Bug 1759182

Summary: [4.1 backport] No RBAC method for setting ExternalIPs
Product: OpenShift Container Platform
Reporter: Casey Callendrello <cdc>
Component: Networking
Assignee: Aniket Bhat <anbhat>
Networking sub component: openshift-sdn
QA Contact: Weibin Liang <weliang>
Status: CLOSED WONTFIX
Docs Contact:
Severity: unspecified
Priority: unspecified
CC: anbhat, danw, eparis, weliang, zzhao
Version: 4.1.z
Target Milestone: ---
Target Release: 4.1.z
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1752045
Environment:
Last Closed: 2020-03-26 14:07:09 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1759181
Bug Blocks: 1751840

Comment 2 Weibin Liang 2019-12-17 14:51:18 UTC
@anbhat @ccallend

In v4.1, we do not support externalIP: policy: {}. Here is the log from "oc edit networks.config.openshift.io cluster" in both v4.1 and v4.3:

spec:
  clusterNetwork:
  - cidr: 10.128.0.0/14
    hostPrefix: 23
  networkType: OpenShiftSDN
  serviceNetwork:
  - 172.30.0.0/16

#### v4.3 supports externalIP: policy: {}
spec:
  clusterNetwork:
  - cidr: 10.128.0.0/14
    hostPrefix: 23
  externalIP:                    >>>>>>>>>>>>>> v4.1 does not have this
    policy: {}                   >>>>>>>>>>>>>>
  networkType: OpenShiftSDN
  serviceNetwork:
  - 172.30.0.0/16

Looks like I cannot verify this bug in v4.1.

Comment 3 zhaozhanqi 2019-12-18 09:01:09 UTC

Checked the CRD of 4.1; it did not support externalIP yet.

# oc get crd networks.config.openshift.io -o yaml | grep -i external

For 4.2 and later versions:

# oc get crd networks.config.openshift.io -o yaml | grep -i external -A 10
              externalIP:
                description: externalIP defines configuration for controllers that
                  affect Service.ExternalIP. If nil, then ExternalIP is not allowed
                  to be set.
                properties:
                  autoAssignCIDRs:
                    description: autoAssignCIDRs is a list of CIDRs from which to
                      automatically assign Service.ExternalIP. These are assigned
                      when the service is of type LoadBalancer. In general, this is
                      only useful for bare-metal clusters. In Openshift 3.x, this
                      was misleadingly called "IngressIPs". Automatically assigned
                      External IPs are not affected by any ExternalIPPolicy rules.
                      Currently, only one entry may be provided.
                    items:
                      type: string
                    type: array
                  policy:
                    description: policy is a set of restrictions applied to the ExternalIP
                      field. If nil or empty, then ExternalIP is not allowed to be
                      set.
                    properties:
                      allowedCIDRs:
                        description: allowedCIDRs is the list of allowed CIDRs.
                        items:
                          type: string
                        type: array
                      rejectedCIDRs:
                        description: rejectedCIDRs is the list of disallowed CIDRs.
                          These take precedence over allowedCIDRs.
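
As an added illustration, not code from OpenShift or from this bug, here is a Go check that applies the externalIP.policy semantics described in the CRD text above (nil or empty policy forbids ExternalIP, rejectedCIDRs take precedence over allowedCIDRs, deny by default) to the externalIPs a Service requests. The type and function names are assumptions; a caller would feed it the cluster's policy lists and a Service's spec.externalIPs.

```go
package main

import (
	"fmt"
	"net"
)

// ExternalIPPolicy mirrors externalIP.policy from the 4.2+ CRD shown above (hypothetical type).
type ExternalIPPolicy struct {
	AllowedCIDRs  []string
	RejectedCIDRs []string
}

// inAny reports whether ip lies in any CIDR. A malformed CIDR is an error, not a skipped entry: silently dropping a rejectedCIDR would fail open.
func inAny(cidrs []string, ip net.IP) (bool, error) {
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return false, fmt.Errorf("bad CIDR %q in externalIP policy: %w", c, err)
		}
		if n.Contains(ip) {
			return true, nil
		}
	}
	return false, nil
}

// ValidateExternalIPs is a hypothetical admission-style check over a Service's spec.externalIPs,
// following the CRD text: nil/empty policy forbids ExternalIP, rejectedCIDRs win, and an IP must match some allowedCIDR.
func ValidateExternalIPs(policy *ExternalIPPolicy, externalIPs []string) error {
	if len(externalIPs) > 0 && (policy == nil || (len(policy.AllowedCIDRs) == 0 && len(policy.RejectedCIDRs) == 0)) {
		return fmt.Errorf("externalIPs %v not allowed: no externalIP policy configured", externalIPs)
	}
	for _, s := range externalIPs {
		ip := net.ParseIP(s) // nil for garbage; IPNet.Contains(nil) is false, so it fails closed below
		if hit, err := inAny(policy.RejectedCIDRs, ip); err != nil {
			return err
		} else if hit {
			return fmt.Errorf("externalIP %s is in a rejected CIDR", s)
		}
		if hit, err := inAny(policy.AllowedCIDRs, ip); err != nil {
			return err
		} else if !hit {
			return fmt.Errorf("externalIP %s is not in any allowed CIDR", s)
		}
	}
	return nil
}
```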

Comment 8 Weibin Liang 2019-12-19 15:41:29 UTC
Zhanqi,

You are right, I still see https://bugzilla.redhat.com/show_bug.cgi?id=1751840 in the latest v4.1 code.

Wait for the new PR for https://bugzilla.redhat.com/show_bug.cgi?id=1751840, then QE can verify this bug.

Comment 11 Dan Winship 2020-01-08 19:41:51 UTC
Bug 1758140 and this one are essentially the same bug.

If a normal user can create a service with an ExternalIP in a build of 4.1 that includes origin #23826, then that means this bug has FailedQE.

Comment 12 Weibin Liang 2020-01-08 21:44:01 UTC
Verification failed in 4.1.0-0.nightly-2020-01-06-225053

[root@dhcp-41-193 FILE]# oc login -u testuser-0 -p gPb_u0NtGup-
Login successful.

You don't have any projects. You can try to create a new project, by running

    oc new-project <projectname>

[root@dhcp-41-193 FILE]# oc new-project test
Now using project "test" on server "https://api.qe-weliang-aws41.qe.devcluster.openshift.com:6443".

You can add applications to this project with the 'new-app' command. For example, try:

    oc new-app django-psql-example

to build a new example application in Python. Or use kubectl to deploy a simple Kubernetes application:

    kubectl create deployment hello-node --image=gcr.io/hello-minikube-zero-install/hello-node

[root@dhcp-41-193 FILE]# oc create -f https://raw.githubusercontent.com/weliang1/Openshift_Networking/master/Features/PublishingServices/external-ip.yaml
service/hello-service1 created
pod/hello-pod-1 created
[root@dhcp-41-193 FILE]# oc get svc
NAME             TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)     AGE
hello-service1   ClusterIP   172.30.35.171   10.0.76.163   27018/TCP   4s
[root@dhcp-41-193 FILE]#

Comment 18 Scott Dodson 2020-03-26 14:07:09 UTC
4.1 EOL is imminent and it does not make sense to fix this at this point in the lifecycle.