Bug 1759338
Summary: | [OVN] hostnetwork pod can access MCS port 22623 or 22624 on master | ||
---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | Anurag saxena <anusaxen> |
Component: | Networking | Assignee: | Ricardo Carrillo Cruz <ricarril> |
Networking sub component: | ovn-kubernetes | QA Contact: | Anurag saxena <anusaxen> |
Status: | CLOSED ERRATA | Docs Contact: | |
Severity: | medium | ||
Priority: | medium | CC: | asheth, bbennett, danw, huirwang, ricarril, scuppett |
Version: | 4.2.0 | ||
Target Release: | 4.5.0 | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Last Closed: | 2020-07-13 17:11:31 UTC | Type: | Bug |
Description
Anurag saxena
2019-10-07 21:07:08 UTC
Oh, I think this is not a bug; we originally had to block hostNetwork access to MCS, but I think MCS now recognizes that the node is already provisioned and so there's no danger in connecting to it from an existing node IP. I need to double-check this though... (And if it's correct we should remove the hostNetwork blocking from openshift-sdn too.)

I don't think that's true, because the MCS is also exposed via the internal load balancer.

Hm... it looks like https://github.com/openshift/machine-config-operator/pull/784 never merged so probably we do still need to block from hostNetwork.

Verified on 4.5.0-0.nightly-2020-05-24-223848.

oc rsh hostnetwork-pod
~ $ curl -I http://10.0.98.83:22623/config/master -k
curl: (7) Failed to connect to 10.0.98.83 port 22623: Connection refused
~ $ exit
command terminated with exit code 7

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2409
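
The verification above checks port 22623 only. As an added example (not part of the bug report or the OpenShift code base), the following regression check probes both MCS ports named in the summary and is meant to be run from a hostNetwork pod against a master's IP. The names `probe` and `check_mcs` and the default address 192.0.2.10 are assumptions made for illustration.

```python
import socket
import sys

MCS_PORTS = (22623, 22624)  # MCS ports from the bug summary


def probe(host, port, timeout=3.0):
    """Attempt one TCP connect and classify the outcome."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "reachable"
    except ConnectionRefusedError:
        return "refused"   # same outcome curl reported in the verification
    except socket.timeout:
        return "timeout"   # packets silently dropped
    except OSError as exc:
        return "error: %s" % exc.__class__.__name__


def check_mcs(host, ports=MCS_PORTS, timeout=3.0):
    """Return (verdict, per-port results) for the given host."""
    results = {port: probe(host, port, timeout) for port in ports}
    states = set(results.values())
    if "reachable" in states:
        verdict = "exposed"        # at least one MCS port accepts connections
    elif states <= {"refused", "timeout"}:
        verdict = "blocked"        # every port rejected or dropped the connect
    else:
        verdict = "inconclusive"   # e.g. no route; the test setup needs a look
    return verdict, results


if __name__ == "__main__":
    # 192.0.2.10 is a documentation placeholder; pass the master's IP as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    verdict, results = check_mcs(target)
    for port, state in sorted(results.items()):
        print("%s:%d %s" % (target, port, state))
    print("verdict:", verdict)
    sys.exit(0 if verdict == "blocked" else 1)
```

The script exits 0 only when both ports are blocked, so it can gate a CI job that re-runs the check on each nightly build.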