Bug 1879445
Summary: | SameSite hardening breaks sticky load balancing | |||
---|---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | Robert Heinzmann <rheinzma> | |
Component: | Networking | Assignee: | Miheer Salunke <misalunk> | |
Networking sub component: | router | QA Contact: | Arvind iyengar <aiyengar> | |
Status: | CLOSED ERRATA | Docs Contact: | ||
Severity: | urgent | |||
Priority: | urgent | CC: | aiyengar, amcdermo, annelson, aos-bugs, fmarting, gferrazs, hchatter, hongli, kyankovi, mfisher, misalunk, mmasters, openshift-bugs-escalate, ppostler, rlichti, rsandu, sahan, shsaxena, srelf | |
Version: | 3.11.0 | Flags: | misalunk: needinfo- hongli: needinfo- misalunk: needinfo- misalunk: needinfo- |
Target Milestone: | --- | |||
Target Release: | 3.11.z | |||
Hardware: | Unspecified | |||
OS: | Unspecified | |||
Whiteboard: | ||||
Fixed In Version: | Doc Type: | If docs needed, set a value | ||
Doc Text: | Story Points: | --- | ||
Clone Of: | ||||
: | 1881997 | Environment: | ||
Last Closed: | 2020-11-18 14:09:55 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | 1889868, 1892775, 1893657 | |||
Bug Blocks: | 1881997 |
Comment 7
Roland Lichti
2020-09-21 09:30:29 UTC
Target set to next release version while investigation is either ongoing or pending. Will be considered for earlier release versions when diagnosed and resolved.

A new openshift release is currently in progress and once that completes we can then push the changes for the newer haproxy-1.8.26 so that the RPM can be built and tagged. I expect that to occur today/tomorrow. Once that's in place we will resolve any CI issues in the associated change https://github.com/openshift/origin/pull/25542.

Verified with v3.11.318 and passed

```
# oc version
oc v3.11.318
kubernetes v1.11.0+d4cacc0
features: Basic-Auth GSSAPI Kerberos SPNEGO

Server https://hongli-311master-etcd-1:8443
openshift v3.11.318
kubernetes v1.11.0+d4cacc0

sh-4.2$ haproxy -v
HA-Proxy version 1.8.26 2020/08/03
Copyright 2000-2020 Willy Tarreau <willy>

sh-4.2$ rpm -qa | grep haproxy
haproxy18-1.8.26-1.el7.x86_64

# default SameSite=None
# curl https://edgeroute-hongli1.apps.1113-9m7.qe.rhcloud.com -v
<---snip--->
< Set-Cookie: a54306d9cf69be3311d72fb44eda92c6=0498e21abad7529161431eec7d46b162; path=/; HttpOnly; Secure; SameSite=None

# oc annotate route edgeroute router.openshift.io/cookie-same-site=Lax
# curl https://edgeroute-hongli1.apps.1113-9m7.qe.rhcloud.com -v
<---snip--->
< Set-Cookie: a54306d9cf69be3311d72fb44eda92c6=0498e21abad7529161431eec7d46b162; path=/; HttpOnly; Secure; SameSite=Lax

# oc annotate route edgeroute router.openshift.io/cookie-same-site=Strict --overwrite
# curl https://edgeroute-hongli1.apps.1113-9m7.qe.rhcloud.com -v
<---snip--->
< Set-Cookie: a54306d9cf69be3311d72fb44eda92c6=0498e21abad7529161431eec7d46b162; path=/; HttpOnly; Secure; SameSite=Strict
```

And a regression test is running now, will move this to Verified if no issue found during regression.

No issue found during the regression test, moving to VERIFIED.

Thanks @hongli !

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 3.11.318 bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:5107
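The manual `curl -v` check in the verification above can be automated. The following is an added example, not code from this bug or from the OpenShift router: it parses `Set-Cookie` headers from `curl -v` output and flags the attribute combinations that stop browsers from returning the sticky-session cookie on cross-site requests. The function names, the cookie name `stickyid` and the sample headers are constructed for illustration.

```python
# Added example: audit the router's sticky-session cookie in `curl -v` output.
VALID_SAMESITE = {"none", "lax", "strict"}

def parse_set_cookie(line):
    """Split one 'Set-Cookie:' header line into (name, value, attrs dict)."""
    header = line.split(":", 1)[1].strip()
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # flag attributes map to ""
    return name, value, attrs

def audit_sticky_cookie(curl_output):
    """Return one (cookie_name, samesite, findings) tuple per Set-Cookie header."""
    results = []
    for raw in curl_output.splitlines():
        line = raw.lstrip("< ").strip()  # curl -v prefixes response headers with "< "
        if not line.lower().startswith("set-cookie:"):
            continue
        name, _, attrs = parse_set_cookie(line)
        samesite = attrs.get("samesite")
        findings = []
        if samesite is None:
            findings.append("no SameSite: browsers defaulting to Lax omit it on cross-site subrequests")
        elif samesite.lower() not in VALID_SAMESITE:
            findings.append(f"unknown SameSite value {samesite!r}")
        elif samesite.lower() == "none" and "secure" not in attrs:
            findings.append("SameSite=None without Secure is rejected by browsers")
        if "httponly" not in attrs:
            findings.append("HttpOnly missing")
        results.append((name, samesite, findings))
    return results

# Constructed sample input (not captured from the cluster in this bug).
SAMPLE = """\
< HTTP/1.1 200 OK
< Set-Cookie: stickyid=aaaa; path=/; HttpOnly
< Set-Cookie: stickyid=aaaa; path=/; HttpOnly; SameSite=None
< Set-Cookie: stickyid=aaaa; path=/; HttpOnly; Secure; SameSite=None
< Set-Cookie: stickyid=aaaa; path=/; HttpOnly; Secure; SameSite=Lax
"""

if __name__ == "__main__":
    for name, samesite, findings in audit_sticky_cookie(SAMPLE):
        print(name, samesite, findings or "ok")
```

An empty findings list for the `Lax` or `Strict` case only means the header is well formed; those values still keep the cookie off cross-site subrequests, which is the intended effect of the annotation.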