Bug 1909791

Summary: Update standalone kube-proxy config for EndpointSlice
Product: OpenShift Container Platform Reporter: Dan Winship <danw>
Component: Networking Assignee: Dan Winship <danw>
Networking sub component: openshift-sdn QA Contact: zhaozhanqi <zzhao>
Status: CLOSED ERRATA Docs Contact:
Severity: high    
Priority: high    
Version: 4.7   
Target Milestone: ---   
Target Release: 4.7.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-02-24 15:47:19 UTC Type: Bug

Description Dan Winship 2020-12-21 16:20:11 UTC
In 1.20 kube-proxy now expects to use EndpointSlice rather than Endpoints by default, so we need to update the RBAC config for standalone kube-proxy to have permission to read that.

(Or alternatively we could update the config to force it to not use EndpointSlice, but we don't want to do that.)
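
As an added example (not part of the original bug report and not the operator's actual manifest), one way to check offline whether a ClusterRole grants the list/watch access on EndpointSlice that the description says kube-proxy 1.20 needs. The role name `example-kube-proxy` and both sample roles are constructed placeholders; the input is assumed to be in the shape of `oc get clusterrole <name> -o json`.

```python
import json

NEEDED_VERBS = {"list", "watch"}  # kube-proxy reads these objects through list+watch

def allows(rules, group, resource, verbs=NEEDED_VERBS):
    """Return True if the RBAC rules together grant all verbs on group/resource."""
    granted = set()
    for rule in rules or []:
        if rule.get("resourceNames"):
            continue  # limited to named objects, so not a general list/watch
        if not {"*", group} & set(rule.get("apiGroups", [])):
            continue
        if not {"*", resource} & set(rule.get("resources", [])):
            continue
        rule_verbs = set(rule.get("verbs", []))
        granted |= verbs if "*" in rule_verbs else rule_verbs & verbs
    return granted >= verbs  # RBAC is additive across rules

def audit(cluster_role):
    """Report which endpoint sources a ClusterRole lets its subject read."""
    rules = cluster_role.get("rules")
    return {
        "endpoints": allows(rules, "", "endpoints"),
        "endpointslices": allows(rules, "discovery.k8s.io", "endpointslices"),
    }

# Constructed sample in the shape of `oc get clusterrole <name> -o json`.
BEFORE = json.loads("""
{"kind": "ClusterRole", "metadata": {"name": "example-kube-proxy"},
 "rules": [{"apiGroups": [""], "resources": ["services", "endpoints"],
            "verbs": ["list", "watch"]}]}
""")

# Same role with a read-only rule for EndpointSlice added (constructed).
AFTER = json.loads(json.dumps(BEFORE))
AFTER["rules"].append({"apiGroups": ["discovery.k8s.io"],
                       "resources": ["endpointslices"],
                       "verbs": ["list", "watch"]})

if __name__ == "__main__":
    for label, role in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(role))
```

EndpointSlice lives in the `discovery.k8s.io` API group, so a rule that lists `endpointslices` under the core (`""`) group grants nothing, and the check reports it as missing.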

Comment 3 zhaozhanqi 2021-01-05 04:09:43 UTC
Verified this bug on 4.7.0-0.nightly-2021-01-04-215816

Comment 4 Dan Winship 2021-01-05 12:13:35 UTC
doh, this was implemented wrong

Comment 5 Dan Winship 2021-01-05 12:19:57 UTC
@zhaozhanqi does QE test Calico or any other third-party network plugins at all? For the moment, that's the only reliable way of testing that this fix really works. (It has no effect when using openshift-sdn, ovn-kubernetes, or kuryr.)

(I'll test it better myself this time before it merges though...)

Making this blocker+ since it completely breaks most third-party network plugins.

Comment 6 Dan Winship 2021-01-05 13:21:30 UTC
OK, so actually it looks like this was the last piece needed to get hacked-openshift-sdn-with-standalone-kube-proxy to work. So, you could test by doing "openshift-install create manifests", and then adding this to the manifests/ dir before doing "create cluster":

---

apiVersion: operator.openshift.io/v1
kind: Network
metadata:
  name: cluster
spec:
  defaultNetwork:
    type: OpenShiftSDN
    openshiftSDNConfig:
      mode: NetworkPolicy
      enableUnidling: false
  deployKubeProxy: true

---

Then you can confirm that the cluster comes up with a standalone kube-proxy (pods in -n openshift-kube-proxy), and everything still works.

Comment 8 zhaozhanqi 2021-01-06 08:31:46 UTC
Thanks Dan. I must have misunderstood this bug.

I tried to set up the Calico cluster this time with 4.7.0-0.nightly-2021-01-06-012750, and it works well

[root@preserve-zzhao calico]# oc get network -o yaml | grep -i networktype:
          f:networkType: {}
          f:networkType: {}
          f:networkType: {}
    networkType: Calico
    networkType: Calico

[root@preserve-zzhao calico]# oc get pod -n openshift-kube-proxy
NAME                         READY   STATUS    RESTARTS   AGE
openshift-kube-proxy-4dhvp   2/2     Running   0          76m
openshift-kube-proxy-f8v7m   2/2     Running   0          64m
openshift-kube-proxy-h7bvm   2/2     Running   0          65m
openshift-kube-proxy-jz7cz   2/2     Running   0          76m
openshift-kube-proxy-pczgz   2/2     Running   0          76m
openshift-kube-proxy-tl6wf   2/2     Running   0          65m

Move this bug to Verified.

Comment 10 errata-xmlrpc 2021-02-24 15:47:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633