Bug 1918442

Summary: Service Reject ACL does not work on dualstack
Product: OpenShift Container Platform
Reporter: Antonio Ojea <aojeagar>
Component: Networking
Assignee: Antonio Ojea <aojeagar>
Networking sub component: ovn-kubernetes
QA Contact: Anurag saxena <anusaxen>
Status: CLOSED ERRATA
Docs Contact:
Severity: medium
Priority: high
CC: dcbw, mcurry, trozet, zzhao
Version: 4.7
Target Milestone: ---
Target Release: 4.8.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: The OVN idling feature takes precedence over reject ACLs. Consequence: Kubernetes Services without endpoints didn't reject connections. Fix: Don't create OVN load balancers for newly created Services without endpoints. Result: A Service without endpoints rejects packets.
Story Points: ---
Clone Of:
: 1929225 (view as bug list)
Environment:
Last Closed: 2021-07-27 22:36:15 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1883957, 1918422
Bug Blocks:

Description Antonio Ojea 2021-01-20 17:58:05 UTC
Description of problem:

Kubernetes defines that Services without endpoints should be rejected; in order to implement that, OVN-Kubernetes creates ACLs for those services to reject the traffic.

Openshift has a feature for applications that allows idling them: it basically finds the scalable resources (deployments, ...) and scales them down to 0. However, once traffic targeting the service is received, OVN-Kubernetes throws an event to notify the corresponding controller and unidle the application.

As a consequence of Bug 1918422, "empty-lb-events does not take effect for existing load-balancers", both options are mutually exclusive, so services without endpoints in a cluster will only be able to reject or to be idled, but not both.

Steps to Reproduce:
1. Create a Kubernetes cluster with and without the option
  --ovn-empty-lb-events
2. Create a service without endpoints
  kubectl create service clusterip noendpoints --tcp 80
3. Try to connect to the service
  curl noendpoints:80

The cluster with ovn-empty-lb-events set will create an event but will never reject services without endpoints.

The cluster without ovn-empty-lb-events set will reject the services without endpoints but will never create the unidling event.
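The reproduction above, scripted as an added check that is not part of the bug report: it creates the endpoint-less Service from step 2, probes it from a throw-away curl pod with a connect timeout, turns curl's exit code into a verdict (rejected, black-holed, or answered), and then lists the events recorded against the Service so the unidling side can be observed too. It assumes kubectl is on PATH; the curlimages/curl image, the RUN_REPRO guard and the exit-code propagation of kubectl run are assumptions, not anything stated in the report.

```bash
#!/bin/sh
# Added check, not part of the bug report. Assumes kubectl is on PATH and the
# cluster can pull curlimages/curl (an assumption; swap the image as needed).
set -eu
SVC="${SVC:-noendpoints}"   # service name from step 2 of the report
NS="${NS:-default}"

# Map a curl exit code to a verdict: 7 = connection refused (reject ACL worked),
# 28 = connect timeout (silently dropped, the idling-only behaviour described
# in the report), 0 = something actually answered.
classify_curl_exit() {
  case "$1" in
    0)  echo "answered" ;;
    7)  echo "rejected" ;;
    28) echo "blackholed" ;;
    *)  echo "error($1)" ;;
  esac
}

# Step 2: create the Service and confirm its Endpoints object has no subsets.
create_service() {
  kubectl -n "$NS" create service clusterip "$SVC" --tcp 80 >/dev/null
  subsets=$(kubectl -n "$NS" get endpoints "$SVC" -o jsonpath='{.subsets}' 2>/dev/null || true)
  if [ -n "$subsets" ]; then
    echo "service $SVC unexpectedly has endpoints: $subsets" >&2
    return 1
  fi
}

# Step 3 from inside the cluster: a throw-away pod runs curl with a connect
# timeout so a black-holed connection cannot hang the check. kubectl run is
# assumed to propagate the container's exit code when attached with -i.
probe_service() {
  rc=0
  kubectl -n "$NS" run curl-probe --rm -i --restart=Never --image=curlimages/curl -- \
    curl -sS --connect-timeout 5 -o /dev/null "http://$SVC:80" >/dev/null 2>&1 || rc=$?
  classify_curl_exit "$rc"
}

# The other half of the report: events recorded against the Service (the
# unidling notification, when the cluster runs with --ovn-empty-lb-events).
service_events() {
  kubectl -n "$NS" get events \
    --field-selector involvedObject.kind=Service,involvedObject.name="$SVC"
}

main() { create_service; echo "verdict: $(probe_service)"; service_events; }
# Only touch a cluster when asked, so the file can be sourced for its functions.
if [ "${RUN_REPRO:-0}" = 1 ]; then main "$@"; fi
```

Run it once against a cluster started with --ovn-empty-lb-events and once without: the report predicts "blackholed" plus an event in the first case and "rejected" with no event in the second.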

Comment 2 Tim Rozet 2021-01-20 20:45:55 UTC
Basically the impact of this bug is that oc idle will not work with ovn-kubernetes on single stack clusters.

Comment 8 Antonio Ojea 2021-04-21 15:09:24 UTC
*** Bug 1922159 has been marked as a duplicate of this bug. ***

Comment 11 errata-xmlrpc 2021-07-27 22:36:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438