Bug 1952460
| Summary: | In k8s 1.21 bump '[sig-network] Firewall rule control plane should not expose well-known ports' test is disabled | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Maciej Szulik <maszulik> |
| Component: | Networking | Assignee: | Ben Pickard <bpickard> |
| Networking sub component: | openshift-sdn | QA Contact: | zhaozhanqi <zzhao> |
| Status: | CLOSED ERRATA | Docs Contact: | |
| Severity: | high | ||
| Priority: | unspecified | CC: | aconstan, bbennett, dcbw, surya |
| Version: | 4.8 | ||
| Target Milestone: | --- | ||
| Target Release: | 4.8.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-07-27 23:02:52 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Maciej Szulik
2021-04-22 10:19:15 UTC
fwiw, the test is doing this:
ginkgo.It("control plane should not expose well-known ports", func() {
nodes, err := e2enode.GetReadySchedulableNodes(cs)
framework.ExpectNoError(err)
ginkgo.By("Checking well known ports on master and nodes are not exposed externally")
nodeAddr := e2enode.FirstAddress(nodes, v1.NodeExternalIP)
if nodeAddr == "" {
framework.Failf("did not find any node addresses")
}
controlPlaneAddresses := framework.GetControlPlaneAddresses(cs)
for _, instanceAddress := range controlPlaneAddresses {
assertNotReachableHTTPTimeout(instanceAddress, "/healthz", ports.KubeControllerManagerPort, firewallTestTCPTimeout, true)
assertNotReachableHTTPTimeout(instanceAddress, "/healthz", kubeschedulerconfig.DefaultKubeSchedulerPort, firewallTestTCPTimeout, true)
}
assertNotReachableHTTPTimeout(nodeAddr, "/", ports.KubeletPort, firewallTestTCPTimeout, false)
assertNotReachableHTTPTimeout(nodeAddr, "/", ports.KubeletReadOnlyPort, firewallTestTCPTimeout, false)
assertNotReachableHTTPTimeout(nodeAddr, "/", ports.ProxyStatusPort, firewallTestTCPTimeout, false)
})
But the actual failure is: fail [github.com/onsi/ginkgo.0-origin.0+incompatible/internal/leafnodes/runner.go:113]: Apr 21 12:03:52.111: did not find any node addresses So... in GCP do our CI cluster nodes have external IPs? nodeAddr := e2enode.FirstAddress(nodes, v1.NodeExternalIP) And the answer is that no! they don't...
"addresses": [
{
"address": "10.0.0.5",
"type": "InternalIP"
},
{
"address": "ci-op-m9kcz5zp-2a78c-lnf69-master-2.c.openshift-gce-devel-ci.internal",
"type": "InternalDNS"
},
{
"address": "ci-op-m9kcz5zp-2a78c-lnf69-master-2.c.openshift-gce-devel-ci.internal",
"type": "Hostname"
}
],
So that's why it fails. I'll leave it to somebody else on the team to figure out whether the upstream test is wrong or what. Okay so the fix is already merged upstream. We need to backport it down to origin. move to verified. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:2438 |