Bug 1963079

Summary: KCM/KS: ability to enforce localhost communication with the API server.
Product: OpenShift Container Platform
Reporter: Lukasz Szaszkiewicz <lszaszki>
Component: kube-controller-manager
Assignee: Lukasz Szaszkiewicz <lszaszki>
Status: CLOSED ERRATA
QA Contact: zhou ying <yinzhou>
Severity: high
Priority: high
Version: 4.8
CC: aos-bugs, mfojtik
Target Release: 4.8.0
Hardware: Unspecified
OS: Unspecified
Last Closed: 2021-07-27 23:09:41 UTC
Type: Bug

Description Lukasz Szaszkiewicz 2021-05-21 11:41:43 UTC
For the past months, we have been involved in many escalations that showed a misconfigured load balancer can cause significant outages. One quick way of ruling out a malfunctioning LB is to switch affected components to use localhost to communicate with Kube API.

We are going to use this BZ to merge a few PRs for KCM and KC to allow that. Once they merge, the support engineers will have an easy way of enforcing localhost communication.

Comment 2 zhou ying 2021-06-01 10:56:18 UTC
Check for the KCM:
[root@localhost ~]# oc get kubecontrollermanager cluster -o yaml 
apiVersion: operator.openshift.io/v1
kind: KubeControllerManager
...
spec:
  logLevel: TraceAll
...
  unsupportedConfigOverrides:
    extendedArguments:
      master:
      - https://api-int.yinzhou601.qe.devcluster.openshift.com:1234
      unsupported-kube-api-over-localhost:
      - "true"

When setting with an invalid API, it still works well.

Check for the KS:
[root@localhost ~]# oc get kubescheduler cluster -o yaml 
apiVersion: operator.openshift.io/v1
kind: KubeScheduler
....
spec:
  logLevel: TraceAll
...
  unsupportedConfigOverrides:
    arguments:
      master:
      - https://api-int.yinzhou601.qe.devcluster.openshift.com:1234/
      unsupported-kube-api-over-localhost:
      - "true"

When setting with an invalid API, KS still works well.
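
A check for clusters where this troubleshooting override is still set, as an added example that is not part of the bug report or of OpenShift's code: it reads the operator CRs as JSON (for instance from `oc get kubecontrollermanager cluster -o json`) and reports the flag, using the per-kind argument blocks shown in comment 2. The function names and the sample objects are constructed for illustration.

```python
import json

# Argument block each operator CR uses, taken from the outputs in comment 2.
ARGS_KEY = {"KubeControllerManager": "extendedArguments",
            "KubeScheduler": "arguments"}
FLAG = "unsupported-kube-api-over-localhost"


def as_list(value):
    """Normalise a missing, scalar or list argument value to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def localhost_override(cr):
    """Return (enabled, master) for one operator CR given as a dict."""
    kind = cr.get("kind")
    if kind not in ARGS_KEY:
        raise ValueError(f"unexpected kind: {kind!r}")
    # spec or unsupportedConfigOverrides may be absent or null on a clean cluster.
    overrides = (cr.get("spec") or {}).get("unsupportedConfigOverrides") or {}
    args = overrides.get(ARGS_KEY[kind]) or {}
    enabled = any(str(v).strip().lower() == "true" for v in as_list(args.get(FLAG)))
    return enabled, as_list(args.get("master"))


def audit(crs):
    """Map kind -> finding for every CR that carries the localhost override."""
    findings = {}
    for cr in crs:
        enabled, master = localhost_override(cr)
        if enabled:
            findings[cr["kind"]] = {"flag": FLAG, "master": master}
    return findings


# Constructed sample input (hypothetical cluster, placeholder URL).
SAMPLE_CRS = json.loads("""[
 {"kind": "KubeControllerManager", "spec": {"unsupportedConfigOverrides":
   {"extendedArguments": {"master": ["https://api-int.example.invalid:1234"],
                          "unsupported-kube-api-over-localhost": ["true"]}}}},
 {"kind": "KubeScheduler", "spec": {"unsupportedConfigOverrides": null}}
]""")

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_CRS), indent=2))
```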

Comment 5 errata-xmlrpc 2021-07-27 23:09:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438