Bug 1988324

Summary: OVN-Kubernetes EgressFirewall blocks API server; every egress firewall must allow essential accesses like the API endpoints
Product: OpenShift Container Platform
Reporter: Immanuvel <imm>
Component: Documentation
Assignee: Jason Boxman <jboxman>
Status: CLOSED NOTABUG
QA Contact: huirwang
Severity: high
Docs Contact: Vikram Goyal <vigoyal>
Priority: high
Version: 4.7
CC: aconstan, aos-bugs, chezhang, jboxman, jokerman, jtanenba, mifiedle, mmarkand, palonsor
Target Milestone: ---
Keywords: Improvement, Question, Reopened, UserExperience
Target Release: ---
Flags: huirwang: needinfo? (jtanenba)
Hardware: Unspecified
OS: Linux
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2021-11-24 12:22:33 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Immanuvel 2021-07-30 10:21:42 UTC
Document URL: https://access.redhat.com/documentation/en-us/openshift_container_platform/4.7/html/networking/ovn-kubernetes-default-cni-network-provider

Section Number and Name: 
14.2.2. Migrating to the OVN-Kubernetes default CNI network provider


Describe the issue: 

Customer followed the instructions to switch the SDN on our OpenShift 4.7 cluster to OVN-Kubernetes. Everything went fine until he converted his EgressNetworkPolicy objects to EgressFirewall, and then some components started failing to speak to the API server (including builds hanging).

1. On both the customer's old AWS cluster (4.7) that he converted to OVN-Kubernetes and a brand new AWS cluster (4.7), when he created EgressFirewall objects with a whitelist of allowed IPs, access to the API server was blocked from pods in those projects. This is different from the behaviour of EgressNetworkPolicy, where access to the API server was implicitly granted. With EgressFirewall he needs to manually add the IP addresses of the API servers, which is not documented and possibly fragile as they may change in the future.

2. This is quite difficult for him to do as the cluster is disconnected, but he can supply a smaller amount of output.

3. EgressNetworkPolicy always allowed access to the API server. EgressFirewall doesn't. Therefore the two are not compatible. At the very least there needs to be a warning in the documentation.

Pablo Alonso Rodriguez also did some tests in the cluster, but the connection to the API fails, so it is confirmed the issue is there even for us.

Suggestions for improvement: Needs a good explanation describing the compatibility; at the very least we need to have a warning message in the documentation.

Additional information:

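An added illustration of the behaviour described in the report (not from the bug, the docs PR, or the product documentation). The first EgressFirewall whitelists one external range and denies everything else, which under OVN-Kubernetes also cuts off the project's pods from the API server; the second adds Allow rules for the API server addresses ahead of the Deny rule, since rules are evaluated in order and the first match wins. The namespace and CIDR values are constructed placeholders; a cluster's real API server addresses come from `oc get endpoints kubernetes -n default` and have to be kept current if they change.

```yaml
# Constructed example, not from the bug or the product docs.
# Before: whitelist plus catch-all deny. Under OVN-Kubernetes this also
# blocks the pods' path to the Kubernetes API, unlike the OpenShift SDN
# EgressNetworkPolicy it was converted from.
apiVersion: k8s.ovn.org/v1
kind: EgressFirewall
metadata:
  name: default        # OVN-Kubernetes allows one EgressFirewall per namespace, named "default"
  namespace: builds    # constructed namespace
spec:
  egress:
  - type: Allow
    to:
      cidrSelector: 203.0.113.0/24   # placeholder: external service the project may reach
  - type: Deny
    to:
      cidrSelector: 0.0.0.0/0
---
# After: explicit Allow entries for the API server endpoints, placed
# before the Deny because the first matching rule wins.
apiVersion: k8s.ovn.org/v1
kind: EgressFirewall
metadata:
  name: default
  namespace: builds
spec:
  egress:
  - type: Allow
    to:
      cidrSelector: 10.0.0.5/32      # placeholder: one entry per address listed by
  - type: Allow                      #   oc get endpoints kubernetes -n default
    to:
      cidrSelector: 10.0.0.6/32
  - type: Allow
    to:
      cidrSelector: 203.0.113.0/24
  - type: Deny
    to:
      cidrSelector: 0.0.0.0/0
```

After applying the object, `oc get egressfirewall -n builds` shows whether OVN-Kubernetes accepted and applied the rules, and a build or `oc rsh` session in the namespace confirms the API is reachable again.
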
Comment 4 Jason Boxman 2021-08-06 20:21:30 UTC
I've created a PR[0] to include this in the product documentation. Did I suggest the correct IP ranges? Does a user need to interrogate their cluster for their own specific IP address ranges for this? Thanks!

[0] https://github.com/openshift/openshift-docs/pull/35311

Comment 7 Immanuvel 2021-08-16 08:37:24 UTC
Hi Team,

Do we have any concrete update on this, please, so that I can update the customer accordingly?

The doc needs to be updated, but we also have a bug for OVN EgressFirewall; as Huiran Wang mentioned, the API service IP should not be blocked by the egress firewall.

Thanks in advance for your help.

Regards
IMMANUVEL M

Comment 10 Mridul Markandey 2021-11-23 17:49:44 UTC
Hello Team,

I have a customer who has tried to implement the EgressNetworkPolicy in their OVN cluster by referring to the official documentation[1]. As per the workaround suggested in this Bugzilla, we have to manually add the IP address range that the API servers listen on to the egress firewall rules. But this is only a workaround and not a fix for the issue for which this Bugzilla was raised. A proper resolution of the Bugzilla could be a "solution of errata" so that in the upcoming versions the customers don't have to manually do this task of adding IP address ranges. So, can you please let me know the present status of the Bugzilla? Are we still working on this issue? Any expected timeline for when this issue will be resolved?

[1] https://docs.openshift.com/container-platform/4.8/networking/openshift_sdn/configuring-egress-firewall.html#nw-egressnetworkpolicy-about_openshift-sdn-egress-firewall

Let me know if you need any further data from the customer's environment.

Regards,
Mridul Markandey

Comment 11 Jason Boxman 2021-11-24 00:30:26 UTC
Hi,

So it looks like the actual software fix for this is tracked in a separate BZ[0]. This BZ is related specifically to the documentation update, which is complete.

[0] https://bugzilla.redhat.com/show_bug.cgi?id=1993841

Comment 12 Mridul Markandey 2021-11-24 12:22:33 UTC
Hi Team,

@Jason, Thank you for your proactive response and for sharing the correct link. As this BZ is related to the documentation update, which was completed, you can close this BZ.

Appreciate your kind efforts.

Regards,
Mridul Markandey