Bug 1989423
| Summary: | Enable back `[sig-network-edge][Conformance][Area:Networking][Feature:Router] The HAProxy router should be able to connect to a service that is idled because a GET on the route will unidle it` | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Maciej Szulik <maszulik> |
| Component: | Networking | Assignee: | jamo luhrsen <jluhrsen> |
| Networking sub component: | openshift-sdn | QA Contact: | Ying Wang <yingwang> |
| Status: | CLOSED ERRATA | Docs Contact: | |
| Severity: | high | | |
| Priority: | unspecified | CC: | astoycos, bperkins, danw, jluhrsen, yingwang, zzhao |
| Version: | 4.9 | | |
| Target Milestone: | --- | | |
| Target Release: | 4.9.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-10-18 17:44:09 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1996160 | | |
| Bug Blocks: | | | |
Description
Maciej Szulik
2021-08-03 08:11:21 UTC
(In reply to Maciej Szulik from comment #0)
> It looks like endpoints write access was removed in
> https://github.com/kubernetes/kubernetes/pull/103704 to partially prevent
> https://github.com/kubernetes/kubernetes/issues/103675 we need to figure out
> how we want to handle this one.

OCP should not be vulnerable to that CVE anyway because of the RestrictedEndpointsController. cluster-kube-apiserver-operator observes the cluster configuration to mark all pod and service CIDRs as restricted:

https://github.com/openshift/cluster-kube-apiserver-operator/blob/master/pkg/operator/configobservation/network/observe_network.go#L53

and then kube-apiserver rejects Endpoints creation/modification by non-cluster-admin users if the Endpoints points to a restricted IP.

Of course, we need to be doing that for EndpointSlice now too...

*** Bug 1995505 has been marked as a duplicate of this bug. ***

Sorry, I screwed up the bug tracking on this and there ended up being no bug for "re-enable Endpoints permissions". But that's re-enabled now (https://github.com/openshift/kubernetes/pull/908), so this bug should be able to move forward.

Verified this bug by checking https://prow.ci.openshift.org/view/gs/origin-ci-test/logs/periodic-ci-openshift-release-master-nightly-4.9-e2e-aws/1433153705493925888

Checked on version 4.9.0-0.nightly-2021-09-01-193941, created a service and idled it. After sending traffic to this service, it can be unidled.
```console
% oc get service
NAME           TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)     AGE
test-service   ClusterIP   172.30.200.28   <none>        27017/TCP   9m49s
% oc get pods
NAME            READY   STATUS    RESTARTS   AGE
hello-pod       1/1     Running   0          9m53s
test-rc-9nvv9   1/1     Running   0          5m59s
test-rc-cjdmz   1/1     Running   0          5m59s
% oc idle test-service
WARNING: idling when network policies are in place may cause connections to bypass network policy entirely
The service "yckg4/test-service" has been marked as idled
The service will unidle ReplicationController "yckg4/test-rc" to 2 replicas once it receives traffic
ReplicationController "yckg4/test-rc" has been idled
% oc get service
NAME           TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)     AGE
test-service   ClusterIP   172.30.200.28   <none>        27017/TCP   10m
% oc describe service
Name:              test-service
Namespace:         yckg4
Labels:            name=test-service
Annotations:       idling.alpha.openshift.io/idled-at: 2021-09-02T11:08:28Z
                   idling.alpha.openshift.io/unidle-targets: [{"kind":"ReplicationController","name":"test-rc","replicas":2}]
Selector:          name=test-pods
Type:              ClusterIP
IP Family Policy:  SingleStack
IP Families:       IPv4
IP:                172.30.200.28
IPs:               172.30.200.28
Port:              http  27017/TCP
TargetPort:        8080/TCP
Endpoints:         <none>
Session Affinity:  None
Events:            <none>
% oc get pods
NAME        READY   STATUS    RESTARTS   AGE
hello-pod   1/1     Running   0          10m
% oc exec hello-pod -i -- /usr/bin/curl --connect-timeout 30 172.30.200.28:27017
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:--  0:00:02 --:--:--     0Hello OpenShift!
100    17  100    17    0     0      6      0  0:00:02  0:00:02 --:--:--     6
% oc get pods
NAME            READY   STATUS    RESTARTS   AGE
hello-pod       1/1     Running   0          11m
test-rc-bcj8r   1/1     Running   0          6s
test-rc-zmr2s   1/1     Running   0          6s
% oc get service
NAME           TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)     AGE
test-service   ClusterIP   172.30.200.28   <none>        27017/TCP   11m
% oc describe service
Name:              test-service
Namespace:         yckg4
Labels:            name=test-service
Annotations:       <none>
Selector:          name=test-pods
Type:              ClusterIP
IP Family Policy:  SingleStack
IP Families:       IPv4
IP:                172.30.200.28
IPs:               172.30.200.28
Port:              http  27017/TCP
TargetPort:        8080/TCP
Endpoints:         10.128.2.80:8080,10.131.0.46:8080
Session Affinity:  None
Events:            <none>
% oc version
Client Version: 4.9.0-0.nightly-2021-08-18-144658
Server Version: 4.9.0-0.nightly-2021-09-01-193941
Kubernetes Version: v1.22.0-rc.0+bbcc9ae
```
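The admission rule described in the RestrictedEndpointsController comment above (non-cluster-admin users may not register Endpoints addresses inside the pod or service CIDRs, and the same rule is needed for EndpointSlice), as an added example on plain Go structs. This is not the operator's or kube-apiserver's own code: the restricted CIDRs (the conventional OpenShift pod and service network defaults, constructed here rather than observed from a cluster), the minimal Endpoints/EndpointSlice shapes, and the caller-supplied `canUseRestricted` decision that stands in for the real plugin's authorizer query are all assumptions. It goes slightly beyond the comment by also checking not-ready addresses and by failing closed on anything that does not parse as an IP.

```go
package main

import (
	"fmt"
	"net"
)

// Restricted ranges as the config observer would derive them from the cluster
// network configuration. Constructed for this example: these are the
// conventional OpenShift defaults, not values read from any cluster.
var restrictedCIDRs = []string{
	"10.128.0.0/14", // cluster (pod) network
	"172.30.0.0/16", // service network
}

// Minimal stand-ins for core/v1 Endpoints and discovery/v1 EndpointSlice
// (assumed shapes; only the address-bearing fields are modelled).
type EndpointAddress struct{ IP string }
type EndpointSubset struct{ Addresses, NotReadyAddresses []EndpointAddress }
type Endpoints struct{ Subsets []EndpointSubset }

type Endpoint struct{ Addresses []string }
type EndpointSlice struct{ Endpoints []Endpoint }

// AddressesOfEndpoints collects every IP an Endpoints object would register,
// ready or not: a not-ready address is still a backend the proxy may learn.
func AddressesOfEndpoints(e Endpoints) []string {
	var out []string
	for _, s := range e.Subsets {
		for _, a := range s.Addresses {
			out = append(out, a.IP)
		}
		for _, a := range s.NotReadyAddresses {
			out = append(out, a.IP)
		}
	}
	return out
}

// AddressesOfEndpointSlice does the same for an EndpointSlice.
func AddressesOfEndpointSlice(s EndpointSlice) []string {
	var out []string
	for _, e := range s.Endpoints {
		out = append(out, e.Addresses...)
	}
	return out
}

// RestrictedEndpointsChecker flags endpoint addresses inside restricted ranges.
type RestrictedEndpointsChecker struct{ nets []*net.IPNet }

func NewRestrictedEndpointsChecker(cidrs []string) (*RestrictedEndpointsChecker, error) {
	c := &RestrictedEndpointsChecker{}
	for _, s := range cidrs {
		_, n, err := net.ParseCIDR(s)
		if err != nil {
			return nil, fmt.Errorf("bad restricted CIDR %q: %w", s, err)
		}
		c.nets = append(c.nets, n)
	}
	return c, nil
}

// RestrictedAddresses returns the addresses that fall inside a restricted range.
// Anything that does not parse as an IP is reported too: an admission check
// must fail closed rather than let an odd spelling through. net.IPNet.Contains
// normalises IPv4-mapped IPv6 (::ffff:a.b.c.d), so that spelling is caught too.
func (c *RestrictedEndpointsChecker) RestrictedAddresses(addrs []string) []string {
	var bad []string
	for _, a := range addrs {
		ip := net.ParseIP(a)
		if ip == nil {
			bad = append(bad, a)
			continue
		}
		for _, n := range c.nets {
			if n.Contains(ip) {
				bad = append(bad, a)
				break
			}
		}
	}
	return bad
}

// Admit is the admission decision. canUseRestricted stands in for the
// authorizer check the real plugin performs (assumed: cluster-admins pass it);
// everyone else is refused if any address is restricted.
func (c *RestrictedEndpointsChecker) Admit(canUseRestricted bool, addrs []string) error {
	bad := c.RestrictedAddresses(addrs)
	if len(bad) == 0 || canUseRestricted {
		return nil
	}
	return fmt.Errorf("endpoint address(es) %v are in a restricted (pod or service) range", bad)
}

func main() {
	c, err := NewRestrictedEndpointsChecker(restrictedCIDRs)
	if err != nil {
		panic(err)
	}
	// Constructed inputs: an external backend plus a pod IP from the transcript
	// above hidden among not-ready addresses, and an IPv4-mapped spelling of the
	// service IP in an EndpointSlice.
	ep := Endpoints{Subsets: []EndpointSubset{{
		Addresses:         []EndpointAddress{{IP: "192.0.2.10"}},
		NotReadyAddresses: []EndpointAddress{{IP: "10.131.0.46"}},
	}}}
	slice := EndpointSlice{Endpoints: []Endpoint{{Addresses: []string{"::ffff:172.30.200.28"}}}}
	fmt.Println("endpoints (user):     ", c.Admit(false, AddressesOfEndpoints(ep)))
	fmt.Println("endpointslice (user): ", c.Admit(false, AddressesOfEndpointSlice(slice)))
	fmt.Println("endpointslice (admin):", c.Admit(true, AddressesOfEndpointSlice(slice)))
}
```

The point of the two extra cases in `main` is that a check which only walks `Subsets[].Addresses`, or only accepts dotted-quad spellings, leaves room for exactly the kind of bypass the upstream issue is about; the restricted range has to be enforced on every address the object can carry, in every form the API server will accept.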
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:3759