Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 2110982

Summary: On GCP, need to check load balancer health check IPs required for restricted installation
Product: OpenShift Container Platform Reporter: Chinmay Deshpande <chdeshpa>
Component: InstallerAssignee: Brent Barbachem <bbarbach>
Installer sub component: openshift-installer QA Contact: Jianli Wei <jiwei>
Status: CLOSED ERRATA Docs Contact: dfitzmau
Severity: medium    
Priority: medium CC: bbarbach, dfitzmau, padillon
Version: 4.10Keywords: Reopened
Target Milestone: ---   
Target Release: 4.13.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Previously, a private {product-name} cluster running on Google Cloud Platform (GCP) would receive additional firewall rules so that GCP could perform health checks for both internal and external load balancers. Private clusters only use internal load balancers, so allowing health checks for external load balancers is unnecessary. With this update, a private cluster that runs on GCP no longer receives these additional firewall rules that stemmed from health checks for external load balancers. (link:https://bugzilla.redhat.com/show_bug.cgi?id=2110982[*BZ#2110982*])
 Story Points: ---
Clone Of: Environment:
Last Closed: 2023-05-17 22:46:56 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Chinmay Deshpande 2022-07-26 09:25:12 UTC 
Version:

OCP 4.10

Platform:

GCP

Please specify:
IPI

What happened?

Looking at the installer [1] code, It opens up a FW to 4 IPs. 
Two of them are expected according to link [2] however it is not expected to have  the other 2 IPs below to be opened up as they are required for network load balancers and not internal TCP/UDP load balancers

209.85.152.0/22
209.85.204.0/22

Customer's cluster is an internal cluster therefore they are not expecting these IPs to be in the firewall.

[1] https://github.com/openshift/installer/blob/b8e2c497249948adffba128dac0713b521b3ce4a/data/data/gcp/cluster/network/firewall.tf#L27
[2] https://cloud.google.com/load-balancing/docs/health-checks#fw-rule


What did you expect to happen?

It is expected to have only these two IPs 35.191.0.0/16, 130.211.0.0/22 to be open in firewall when doing restricted installation.

How to reproduce it (as minimally and precisely as possible)? N/A

Anything else we need to know?
Comment 1 Patrick Dillon 2022-07-26 17:22:40 UTC 
The team has reviewed this BZ:  35.191.0.0/16, 130.211.0.0/22 are only needed for network load balancers, but including them in the firewall rules is harmless as they cannot route to the internal LB and those IPs are owned by Google. Custom firewall rules can be provided through UPI installs.
Comment 2 Patrick Dillon 2022-07-29 15:27:44 UTC 
There was a mistake in my previous comment: 209.85.152.0/22, 209.85.204.0/22 are the IPs needed for network load balancers.
Comment 3 Patrick Dillon 2022-11-01 13:51:59 UTC 
Reopening this. We should be able to restrict the firewall rules to the minimum requirement. Will investigate and report if there are any unforeseen issues.
Comment 8 Jianli Wei 2023-01-28 02:06:14 UTC 
Mark as verified accorinding to the last 3 comments, thanks!
Comment 11 errata-xmlrpc 2023-05-17 22:46:56 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: OpenShift Container Platform 4.13.0 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:1326