Description of problem:
Try to create a service without a selector that points to another pod IP or service IP. The creation will succeed.

Version-Release number of selected component (if applicable):
dev-preview-stg
atomic-openshift-3.3.0.32-1.git.0.37bd7ea.el7.x86_64
docker-1.10.3-46.el7.14.x86_64
kernel-3.10.0-327.36.1.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. Create a pod and service
2. Create another service without a selector and point it to the above pod IP or service IP
3.

Actual results:
2. The service is created successfully.

Expected results:
Should not allow a service to be created which points to the cluster CIDR or service CIDR.

Additional info:
[root@fedora23 v3]# oc get svc
NAME                    CLUSTER-IP       EXTERNAL-IP   PORT(S)     AGE
selector-less-service   172.30.25.191    <none>        10086/TCP   4m
service-unsecure        172.30.245.226   <none>        27017/TCP   16m
test-service            172.30.108.105   <none>        27017/TCP   16m
[root@fedora23 v3]# oc get endpoints
NAME                    ENDPOINTS                        AGE
selector-less-service   172.30.245.226:8080              4m
service-unsecure        10.1.3.5:8080                    17m
test-service            10.1.3.11:8080,10.1.3.17:8080    16m
This doesn't feel like a bug to me. You ought to be able to make a headless service and then assign whatever endpoints you want to it. Now... the SDN isolation may not allow you to talk to the remote endpoints, but that's the user's problem. (If you could bypass the isolation by doing this, then that's a real bug).
No, it is a new change in 3.3. Related PR: https://github.com/openshift/origin/pull/9383 cc danw
Oh, the feature is working as expected, but maybe the acceptance criteria in Trello didn't get all the details; you can create such endpoints if you are logged in as a cluster admin user, but if you create an unprivileged account, it won't work:

danw@w541:origin (master)> oc login -u foo -p foo
Login successful.
...
danw@w541:origin (master)> oc new-project foo
Now using project "foo" on server "https://172.17.0.2:8443".
...
danw@w541:origin (master)> oc create -f test-service.json
service "test-service" created
danw@w541:origin (master)> oc create -f test-endpoint.json
Error from server: error when creating "test-endpoint.json": endpoints "test-service" is forbidden: endpoint address 10.129.0.2 is not allowed
@danw This feature is working well in the OCP env. But the bug is reported against the dev-preview-stg env. I am not sure what the difference is between the setup of the two. But I can use a normal user to create a service which points to an IP in the service CIDR or pod CIDR.
I don't know what happened on the dev-preview-stg env. But the issue cannot be reproduced after the latest upgrade to 3.3.0.33.

[root@fedora23 v3]# oc create -f external_service_to_external_pod.json
service "selector-less-service" created
Error from server: endpoints "selector-less-service" is forbidden: endpoint address 10.1.8.20 is not allowed

I will close this bug.
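The 3.3 restriction the comments above describe (an Endpoints object from an unprivileged user may not point into the pod or service network, while a cluster admin is exempt), as an added Go example written for this page; it is not code from the openshift/origin PR, and the EndpointRestriction type and the CIDR values are assumptions.

```go
package main

import (
	"fmt"
	"net"
)

// EndpointRestriction models the admission rule from the thread: Endpoints
// created by an unprivileged user may not point into the pod or service network.
type EndpointRestriction struct{ restricted []*net.IPNet }

// NewEndpointRestriction parses the CIDRs unprivileged users may not target.
func NewEndpointRestriction(cidrs ...string) (*EndpointRestriction, error) {
	r := &EndpointRestriction{}
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, fmt.Errorf("bad CIDR %q: %v", c, err)
		}
		r.restricted = append(r.restricted, n)
	}
	return r, nil
}

// Check returns nil when every address is acceptable, otherwise an error naming
// the first offending address ("endpoint address X is not allowed", the wording
// seen in the thread). Privileged callers (cluster admins) bypass the check.
func (r *EndpointRestriction) Check(addrs []string, privileged bool) error {
	if privileged {
		return nil
	}
	for _, a := range addrs {
		ip := net.ParseIP(a)
		if ip == nil {
			return fmt.Errorf("endpoint address %q is not a valid IP", a)
		}
		for _, n := range r.restricted {
			if n.Contains(ip) {
				return fmt.Errorf("endpoint address %s is not allowed", a)
			}
		}
	}
	return nil
}

func main() {
	// Assumed default CIDRs; the report does not state the cluster's actual values.
	r, _ := NewEndpointRestriction("10.128.0.0/14", "172.30.0.0/16")
	fmt.Println(r.Check([]string{"10.129.0.2"}, false)) // rejected, as in comment 4
}
```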