Bug 1392862 - [networking_public_222] Should not be able to create the route when the host is not specified and wildcardpolicy enabled
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 3.4.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Ram Ranganathan
QA Contact: Meng Bo
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2016-11-08 11:44 UTC by Meng Bo
Modified: 2022-08-04 22:20 UTC (History)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-01-18 12:50:55 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Origin (Github) 11863 0 None None None 2016-11-10 15:08:59 UTC
Origin (Github) 11924 0 None None None 2016-11-15 21:22:08 UTC
Red Hat Product Errata RHBA-2017:0066 0 normal SHIPPED_LIVE Red Hat OpenShift Container Platform 3.4 RPM Release Advisory 2017-01-18 17:23:26 UTC

Description Meng Bo 2016-11-08 11:44:24 UTC
Description of problem:
When trying to create a route with wildcardPolicy enabled, using a host whose subdomain is already being used by a non-wildcard route, the wildcard route will be marked as HostAlreadyClaimed and cannot work.

Version-Release number of selected component (if applicable):
openshift v3.4.0.23+24b1a58
kubernetes v1.4.0+776c994
etcd 3.1.0-rc.0
ose-haproxy-router          v3.4.0.23           40c9b18e47df

How reproducible:
always

Steps to Reproduce:
1. Set up the env and make the router allow wildcard routes

2. Create pod/svc in project1
$ oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/routing/caddy-docker.json
$ oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/routing/unsecure/service_unsecure.json

3. Create route for the svc above with host eg. non-wild.wildcard.com and wildcardPolicy set to "None"

4. Create pod/svc in another project project2
$ oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/routing/caddy-docker-2.json
$ oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/routing/unsecure/service_unsecure.json

5. Create route for the svc in project2 with host eg. www.wildcard.com and wildcardPolicy set to "Subdomain"

6. Check the route created in project2

Actual results:
$ oc get route 
NAME      HOST/PORT            PATH      SERVICES           PORT      TERMINATION
route     HostAlreadyClaimed             service-unsecure   <all>     

Expected results:
The wildcard route should be able to be created, since the wanted wildcard subdomain was not used by any wildcard route.

Additional info:
The reasonable behaviour should look like:
RouteA: 
host aaa.test.com 
wildcardPolicy None
point to backend php1

RouteB: 
host www.test.com 
wildcardPolicy Subdomain
point to backend php2

When accessing any *.test.com host except aaa.test.com, it should return the result from php2; when accessing aaa.test.com, it should return the result from php1.

Comment 1 Ben Bennett 2016-11-08 13:54:10 UTC
No, the behavior is correct.  The claims are exclusive.

If a.foo.com is present, *.foo.com can not be claimed.

If *.foo.com is present, then a.foo.com can not be claimed.

Comment 2 Meng Bo 2016-11-09 06:56:44 UTC
The problem here is,
If a user creates a route with wildcardPolicy enabled but no host specified, then it will use a generated host of the form <route_name>-<namespace_name>-<router-subdomain-suffix>.

After that, any route created in this env without a host specified will fail, since the configured subdomain has been used by the first route.

$ oc get route -n u1p1
NAME         HOST/PORT                                          PATH      SERVICES           PORT      TERMINATION
test-route   test-route-u1p1.router.default.svc.cluster.local             service-unsecure   <all>     

$ oc get route -n u1p2
NAME               HOST/PORT            PATH      SERVICES           PORT      TERMINATION
service-unsecure   HostAlreadyClaimed             service-unsecure   http      

$ oc describe route -n u1p2
Name:                   service-unsecure
Namespace:              u1p2
Created:                5 minutes ago
Labels:                 name=service-unsecure
Annotations:            openshift.io/host.generated=true
Requested Host:         service-unsecure-u1p2.router.default.svc.cluster.local
                          rejected by router router: HostAlreadyClaimed (5 minutes ago)
                            a route in another namespace holds host service-unsecure-u1p2.router.default.svc.cluster.local
Path:                   <none>
TLS Termination:        <none>
Insecure Policy:        <none>
Endpoint Port:          http

Service:        service-unsecure
Weight:         100 (100%)
Endpoints:      10.128.0.40:8080


We should find a way to avoid the pre-defined subdomain being seized by any user.
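
The claim rule from Comment 1 applied to the scenario above, as an added example for this page (written in Go for illustration; it is not the OpenShift router's own admission code). It assumes a wildcard route claims the whole parent subdomain of its host, that routes are checked in admission order so the earlier claimant keeps the name (as the rejection above shows), and it ignores path-based routes. The Route type, claimKey, conflicts and Router.Admit are this example's own names, and the route objects in main are constructed from the `oc get route` output above.

```go
package main

import (
	"fmt"
	"strings"
)

// Route holds the fields that matter for host claims. Example type for
// this page, not the OpenShift router's own representation.
type Route struct {
	Name      string
	Namespace string
	Host      string
	Wildcard  bool // true when spec.wildcardPolicy is "Subdomain"
}

// parentDomain strips the first label: "www.test.com" -> "test.com".
func parentDomain(host string) string {
	if i := strings.IndexByte(host, '.'); i >= 0 {
		return host[i+1:]
	}
	return host
}

// claimKey is the name a route claims: its exact host, or "*.<parent>"
// for a wildcard route (www.test.com with Subdomain claims *.test.com).
func claimKey(r Route) string {
	if r.Wildcard {
		return "*." + parentDomain(r.Host)
	}
	return r.Host
}

// conflicts applies the rule from Comment 1: claims are exclusive, so
// a.foo.com blocks *.foo.com, *.foo.com blocks a.foo.com (and any other
// *.foo.com), while two different exact hosts coexist.
func conflicts(held, candidate Route) bool {
	if held.Wildcard || candidate.Wildcard {
		return parentDomain(held.Host) == parentDomain(candidate.Host)
	}
	return held.Host == candidate.Host
}

// Router remembers admitted routes in admission order; the earlier
// claimant keeps the name, so later conflicting routes are rejected.
type Router struct {
	admitted []Route
}

// Admit returns "" when the route is accepted, otherwise the rejection
// reason in the spirit of the route status shown above.
func (rt *Router) Admit(r Route) string {
	for _, held := range rt.admitted {
		if conflicts(held, r) {
			return fmt.Sprintf("HostAlreadyClaimed: route %s/%s holds %s",
				held.Namespace, held.Name, claimKey(held))
		}
	}
	rt.admitted = append(rt.admitted, r)
	return ""
}

// main replays Comment 2 with constructed routes: a wildcard route whose
// generated host sits directly under the router suffix claims the whole
// suffix, so every later generated host in another project collides.
func main() {
	rt := &Router{}
	for _, r := range []Route{
		{"test-route", "u1p1", "test-route-u1p1.router.default.svc.cluster.local", true},
		{"service-unsecure", "u1p2", "service-unsecure-u1p2.router.default.svc.cluster.local", false},
	} {
		if reason := rt.Admit(r); reason != "" {
			fmt.Printf("%s/%s rejected: %s\n", r.Namespace, r.Name, reason)
		} else {
			fmt.Printf("%s/%s admitted as %s\n", r.Namespace, r.Name, claimKey(r))
		}
	}
}
```

Running it shows u1p1/test-route admitted as *.router.default.svc.cluster.local and u1p2/service-unsecure rejected, which is exactly why a wildcard route with a generated host must not be allowed: it claims the subdomain every other generated host lives under.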

Comment 3 Ben Bennett 2016-11-09 14:09:02 UTC
Ah, I see.  This is probably just a documentation problem then.

Ram, I think we need to document this case, and the ways to control it.

- Using the --allowed-domains and --denied-domains to restrict it
- Restrict setting the wildcard field with the Role's attributeRestriction field

Comment 4 Ben Bennett 2016-11-09 14:55:27 UTC
Or should we forbid the user to set wildcards when the router is forcing a template?  Or if they claim a name that matches the template?

Comment 5 Meng Bo 2016-11-09 14:58:30 UTC
If we use --denied-domains to forbid the router-provided subdomain from being used for wildcard routes, all the routes with generated hosts will be affected.

Comment 6 Ram Ranganathan 2016-11-10 00:19:57 UTC
Yeah, if it's the generated host name, the recommendation would be to use --denied-domains containing that domain.

@bmeng, this will still allow generated names to work even if the domain is denied - that check is done on admission and the generation is done post admission (depending on the router policy - override host names + use the template for generating host names).

I think the fix here though should be to just not allow wildcards to be set if the host name is empty. I'll fix the validation code.

Comment 7 Ram Ranganathan 2016-11-10 01:03:40 UTC
Fix in PR: https://github.com/openshift/origin/pull/11863


One thing though - if you have a router configured to override the host name and use a template, then you should also not allow wildcard hosts (set the router's policy to not allow wildcards). Will add this along w/ the other bits to the documentation tomorrow.

Comment 8 Troy Dawson 2016-11-11 19:51:18 UTC
This has been merged into ocp and is in OCP v3.4.0.25 or newer.

Comment 10 Meng Bo 2016-11-14 09:01:07 UTC
Checked on openshift v3.4.0.25 and haproxy-router image d081816be024

The problem can still be reproduced.

# cat route2.json 
{
        "kind": "Route",
        "apiVersion": "v1",
        "metadata": {
                "name": "route"
        },
        "spec": {
                "wildcardPolicy": "Subdomain",
                "to": {
                        "kind": "Service",
                        "name": "service-unsecure"
                }
        }
}
# oc create -f route2.json
route "route" created
# oc get route
NAME      HOST/PORT                               PATH      SERVICES           PORT      TERMINATION
route     route-bmengp1.1114-fx3.qe.rhcloud.com             service-unsecure   <all>
# curl test.1114-fx3.qe.rhcloud.com
Hello-OpenShift-1 http-8080

Comment 11 Ram Ranganathan 2016-11-15 19:43:11 UTC
@bmeng, looks like you are using a hostname-template or override-hostname set? Correct? 
In that case, the recommendation would be to also set ROUTER_ALLOW_WILDCARD_ROUTES to false. 

But that said, there was a check on the api server to reject the route with no host and wildcard policy set to subdomain.
See: https://github.com/openshift/origin/blob/master/pkg/route/api/validation/validation.go#L336

Did you rebuild/use a newer version of the api server as well? Let me recheck as well. Thx

Comment 12 Ram Ranganathan 2016-11-15 20:55:35 UTC
Ok - I can see where the error was - it works for unspecified hosts but fails
for generated host names. 
Fix is in PR: https://github.com/openshift/origin/pull/11924
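
The validation rule described in Comments 6, 11 and 12, as an added example for this page (Go, written for illustration; it is not the Origin validation.go code). It assumes that a host filled in by the API server can be recognised by the openshift.io/host.generated=true annotation shown in the `oc describe route` output in Comment 2; the Route type, hostSpecifiedByUser and ValidateWildcardPolicy are this example's own names, and the error text copies the message from Comment 14.

```go
package main

import (
	"errors"
	"fmt"
)

// Constants named for this example; the annotation key is the one shown
// in the `oc describe route` output in Comment 2.
const (
	WildcardPolicyNone      = "None"
	WildcardPolicySubdomain = "Subdomain"
	HostGeneratedAnnotation = "openshift.io/host.generated"
)

// Route carries only the fields the check needs (example type, not the
// Origin API object).
type Route struct {
	Annotations    map[string]string
	Host           string
	WildcardPolicy string
}

// ErrWildcardWithoutHost reproduces the rejection text from Comment 14.
var ErrWildcardWithoutHost = errors.New(
	`spec.wildcardPolicy: Invalid value: "Subdomain": host name not specified for wildcard policy`)

// hostSpecifiedByUser reports whether spec.host came from the user.
// Checking only for an empty host misses the case Comment 12 describes:
// by validation time the API server may already have filled in a
// generated host, so a host tagged openshift.io/host.generated=true is
// treated as unspecified as well. Assumption for this example: every
// generated host carries that annotation.
func hostSpecifiedByUser(r Route) bool {
	if r.Host == "" {
		return false
	}
	return r.Annotations[HostGeneratedAnnotation] != "true"
}

// ValidateWildcardPolicy returns nil when the route may be created.
func ValidateWildcardPolicy(r Route) error {
	switch r.WildcardPolicy {
	case "", WildcardPolicyNone:
		return nil
	case WildcardPolicySubdomain:
		if !hostSpecifiedByUser(r) {
			return ErrWildcardWithoutHost
		}
		return nil
	default:
		// Not on the page; rejecting unknown policies is this example's choice.
		return fmt.Errorf("spec.wildcardPolicy: Unsupported value: %q", r.WildcardPolicy)
	}
}

func main() {
	// Constructed inputs: route2.json from Comment 10 before and after the
	// allocator fills in a generated host, and a route with a user-set host.
	cases := []struct {
		name string
		r    Route
	}{
		{"no host", Route{WildcardPolicy: WildcardPolicySubdomain}},
		{"generated host", Route{
			WildcardPolicy: WildcardPolicySubdomain,
			Host:           "route-bmengp1.1114-fx3.qe.rhcloud.com",
			Annotations:    map[string]string{HostGeneratedAnnotation: "true"},
		}},
		{"explicit host", Route{WildcardPolicy: WildcardPolicySubdomain, Host: "www.wildcard.com"}},
	}
	for _, c := range cases {
		fmt.Printf("%-15s -> %v\n", c.name, ValidateWildcardPolicy(c.r))
	}
}
```

The first two cases are rejected and only the explicit host passes; the first fix would have let the generated-host case through, which is what Comment 10 observed on v3.4.0.25.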

Comment 13 openshift-github-bot 2016-11-16 14:04:18 UTC
Commit pushed to master at https://github.com/openshift/origin

https://github.com/openshift/origin/commit/dcfe5740e9e87ae22af303185ee344169d037bf0
We should not be able to create a route when the host is not specified
and wildcardpolicy is enabled.
Fixes bug 1392862 - https://bugzilla.redhat.com/show_bug.cgi?id=1392862
Rework as per @liggitt review comments.
Fix govet issue.

Comment 14 Meng Bo 2016-11-17 09:03:16 UTC
Issue has been fixed in OCP v3.4.0.27

# oc create -f route2.json
The Route "route" is invalid: spec.wildcardPolicy: Invalid value: "Subdomain": host name not specified for wildcard policy

Comment 15 Meng Bo 2016-11-18 01:55:03 UTC
Moving to verified according to Comment #14.

Comment 17 errata-xmlrpc 2017-01-18 12:50:55 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0066

