Bug 1733114 - Add openflow rule whitelisting DNS port 53 for cloud provider metadata IP
Summary: Add openflow rule whitelisting DNS port 53 for cloud provider metadata IP
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.2.0
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
: 4.2.0
Assignee: Alexander Constantinescu
QA Contact: zhaozhanqi
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-07-25 09:01 UTC by Alexander Constantinescu
Modified: 2019-08-20 15:53 UTC (History)
3 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-20 15:53:00 UTC
Target Upstream Version:



Description Alexander Constantinescu 2019-07-25 09:01:50 UTC
Description of problem:

Today, to unblock the GCP team urgently, we had to whitelist DNS port 53 in the SDN. However, the matching openflow rule has not yet been defined.

Version-Release number of selected component (if applicable):

Target version is 4.2.0

How reproducible:

Rule should be defined in "pkg/network/node/ovscontroller.go" in openshift/sdn



Comment 1 Alexander Constantinescu 2019-08-20 15:53:00 UTC
Hi

After discussion within the team, we've come to the conclusion not to create this OVS rule complementing the already existing iptables rules.

The iptables rules already block all TCP/UDP connections to 169.254.169.254 on all ports except port 53. Complementary OVS rules are not needed and would add technical complexity that is not worth the effort (OVS rules do not support negated conditions, e.g. "block all ! port 53").

If there are any arguments against this, please re-open the bug and assign to me.

Best regards
Alexander
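The point in Comment 1 is the difference between the two match languages: iptables can express "metadata IP, any port except 53" in one negated rule, while OpenFlow matches are positive only, so the same policy needs a separate higher-priority allow for port 53 in front of a broader drop. The following is an added, constructed model of both evaluations (not code from the bug or from openshift/sdn); the rule and flow contents are assumptions shaped only by the comment's description.

```python
# Added example (not from the bug or openshift/sdn): a tiny first-match model
# of the two rule languages discussed in Comment 1. iptables fields may be
# negated; OpenFlow matches are positive only, so "everything except port 53"
# needs an explicit higher-priority allow ahead of a broader drop.
from dataclasses import dataclass

METADATA_IP = "169.254.169.254"  # cloud provider metadata address from the bug


@dataclass(frozen=True)
class Packet:
    dst_ip: str
    proto: str  # "tcp" or "udp"
    dst_port: int


def _field_matches(pattern, value):
    """A pattern is a literal, or ("!", literal) for an iptables-style negation."""
    if isinstance(pattern, tuple) and pattern[0] == "!":
        return value != pattern[1]
    return value == pattern


def _matches(match, pkt):
    return all(_field_matches(p, getattr(pkt, f)) for f, p in match.items())


# iptables: evaluated top to bottom, first match wins; "!" negation allowed.
# Assumed shape of the existing rules, based on the comment's description.
IPTABLES_RULES = [
    ({"dst_ip": METADATA_IP, "proto": "tcp", "dst_port": ("!", 53)}, "DROP"),
    ({"dst_ip": METADATA_IP, "proto": "udp", "dst_port": ("!", 53)}, "DROP"),
]

# OpenFlow: highest-priority matching flow wins; no negation, so the port 53
# exception must be its own higher-priority flow in front of the broad drop.
OVS_FLOWS = [
    (200, {"dst_ip": METADATA_IP, "proto": "tcp", "dst_port": 53}, "ACCEPT"),
    (200, {"dst_ip": METADATA_IP, "proto": "udp", "dst_port": 53}, "ACCEPT"),
    (100, {"dst_ip": METADATA_IP}, "DROP"),
]


def iptables_verdict(pkt, rules=IPTABLES_RULES, default="ACCEPT"):
    for match, action in rules:
        if _matches(match, pkt):
            return action
    return default


def ovs_verdict(pkt, flows=OVS_FLOWS, default="ACCEPT"):
    hits = [(prio, action) for prio, match, action in flows if _matches(match, pkt)]
    return max(hits, key=lambda h: h[0])[1] if hits else default


def policies_agree(packets):
    """True when both rule sets give the same verdict for every packet."""
    return all(iptables_verdict(p) == ovs_verdict(p) for p in packets)
```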

