Bug 1752371 - [kuryr]etcd traffic from service subnet to master nodes blocked
Summary: [kuryr]etcd traffic from service subnet to master nodes blocked
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.2.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: urgent
Target Milestone: ---
Target Release: 4.2.0
Assignee: Maysa Macedo
QA Contact: Jon Uriarte
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-09-16 08:12 UTC by Maysa Macedo
Modified: 2019-10-16 06:41 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-10-16 06:41:11 UTC
Target Upstream Version:
Embargoed:




Links
System ID | Private | Priority | Status | Summary | Last Updated
Github openshift cluster-network-operator pull 315 | 0 | None | None | None | 2019-09-16 08:33:04 UTC
Red Hat Product Errata RHBA-2019:2922 | 0 | None | None | None | 2019-10-16 06:41:23 UTC

Description Maysa Macedo 2019-09-16 08:12:15 UTC
Description of problem:

With a recent change on the installer that tightens the security group of the master nodes, the API server pods were failing due to:

"Unable to create storage backend: config (&{etcd3 openshift.io {[https://etcd.openshift-etcd.svc:2379] /var/run/secrets/etcd-client/tls.key /var/run/secrets/etcd-client/tls.crt /var/run/configmaps/etcd-serving-ca/ca-bundle.crt} false true {0xc000eaddd0 0xc000eade60} {{apps.openshift.io v1} [{apps.openshift.io } {apps.openshift.io }] false} <nil> 5m0s 1m0s}), err (context deadline exceeded)"

As we created an LBaaS for each SVC, and consequently an amphora VM, the traffic from the SVC subnet to the masters should be allowed on the etcd ports (2379-2380).


Version-Release number of selected component (if applicable):


How reproducible: Always with 4.2.0-0.nightly-2019-09-13.


Steps to Reproduce:
1. Enable Kuryr on the install-config
2. 
3.

Actual results: Installation timeout

Expected results: Installation finished successfully  


Additional info:

Comment 2 Jon Uriarte 2019-10-04 15:42:18 UTC
Verified on 4.2.0-0.nightly-2019-10-02-150642 on top of OSP 13 2019-10-01.1 puddle.

The sg added to masters allows connections to etcd:

$ openstack security group rule list | grep 2379
| bd4d22cf-6289-4f1e-b5a4-d5c4ed765051 | tcp         | None          | 2379:2380   | 7b03d9b9-8d98-4937-afda-c4180a9390cf | 7b03d9b9-8d98-4937-afda-c4180a9390cf |
| c1c35b66-97c8-4c38-8269-311e2b6bbed3 | tcp         | None          | 2379:2379   | None                                 | e025e4d9-7c89-4c4f-be36-1c64f4dac936 |
| ee354b3d-80ed-4cb3-bf37-0b133ec57467 | tcp         | 172.30.0.0/15 | 2379:2380   | None                                 | 7b03d9b9-8d98-4937-afda-c4180a9390cf |

$ openstack security group show 7b03d9b9-8d98-4937-afda-c4180a9390cf
+-----------------+-----------------
| Field           | Value
+-----------------+-----------------
| name            | ostest-mp284-master                                                                                                                                                                            
| rules           |
...
                   created_at='2019-10-03T11:53:23Z', direction='ingress', ethertype='IPv4', id='ee354b3d-80ed-4cb3-bf37-0b133ec57467', port_range_max='2380',
                   port_range_min='2379', protocol='tcp', remote_ip_prefix='172.30.0.0/15', updated_at='2019-10-03T11:53:23Z'
...
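
To confirm on a cluster that a rule like the one above really covers the service subnet, the following added example (not code from the bug, the installer or the cluster-network-operator) reads the JSON form of the same rule listing and reports which etcd ports have no ingress TCP rule on the master security group whose remote IP prefix contains the whole service CIDR. The column names are assumed to match the CLI's table headers, and the sample rules and IDs are constructed placeholders modelled on the output in this comment.

```python
import ipaddress
import json
import sys

# Constructed sample in the shape of `openstack security group rule list -f json`
# (column names assumed to match the CLI table headers; IDs are placeholders).
MASTER_SG = "sg-master-PLACEHOLDER"
SAMPLE_RULES = [
    # master-to-master rule: remote security group, no IP prefix
    {"ID": "rule-1", "IP Protocol": "tcp", "IP Range": None, "Port Range": "2379:2380",
     "Remote Security Group": MASTER_SG, "Security Group": MASTER_SG},
    # the rule the fix adds: service subnet prefix to the etcd ports
    {"ID": "rule-2", "IP Protocol": "tcp", "IP Range": "172.30.0.0/15", "Port Range": "2379:2380",
     "Remote Security Group": None, "Security Group": MASTER_SG},
    # same prefix and ports but on a different security group: must not count
    {"ID": "rule-3", "IP Protocol": "tcp", "IP Range": "172.30.0.0/15", "Port Range": "2379:2380",
     "Remote Security Group": None, "Security Group": "sg-other-PLACEHOLDER"},
]


def parse_port_range(port_range):
    """'2379:2380' -> (2379, 2380); an empty range in the listing means all ports."""
    if not port_range:
        return 1, 65535
    lo, _, hi = port_range.partition(":")
    return int(lo), int(hi or lo)


def uncovered_etcd_ports(rules, master_sg, service_cidr, ports=(2379, 2380)):
    """Return the ports in `ports` that no ingress TCP rule on `master_sg` opens to
    the whole `service_cidr` by remote IP prefix. Remote-security-group rules are
    ignored: they only admit members of that group, not the amphora VMs living on
    the service subnet, which is exactly the gap this bug describes."""
    service_net = ipaddress.ip_network(service_cidr)
    missing = set(ports)
    for rule in rules:
        if rule.get("Security Group") != master_sg or rule.get("IP Protocol") != "tcp":
            continue
        if rule.get("Direction", "ingress") != "ingress":
            continue
        prefix = rule.get("IP Range")
        if not prefix:
            continue
        allowed = ipaddress.ip_network(prefix, strict=False)
        if allowed.version != service_net.version or not service_net.subnet_of(allowed):
            continue
        lo, hi = parse_port_range(rule.get("Port Range"))
        missing -= {p for p in ports if lo <= p <= hi}
    return sorted(missing)


if __name__ == "__main__":
    # Usage: openstack security group rule list -f json | python3 check.py <master-sg-id> <service-cidr>
    gaps = uncovered_etcd_ports(json.load(sys.stdin), sys.argv[1], sys.argv[2])
    print("OK: etcd ports reachable from service subnet" if not gaps else f"BLOCKED etcd ports: {gaps}")
    sys.exit(1 if gaps else 0)
```

The check uses CIDR containment, so a /15 rule is accepted for a /16 service network while a rule on an unrelated prefix or another security group is not.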

Comment 3 errata-xmlrpc 2019-10-16 06:41:11 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2922

