Bug 1759182 - [4.1 backport] No RBAC method for setting ExternalIPs
Summary: [4.1 backport] No RBAC method for setting ExternalIPs
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.1.z
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.1.z
Assignee: Aniket Bhat
QA Contact: Weibin Liang
Depends On: 1759181
Blocks: 1751840
TreeView+ depends on / blocked
Reported: 2019-10-07 14:41 UTC by Casey Callendrello
Modified: 2020-03-26 14:07 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1752045
Last Closed: 2020-03-26 14:07:09 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
Github openshift cluster-kube-apiserver-operator pull 714 None closed Bug 1759182: Block all externalIPs by default 2020-03-26 14:07:20 UTC
Github openshift origin pull 23826 'None' closed Bug 1759182: Add a RBAC checker for external IP ranger 2020-03-25 21:38:37 UTC
Github openshift origin pull 24390 None open Bug 1793205: Fix typo in type registration for externalipranger. 2020-03-26 14:07:20 UTC

Comment 2 Weibin Liang 2019-12-17 14:51:18 UTC
@anbhat @ccallend

In v4.1, we do not support externalIP: policy: {},  
here is the log from "oc edit networks.config.openshift.io cluster" in both v4.1 and v4.3, 

  - cidr:
    hostPrefix: 23
  networkType: OpenShiftSDN

#### v4.3 support externalIP: policy: {}
  - cidr:
    hostPrefix: 23
  externalIP:                    >>>>>>>>>>>>>> v4.1 do not have this
    policy: {}                   >>>>>>>>>>>>>>
  networkType: OpenShiftSDN

Look like I can not verify this bug in v4.1

Comment 3 zhaozhanqi 2019-12-18 09:01:09 UTC

Check the CRD of 4.1, it did not supported the externalIP yet.

# oc get crd networks.config.openshift.io -o yaml | grep -i external

for 4.2 and after version

# oc get crd networks.config.openshift.io -o yaml | grep -i external -A 10
                description: externalIP defines configuration for controllers that
                  affect Service.ExternalIP. If nil, then ExternalIP is not allowed
                  to be set.
                    description: autoAssignCIDRs is a list of CIDRs from which to
                      automatically assign Service.ExternalIP. These are assigned
                      when the service is of type LoadBalancer. In general, this is
                      only useful for bare-metal clusters. In Openshift 3.x, this
                      was misleadingly called "IngressIPs". Automatically assigned
                      External IPs are not affected by any ExternalIPPolicy rules.
                      Currently, only one entry may be provided.
                      type: string
                    type: array
                    description: policy is a set of restrictions applied to the ExternalIP
                      field. If nil or empty, then ExternalIP is not allowed to be
                        description: allowedCIDRs is the list of allowed CIDRs.
                          type: string
                        type: array
                        description: rejectedCIDRs is the list of disallowed CIDRs.
                          These take precedence over allowedCIDRs.

Comment 8 Weibin Liang 2019-12-19 15:41:29 UTC

You are right, I still see https://bugzilla.redhat.com/show_bug.cgi?id=1751840 in latest v4.1 code.

Wait the new PR for https://bugzilla.redhat.com/show_bug.cgi?id=1751840, then QE can verify this bug.

Comment 11 Dan Winship 2020-01-08 19:41:51 UTC
bug 1758140 and this one are essentially the same bug.

If a normal user can create a service with an ExternalIP in a build of 4.1 that includes origin #23826, then that means this bug has FailedQE

Comment 12 Weibin Liang 2020-01-08 21:44:01 UTC
Verifying failed in 4.1.0-0.nightly-2020-01-06-225053

[root@dhcp-41-193 FILE]# oc login -u testuser-0 -p gPb_u0NtGup-
Login successful.

You don't have any projects. You can try to create a new project, by running

    oc new-project <projectname>

[root@dhcp-41-193 FILE]# oc new-project test
Now using project "test" on server "https://api.qe-weliang-aws41.qe.devcluster.openshift.com:6443".

You can add applications to this project with the 'new-app' command. For example, try:

    oc new-app django-psql-example

to build a new example application in Python. Or use kubectl to deploy a simple Kubernetes application:

    kubectl create deployment hello-node --image=gcr.io/hello-minikube-zero-install/hello-node

[root@dhcp-41-193 FILE]# oc create -f https://raw.githubusercontent.com/weliang1/Openshift_Networking/master/Features/PublishingServices/external-ip.yaml
service/hello-service1 created
pod/hello-pod-1 created
[root@dhcp-41-193 FILE]# oc get svc
NAME             TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)     AGE
hello-service1   ClusterIP   27018/TCP   4s
[root@dhcp-41-193 FILE]#

Comment 18 Scott Dodson 2020-03-26 14:07:09 UTC
4.1 EOL is imminent and it does not make sense to fix this at this point in the lifecycle.

Note You need to log in before you can comment on or make changes to this bug.