+++ This bug was initially created as a clone of Bug #1759965 +++ Description of problem: Based on https://cloud.google.com/load-balancing/docs/health-checks#fw-rule the ranges that should be allowed are `"35.191.0.0/16", "209.85.152.0/22", "209.85.204.0/22"` But gcp firewall rule only allows `"35.191.0.0/16", "130.211.0.0/22"` This causes health checks to api server fail when the source IPs is from `"209.85.152.0/22" or "209.85.204.0/22"`` Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: 1. create cluster on GCP 2. Look at the firewall rule for the health checks Actual results: Health checks fail due to firewall rules. Expected results: Correct ranges are allowed Additional info:
Without this the load balancer will be denied access to the apiservers and will incorrectly remove members. We don't have a good method to measure how often we've been seeing this in CI, we may have just been getting lucky and only ending up with NLBs in the 1 of 3 ranges that are currently included which were correct.
4.2 PR: https://github.com/openshift/installer/commit/f0e25273cf9512b4aa99c26acdd153007d046e2d Verified this bug with 4.2.0-0.nightly-2019-10-09-203306, and PASS. Installation is completed successfully. Check source IP range in jialiu-w65g6-master-in-from-health-checks: Source filters IP ranges 209.85.204.0/22 209.85.152.0/22 35.191.0.0/16
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:2922