The same change is also need synced to UPI template. https://github.com/openshift/installer/blob/master/upi/gcp/03_security.py#L40 +++ This bug was initially created as a clone of Bug #1759966 +++ +++ This bug was initially created as a clone of Bug #1759965 +++ Description of problem: Based on https://cloud.google.com/load-balancing/docs/health-checks#fw-rule the ranges that should be allowed are `"35.191.0.0/16", "209.85.152.0/22", "209.85.204.0/22"` But gcp firewall rule only allows `"35.191.0.0/16", "130.211.0.0/22"` This causes health checks to api server fail when the source IPs is from `"209.85.152.0/22" or "209.85.204.0/22"`` Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: 1. create cluster on GCP 2. Look at the firewall rule for the health checks Actual results: Health checks fail due to firewall rules. Expected results: Correct ranges are allowed Additional info: --- Additional comment from Scott Dodson on 2019-10-09 14:35:12 UTC --- Without this the load balancer will be denied access to the apiservers and will incorrectly remove members. We don't have a good method to measure how often we've been seeing this in CI, we may have just been getting lucky and only ending up with NLBs in the 1 of 3 ranges that are currently included which were correct. --- Additional comment from Johnny Liu on 2019-10-10 06:24:10 UTC --- 4.2 PR: https://github.com/openshift/installer/commit/f0e25273cf9512b4aa99c26acdd153007d046e2d Verified this bug with 4.2.0-0.nightly-2019-10-09-203306, and PASS. Installation is completed successfully. Check source IP range in jialiu-w65g6-master-in-from-health-checks: Source filters IP ranges 209.85.204.0/22 209.85.152.0/22 35.191.0.0/16
https://github.com/openshift/openshift-docs/pull/17043 is the docs PR. Update incoming.
Not only document, https://github.com/openshift/installer/blob/release-4.2/upi/gcp/03_security.py#L47 also should be fixed, right?
Correct, an installer PR is in flight too: https://github.com/openshift/installer/pull/2488/files. The docs are the most critical aspect for 4.2 GA though. The installer PR might have to merge in the first errata.
Version:4.2.0-0.nightly-2019-10-23-011659 Installation succeed. Checked jliu-b-8cbcl-health-checks's IP ranges 35.191.0.0/16 209.85.152.0/22 209.85.204.0/22 comply with https://github.com/openshift/installer/pull/2488/commits/0d47fdba63d79b65de34fee6d6c1af218ee3b641
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:3151