Bug 1803193 - SG rules allow more traffic to master and worker nodes than should
Summary: SG rules allow more traffic to master and worker nodes than should
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.4.0
Assignee: Maysa Macedo
QA Contact: GenadiC
Depends On:
Blocks: 1832311
Reported: 2020-02-14 16:14 UTC by Maysa Macedo
Modified: 2020-05-06 14:05 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1832311 (view as bug list)
Last Closed: 2020-05-04 11:36:59 UTC
Target Upstream Version:

System | ID | Private | Priority | Status | Summary | Last Updated
Github | openshift cluster-network-operator pull 465 | 0 | None | closed | bug 1803193: Tighten security groups | 2020-05-28 11:07:24 UTC
Red Hat Product Errata | RHBA-2020:0581 | 0 | None | None | None | 2020-05-04 11:37:27 UTC

Description Maysa Macedo 2020-02-14 16:14:30 UTC
Description of problem:

The security group rules created on the Cluster Network Operator need to be
revisited to ensure only the minimum required ports are allowed whenever OSP13
or OSP16 is used with amphora or ovn-octavia providers.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:

Actual results:

Expected results:

Additional info:

Comment 3 Jon Uriarte 2020-04-02 14:41:07 UTC
Verified on 4.4.0-0.nightly-2020-03-31-053841 on OSP 13 (2020-03-25.1) and OSP 16 (RHOS_TRUNK-16.0-RHEL-8-20200324.n.0).

The K8s NP test results and conformance test results are the expected ones.
We filed 2 BZs [*] during this verification as there were some issues but not related to this BZ.


Comment 5 errata-xmlrpc 2020-05-04 11:36:59 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

