Bug 1879445 - SameSite hardening breaks sticky load balancing
Summary: SameSite hardening breaks sticky load balancing
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 3.11.0
Hardware: Unspecified
OS: Unspecified
urgent
urgent
Target Milestone: ---
: 3.11.z
Assignee: Miheer Salunke
QA Contact: Arvind iyengar
URL:
Whiteboard:
Depends On: 1889868 1892775 1893657
Blocks: 1881997
 
Reported: 2020-09-16 10:16 UTC by Robert Heinzmann
Modified: 2024-03-25 16:30 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1881997 (view as bug list)
Environment:
Last Closed: 2020-11-18 14:09:55 UTC
Target Upstream Version:
Embargoed:
misalunk: needinfo-
hongli: needinfo-
misalunk: needinfo-
misalunk: needinfo-




Links
System ID Private Priority Status Summary Last Updated
Github openshift origin pull 25542 0 None closed Bug 1879445: Add a route annotation for Samesite 2020-12-29 14:51:23 UTC
Red Hat Bugzilla 1891026 0 urgent CLOSED The CI build not downloading updated version of haproxy rpm 2021-02-22 00:41:40 UTC
Red Hat Bugzilla 1891777 0 urgent CLOSED Update to haproxy version 1.8.26 for adding the samesite feature using the attr attribute in haproxy 1.8.26 2021-02-22 00:41:40 UTC
Red Hat Product Errata RHBA-2020:5107 0 None None None 2020-11-18 14:10:44 UTC


Comment 7 Roland Lichti 2020-09-21 09:30:29 UTC
Merging the new haproxy won't solve the whole problem. A per-route configuration (like an annotation) is needed to set the value None, Strict, or Lax (Lax is the automatic default now, so that one may be omitted). Otherwise people would have to set up at least two haproxy routers for the different settings.

Comment 16 Andrew McDermott 2020-10-02 15:20:46 UTC
Target set to next release version while investigation is either
ongoing or pending. Will be considered for earlier release versions
when diagnosed and resolved.

Comment 26 Andrew McDermott 2020-10-20 10:03:35 UTC
A new openshift release is currently in progress and once that completes we can then push the changes for the newer haproxy-1.8.26 so that the RPM can be built and tagged. I expect that to occur today/tomorrow. 

Once that's in place we will resolve any CI issues in the associated change https://github.com/openshift/origin/pull/25542.

Comment 47 Hongan Li 2020-11-13 06:32:18 UTC
Verified with v3.11.318 and passed

# oc version
oc v3.11.318
kubernetes v1.11.0+d4cacc0
features: Basic-Auth GSSAPI Kerberos SPNEGO

Server https://hongli-311master-etcd-1:8443
openshift v3.11.318
kubernetes v1.11.0+d4cacc0

sh-4.2$ haproxy -v
HA-Proxy version 1.8.26 2020/08/03
Copyright 2000-2020 Willy Tarreau <willy>

sh-4.2$ rpm -qa | grep haproxy
haproxy18-1.8.26-1.el7.x86_64

# default SameSite=None
# curl https://edgeroute-hongli1.apps.1113-9m7.qe.rhcloud.com -v
<---snip--->
< Set-Cookie: a54306d9cf69be3311d72fb44eda92c6=0498e21abad7529161431eec7d46b162; path=/; HttpOnly; Secure; SameSite=None

# oc annotate route edgeroute router.openshift.io/cookie-same-site=Lax
# curl https://edgeroute-hongli1.apps.1113-9m7.qe.rhcloud.com -v
<---snip--->
< Set-Cookie: a54306d9cf69be3311d72fb44eda92c6=0498e21abad7529161431eec7d46b162; path=/; HttpOnly; Secure; SameSite=Lax

# oc annotate route edgeroute router.openshift.io/cookie-same-site=Strict --overwrite
# curl https://edgeroute-hongli1.apps.1113-9m7.qe.rhcloud.com -v
<---snip--->
< Set-Cookie: a54306d9cf69be3311d72fb44eda92c6=0498e21abad7529161431eec7d46b162; path=/; HttpOnly; Secure; SameSite=Strict

A regression test is running now; I will move this to Verified if no issues are found during regression.
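The verification above checks by eye that the Set-Cookie header carries the SameSite value the route annotation requested. The following is an added example (not part of the bug, the fix, or OpenShift itself) that automates that check offline: it pulls Set-Cookie lines out of curl -v output of the shape shown above, parses the cookie attributes, and reports when the SameSite value differs from the expected one, when it is missing (browsers then default to Lax, which is what broke cross-site sticky sessions), or when SameSite=None is sent without Secure, which browsers reject. The sample curl output and the helper names are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Values accepted for the route annotation, as described in the comments above.
VALID_SAMESITE = {"none", "lax", "strict"}

# Constructed sample mirroring the curl -v response lines shown in the verification.
SAMPLE_CURL_OUTPUT = """\
< HTTP/1.1 200 OK
< Set-Cookie: a54306d9cf69be3311d72fb44eda92c6=0498e21abad7529161431eec7d46b162; path=/; HttpOnly; Secure; SameSite=None
< Content-Length: 0
"""


@dataclass
class Cookie:
    name: str
    value: str
    # Attribute names are lower-cased; flag attributes (HttpOnly, Secure) map to None.
    attrs: Dict[str, Optional[str]] = field(default_factory=dict)


def extract_set_cookies(curl_verbose_output: str) -> List[str]:
    """Return the value part of every '< Set-Cookie:' line in curl -v output."""
    found = []
    for line in curl_verbose_output.splitlines():
        line = line.strip()
        if line.startswith("< "):
            line = line[2:]
        if line.lower().startswith("set-cookie:"):
            found.append(line[len("set-cookie:"):].strip())
    return found


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value into name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return Cookie(name.strip(), value.strip(), attrs)


def check_sticky_cookie(header: str, expected_samesite: str) -> List[str]:
    """Return findings for one cookie; an empty list means it matches expectations."""
    expected = expected_samesite.lower()
    if expected not in VALID_SAMESITE:
        raise ValueError(f"unsupported SameSite value: {expected_samesite}")
    cookie = parse_set_cookie(header)
    findings: List[str] = []
    raw = cookie.attrs.get("samesite")
    actual = raw.lower() if raw else None
    if actual is None:
        findings.append("SameSite missing; browsers default to Lax, which breaks "
                        "cross-site sticky sessions")
    elif actual != expected:
        findings.append(f"SameSite={actual} but route requested {expected_samesite}")
    # A SameSite=None cookie is only accepted by browsers when it is also Secure.
    if actual == "none" and "secure" not in cookie.attrs:
        findings.append("SameSite=None requires the Secure attribute")
    if "httponly" not in cookie.attrs:
        findings.append("HttpOnly missing on session cookie")
    return findings


def audit_curl_output(curl_verbose_output: str, expected_samesite: str) -> Dict[str, List[str]]:
    """Map each cookie name in the curl output to its list of findings."""
    report = {}
    for header in extract_set_cookies(curl_verbose_output):
        report[parse_set_cookie(header).name] = check_sticky_cookie(header, expected_samesite)
    return report


if __name__ == "__main__":
    for expected in ("None", "Lax", "Strict"):
        print(expected, audit_curl_output(SAMPLE_CURL_OUTPUT, expected))
```

Run the script with curl -v output piped into it (or pasted into SAMPLE_CURL_OUTPUT) after each oc annotate step; the expected value is whatever router.openshift.io/cookie-same-site was set to, and a non-empty findings list marks a route whose cookie would not survive a cross-site request.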

Comment 48 Hongan Li 2020-11-13 12:49:34 UTC
No issues found during the regression test; moving to VERIFIED.

Comment 49 Miheer Salunke 2020-11-16 09:44:32 UTC
Thanks @hongli !

Comment 51 errata-xmlrpc 2020-11-18 14:09:55 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 3.11.318 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:5107

