Bug 1896704 - Machine API components should honour cluster wide proxy settings
Summary: Machine API components should honour cluster wide proxy settings
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Cloud Compute
Version: 4.6
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
: 4.7.0
Assignee: Joel Speed
QA Contact: Milind Yadav
URL:
Whiteboard:
Depends On:
Blocks: 1896705 1930150
TreeView+ depends on / blocked
 
Reported: 2020-11-11 10:43 UTC by Joel Speed
Modified: 2021-02-24 15:33 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Release Note
Doc Text:
Machine API now honours cluster wide proxy settings. When a ClusterWideProxy is configured, all Machine API components will route traffic via the configured proxy.
Clone Of:
: 1896705 1930150 (view as bug list)
Environment:
Last Closed: 2021-02-24 15:32:36 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift machine-api-operator pull 725 0 None closed Bug 1896704: Inject cluster-wide proxy configuration in to machine-api-controller deployment 2021-02-19 01:41:54 UTC
Red Hat Product Errata RHSA-2020:5633 0 None None None 2021-02-24 15:33:22 UTC

Description Joel Speed 2020-11-11 10:43:36 UTC
Description of problem:

In all environments that leverage the Machine API, components in the machine-api-controllers pod contact external cloud provider APIs.

When a customer has configured a cluster-wide-proxy, they expect all traffic leaving a cluster to route via the configured proxy.

Machine API components currently ignore this setting and route traffic directly to the cloud provider APIs regardless of any configured cluster-wide-proxy.

This means that customers have to make exceptions in their networking configuration and in their security practices to allow Machine API to work in a disconnected/restricted network environment.

Machine API should honour the cluster-wide-proxy settings as all other components within OCP 4 do.


Version-Release number of selected component (if applicable):

All (in particular we want this fixed in 4.6 and 4.7)


How reproducible:

100%

Steps to Reproduce:
1. Create an OCP cluster
2. Create a cluster-wide-proxy 
3. Restrict egress traffic so that only the proxy is allowed egress

Actual results:

Machine API will now be broken as it cannot reach the cloud provider API

Expected results:

Machine API should send traffic to the cloud provider via the proxy

Additional info:

Comment 1 Joel Speed 2020-11-12 12:26:41 UTC
We are making progress on this bug, but still need to work some concerns out with the oVirt provider maintainers. This should merge sometime during the next sprint

Comment 3 Milind Yadav 2020-11-23 04:17:21 UTC
Validating again to , as there is some more config changes needed to confirm this , moving back to ON_QA

Comment 4 Milind Yadav 2020-11-24 12:34:44 UTC
Validated again as earlier I validated on installers which were earlier designed to handle inability of mapi to run on proxy ..

Reran again , machinesets scaled up and down successfully without the earlier workarounds (which were necessary as per the product doc , since mapi didnt supported proxy)

moving to VERIFIED .

Additional info:
Installation team helped out on this config ..

Comment 7 errata-xmlrpc 2021-02-24 15:32:36 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633


Note You need to log in before you can comment on or make changes to this bug.