Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1898174

Summary: [OVN] EgressIP does not guard against node IP assignment
Product: OpenShift Container Platform Reporter: Alexander Constantinescu <aconstan>
Component: NetworkingAssignee: Alexander Constantinescu <aconstan>
Networking sub component: ovn-kubernetes QA Contact: huirwang
Status: CLOSED ERRATA Docs Contact:
Severity: high    
Priority: high    
Version: 4.6   
Target Milestone: ---   
Target Release: 4.7.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
: 1898178 (view as bug list) Environment:
Last Closed: 2021-02-24 15:33:36 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1898178    

Description Alexander Constantinescu 2020-11-16 15:22:47 UTC 
Description of problem:

The egress IP functionality of OpenShift with OVN-kubernetes does not guard against an egress IP which references a cluster node's IP address. This is bad because if such a mistake is made it risks destroying that node's networking since the egress setup made will be done on the egress node, which risks not being the same as the node referenced. 


Version-Release number of selected component (if applicable):

4.6 latest

How reproducible:


Steps to Reproduce:
1. Create an Openshift cluster 
2. Label node 1 (node 1 is a node whose IP is on the same subnet as node 2) with k8s.ovn.org/egress-assignable=""
3. Create an EgressIP object specifying an egress IP which is node 2's IP address

Actual results:
 
The egress IP is assigned to node 1  

Expected results:

Should not be assigned and should trigger an event alerting the user that an invalid egress IP assignment has been requested, specifically: "Egress IP: %v for object EgressIP: %s is the IP address of node: %s, this is unsupported"

Additional info:
Comment 1 Alexander Constantinescu 2020-11-16 15:24:02 UTC 
This has been fixed on master (i.e 4.7) with the following PR: https://github.com/openshift/ovn-kubernetes/pull/317. I am thus setting the status to MODIFIED. I will start working on the back-port.
Comment 3 Anurag saxena 2020-11-17 15:08:49 UTC 
@Huiran Could you help verifying it?
Comment 7 errata-xmlrpc 2021-02-24 15:33:36 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633