Bug 1898178 - [OVN] EgressIP does not guard against node IP assignment
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.6
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: 4.6.z
Assignee: Alexander Constantinescu
QA Contact: huirwang
URL:
Whiteboard:
Depends On: 1898174
Blocks:
 
Reported: 2020-11-16 15:24 UTC by Alexander Constantinescu
Modified: 2021-01-18 17:59 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1898174
Environment:
Last Closed: 2021-01-18 17:59:29 UTC
Target Upstream Version:
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | openshift ovn-kubernetes pull 349 | 0 | None | closed | Bug 1898178: [release-4.6] Handle egress IP assignment for node IPs | 2021-01-27 17:09:40 UTC
Red Hat Product Errata | RHSA-2021:0037 | 0 | None | None | None | 2021-01-18 17:59:58 UTC

Description Alexander Constantinescu 2020-11-16 15:24:46 UTC
+++ This bug was initially created as a clone of Bug #1898174 +++

Description of problem:

The egress IP functionality of OpenShift with OVN-Kubernetes does not guard against an egress IP which references a cluster node's IP address. This is bad because, if such a mistake is made, it risks destroying that node's networking, since the egress setup made will be done on the egress node, which risks not being the same as the node referenced.


Version-Release number of selected component (if applicable):

4.6 latest

How reproducible:


Steps to Reproduce:
1. Create an OpenShift cluster
2. Label node 1 (node 1 is a node whose IP is on the same subnet as node 2) with k8s.ovn.org/egress-assignable=""
3. Create an EgressIP object specifying an egress IP which is node 2's IP address

Actual results:
 
The egress IP is assigned to node 1  

Expected results:

Should not be assigned and should trigger an event alerting the user that an invalid egress IP assignment has been requested, specifically: "Egress IP: %v for object EgressIP: %s is the IP address of node: %s, this is unsupported"

Additional info:

--- Additional comment from Alexander Constantinescu on 2020-11-16 15:24:02 UTC ---

This has been fixed on master (i.e. 4.7) with the following PR: https://github.com/openshift/ovn-kubernetes/pull/317. I am thus setting the status to MODIFIED. I will start working on the back-port.
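
The guard requested under "Expected results", sketched in Go as an added example; it is not the code from the linked pull requests. The `node` type, `parseAddr`, `validateEgressIPs`, the acceptance of CIDR-form node addresses, the invalid-IP wording and the sample addresses are all assumptions made for illustration; only the node-IP event text comes from this report.

```go
package main

import (
	"fmt"
	"net"
)

// Event text quoted under "Expected results" in this bug report.
const nodeIPConflictFmt = "Egress IP: %v for object EgressIP: %s is the IP address of node: %s, this is unsupported"
// node is a hypothetical stand-in for a cluster node; Addrs holds plain IPs or CIDRs.
type node struct {
	Name  string
	Addrs []string
}

// parseAddr returns the host IP of "10.0.128.5" or "10.0.128.5/24", or nil if unparsable.
func parseAddr(s string) net.IP {
	if ip, _, err := net.ParseCIDR(s); err == nil {
		return ip
	}
	return net.ParseIP(s)
}

// validateEgressIPs compares parsed addresses (not strings) and returns assignable IPs plus warnings.
func validateEgressIPs(egressIPName string, requested []string, nodes []node) (assignable, warnings []string) {
next:
	for _, raw := range requested {
		ip := net.ParseIP(raw)
		if ip == nil { // wording below is constructed for this example
			warnings = append(warnings, fmt.Sprintf("Egress IP: %q for object EgressIP: %s is not a valid IP", raw, egressIPName))
			continue
		}
		for _, n := range nodes {
			for _, a := range n.Addrs {
				if na := parseAddr(a); na != nil && na.Equal(ip) {
					warnings = append(warnings, fmt.Sprintf(nodeIPConflictFmt, ip, egressIPName, n.Name))
					continue next
				}
			}
		}
		assignable = append(assignable, ip.String())
	}
	return assignable, warnings
}

func main() {
	nodes := []node{{Name: "node-2", Addrs: []string{"10.0.128.5/24"}}} // constructed sample
	fmt.Println(validateEgressIPs("egressip-demo", []string{"10.0.128.5", "10.0.128.100"}, nodes))
}
```

Comparing parsed addresses rather than strings means alternate spellings of a node's address, such as `::ffff:10.0.128.5` or an uncompressed IPv6 form, are rejected as well.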

Comment 5 errata-xmlrpc 2021-01-18 17:59:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.6.12 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:0037

