In 1.20 kube-proxy now expects to use EndpointSlice rather than Endpoints by default, so we need to update the RBAC config for standalone kube-proxy to have permission to read that. (Or alternatively we could update the config to force it to not use EndpointSlice, but we don't want to do that.)
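As an added example (not from this bug report or from the operator's code), here is a small offline check that a ClusterRole grants the read access to EndpointSlices that the description above says standalone kube-proxy needs. The two roles and the name example-kube-proxy are constructed samples, and list plus watch is assumed to be the required read access.

```python
# Added example: offline check that a ClusterRole lets kube-proxy read EndpointSlices.
# The two roles below are constructed samples, not the operator's real manifests.

# Assumption: an informer-based client such as kube-proxy needs list and watch.
REQUIRED_VERBS = {"list", "watch"}

def rule_matches(rule, group, resource):
    """True if an RBAC rule covers the given API group and resource (wildcards included)."""
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    return (group in groups or "*" in groups) and (resource in resources or "*" in resources)

def granted_verbs(role, group, resource):
    """Union of verbs the role grants on group/resource; RBAC rules are purely additive."""
    verbs = set()
    for rule in role.get("rules", []):
        if rule_matches(rule, group, resource):
            verbs.update(rule.get("verbs", []))
    return verbs

def missing_verbs(role, group, resource, required=REQUIRED_VERBS):
    """Verbs still missing for the resource; an empty set means the role is sufficient."""
    verbs = granted_verbs(role, group, resource)
    return set() if "*" in verbs else set(required) - verbs

# Constructed "before" role: reads only the legacy core-group Endpoints.
ROLE_BEFORE = {"kind": "ClusterRole", "metadata": {"name": "example-kube-proxy"}, "rules": [
    {"apiGroups": [""], "resources": ["endpoints", "services"], "verbs": ["list", "watch"]},
    {"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list", "watch"]},
]}

# Constructed "after" role: adds read access to EndpointSlice in discovery.k8s.io.
ROLE_AFTER = {"kind": "ClusterRole", "metadata": {"name": "example-kube-proxy"}, "rules":
    ROLE_BEFORE["rules"] + [
        {"apiGroups": ["discovery.k8s.io"], "resources": ["endpointslices"],
         "verbs": ["list", "watch"]},
    ]}

if __name__ == "__main__":
    for label, role in (("before", ROLE_BEFORE), ("after", ROLE_AFTER)):
        gap = missing_verbs(role, "discovery.k8s.io", "endpointslices")
        print(label, "OK" if not gap else "missing: " + ", ".join(sorted(gap)))
```

The same functions can be pointed at a role exported with `oc get clusterrole <name> -o json` and loaded with `json.load`.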
Verified this bug on 4.7.0-0.nightly-2021-01-04-215816
doh, this was implemented wrong
@zhaoazhanqi does QE test Calico or any other third-party network plugins at all? For the moment, that's the only reliable way of testing that this fix really works. (It has no effect when using openshift-sdn, ovn-kubernetes, or kuryr.) (I'll test it better myself this time before it merges though...) Making this blocker+ since it completely breaks most third-party network plugins.
OK, so actually it looks like this was the last piece needed to get hacked-openshift-sdn-with-standalone-kube-proxy to work. So, you could test by doing "openshift-install create manifests", and then adding this to the manifests/ dir before doing "create cluster":

---
apiVersion: operator.openshift.io/v1
kind: Network
metadata:
  name: cluster
spec:
  defaultNetwork:
    type: OpenShiftSDN
    openshiftSDNConfig:
      mode: NetworkPolicy
      enableUnidling: false
  deployKubeProxy: true
---

Then you can confirm that the cluster comes up with a standalone kube-proxy (pods in -n openshift-kube-proxy), and everything still works.
Thanks Dan. I must have misunderstood this bug. I tried to set up the Calico cluster this time with 4.7.0-0.nightly-2021-01-06-012750, and it works well.

[root@preserve-zzhao calico]# oc get network -o yaml | grep -i networktype:
          f:networkType: {}
          f:networkType: {}
          f:networkType: {}
    networkType: Calico
    networkType: Calico
[root@preserve-zzhao calico]# oc get pod -n openshift-kube-proxy
NAME                         READY   STATUS    RESTARTS   AGE
openshift-kube-proxy-4dhvp   2/2     Running   0          76m
openshift-kube-proxy-f8v7m   2/2     Running   0          64m
openshift-kube-proxy-h7bvm   2/2     Running   0          65m
openshift-kube-proxy-jz7cz   2/2     Running   0          76m
openshift-kube-proxy-pczgz   2/2     Running   0          76m
openshift-kube-proxy-tl6wf   2/2     Running   0          65m

Move this bug to Verified.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2020:5633