Bug 1909791 - Update standalone kube-proxy config for EndpointSlice
Summary: Update standalone kube-proxy config for EndpointSlice
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.7
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.7.0
Assignee: Dan Winship
QA Contact: zhaozhanqi
Depends On:
Reported: 2020-12-21 16:20 UTC by Dan Winship
Modified: 2021-02-24 15:47 UTC (History)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Last Closed: 2021-02-24 15:47:19 UTC
Target Upstream Version:


System ID Private Priority Status Summary Last Updated
Github openshift cluster-network-operator pull 926 0 None closed Bug 1909791: Standlone kube-proxy needs to list EndpointSlices now 2021-02-04 17:14:17 UTC
Github openshift cluster-network-operator pull 931 0 None closed Bug 1909791: Fix EndpointSlice addition to standalone kube-proxy RBAC role 2021-02-04 17:14:16 UTC
Red Hat Product Errata RHSA-2020:5633 0 None None None 2021-02-24 15:47:42 UTC

Description Dan Winship 2020-12-21 16:20:11 UTC
In 1.20 kube-proxy now expects to use EndpointSlice rather than Endpoints by default, so we need to update the RBAC config for standalone kube-proxy to have permission to read that.

(Or alternatively we could update the config to force it to not use EndpointSlice, but we don't want to do that.)
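
An added example (not from this bug report or from cluster-network-operator) of checking whether a role's RBAC rules grant the EndpointSlice read access the description says kube-proxy needs in 1.20. The three rule sets are constructed samples; the "misplaced" one is a generic illustration of a rule under the wrong API group, not a reconstruction of the error that pull 931 corrected. The check ignores resourceNames and non-resource URLs.

```python
# Added example: constructed rule sets, not the operator's real manifests.

# kube-proxy drives its informers with list+watch; in EndpointSlice mode it
# reads Services (core group "") and EndpointSlices (group discovery.k8s.io).
REQUIRED = [
    ("", "services", "list"), ("", "services", "watch"),
    ("discovery.k8s.io", "endpointslices", "list"),
    ("discovery.k8s.io", "endpointslices", "watch"),
]

def rule_allows(rule, group, resource, verb):
    """True if a single PolicyRule grants verb on group/resource.
    RBAC matches apiGroups, resources and verbs within the same rule;
    "*" in any of the three lists is a wildcard."""
    def match(values, wanted):
        return "*" in values or wanted in values
    return (match(rule.get("apiGroups", []), group)
            and match(rule.get("resources", []), resource)
            and match(rule.get("verbs", []), verb))

def missing_permissions(rules, required=REQUIRED):
    """Return the required (group, resource, verb) tuples that no rule grants."""
    return [req for req in required
            if not any(rule_allows(r, *req) for r in rules)]

# Constructed: an Endpoints-era role with no EndpointSlice access.
OLD_RULES = [
    {"apiGroups": [""], "resources": ["services", "endpoints"],
     "verbs": ["list", "watch"]},
]
# Constructed: endpointslices appended to the core-group rule. The resource
# lives in discovery.k8s.io, so this grants nothing kube-proxy can use.
MISPLACED_RULES = [
    {"apiGroups": [""], "resources": ["services", "endpoints", "endpointslices"],
     "verbs": ["list", "watch"]},
]
# Constructed: a separate rule scoped to the discovery.k8s.io group.
FIXED_RULES = OLD_RULES + [
    {"apiGroups": ["discovery.k8s.io"], "resources": ["endpointslices"],
     "verbs": ["list", "watch"]},
]

if __name__ == "__main__":
    for name, rules in [("old", OLD_RULES), ("misplaced", MISPLACED_RULES),
                        ("fixed", FIXED_RULES)]:
        print(name, missing_permissions(rules) or "ok")
```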

Comment 3 zhaozhanqi 2021-01-05 04:09:43 UTC
Verified this bug on 4.7.0-0.nightly-2021-01-04-215816

Comment 4 Dan Winship 2021-01-05 12:13:35 UTC
doh, this was implemented wrong

Comment 5 Dan Winship 2021-01-05 12:19:57 UTC
@zhaoazhanqi does QE test Calico or any other third-party network plugins at all? For the moment, that's the only reliable way of testing that this fix really works. (It has no effect when using openshift-sdn, ovn-kubernetes, or kuryr.)

(I'll test it better myself this time before it merges though...)

Making this blocker+ since it completely breaks most third-party network plugins.

Comment 6 Dan Winship 2021-01-05 13:21:30 UTC
OK, so actually it looks like this was the last piece needed to get hacked-openshift-sdn-with-standalone-kube-proxy to work. So, you could test by doing "openshift-install create manifests", and then adding this to the manifests/ dir before doing "create cluster":


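apiVersion: operator.openshift.io/v1
kind: Network
metadata:
  name: cluster
spec:
  defaultNetwork:
    type: OpenShiftSDN
    openshiftSDNConfig:
      mode: NetworkPolicy
      enableUnidling: false
  # run a standalone kube-proxy alongside openshift-sdn
  deployKubeProxy: true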


Then you can confirm that the cluster comes up with a standalone kube-proxy (pods in -n openshift-kube-proxy), and everything still works.

Comment 8 zhaozhanqi 2021-01-06 08:31:46 UTC
Thanks Dan. I must have misunderstood this bug.

I tried to set up the Calico cluster this time with 4.7.0-0.nightly-2021-01-06-012750, and it works well.

[root@preserve-zzhao calico]# oc get network -o yaml | grep -i networktype:
          f:networkType: {}
          f:networkType: {}
          f:networkType: {}
    networkType: Calico
    networkType: Calico

[root@preserve-zzhao calico]# oc get pod -n openshift-kube-proxy
NAME                         READY   STATUS    RESTARTS   AGE
openshift-kube-proxy-4dhvp   2/2     Running   0          76m
openshift-kube-proxy-f8v7m   2/2     Running   0          64m
openshift-kube-proxy-h7bvm   2/2     Running   0          65m
openshift-kube-proxy-jz7cz   2/2     Running   0          76m
openshift-kube-proxy-pczgz   2/2     Running   0          76m
openshift-kube-proxy-tl6wf   2/2     Running   0          65m

Move this bug to Verified.

Comment 10 errata-xmlrpc 2021-02-24 15:47:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

