The ovn-kubernetes and openshift-sdn rules to block access to the MCS were accidentally interfering with (replies to) connections that happened to randomly pick 22623 or 22624 as the source port.

To verify: try a command such as

    curl --local-port 22624 http://google.com/

from inside a pod. It should succeed (in this case, returning an HTTP 301 response) rather than hanging and eventually timing out.

(This bug is being used for both the ovn-kubernetes fix and the openshift-sdn fix and it should be tested on both.)
(In reply to Dan Winship from comment #0)
> To verify: try a command such as
>
>     curl --local-port 22624 http://google.com/
>
> from inside a pod. It should succeed (in this case, returning an HTTP 301
> response) rather than hanging and eventually timing out.

Hm... try

    curl --local-port 22624 https://172.30.0.1/

too. The "google.com" version apparently works with or without the fix, at least on openshift-sdn.

(Note that "curl --local-port 22624 https://172.30.0.1/" will return an error about the certificate being untrusted, which is fine; as long as it doesn't just hang and time out, it passes.)
Hi,

I was able to verify the BZ on OVN and SDN clusters using the `curl` command to curl 172.30.0.1 as per the instructions. Here's the snippet of one of the curl calls:

===========================================================================================
oc run -it --rm curlpod --image=curlimages/curl -- /bin/sh
If you don't see a command prompt, try pressing enter.
/ $ curl --local-port 22624 https://172.30.0.1/
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
===========================================================================================

Nightly Build used: 4.7.0-0.nightly-2021-01-26-133503

Thanks,
KK.
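The check described in the comments above, written up as an added example script (it is not part of the bug report, nor code from ovn-kubernetes or openshift-sdn). It runs the curl test for both MCS ports, 22623 and 22624, against both targets mentioned in the thread, and caps each attempt with --max-time so a cluster that still has the bug fails quickly instead of hanging until TCP gives up. The service IP 172.30.0.1, the 15-second cap, and the mapping of curl exit codes to PASS/FAIL are this example's own assumptions; run it from inside a pod such as the curlimages/curl pod shown in the QE comment with `sh check.sh run`.

```shell
#!/bin/sh
# Added example, not from the bug report: drives the verification described
# above for both MCS ports against both targets, with a timeout so a still
# broken cluster fails fast instead of hanging. Run inside a pod (for
# example the curlimages/curl pod from the QE comment): sh check.sh run
# Assumptions: the service IP 172.30.0.1, the 15-second cap and the exit
# code mapping below are this example's, not the project's.

MCS_PORTS="22623 22624"
TARGETS="https://172.30.0.1/ http://google.com/"
TIMEOUT=15

# Classify a curl exit status for this test. Reaching the server is all that
# matters, so an untrusted certificate (60) passes just like 0. A timeout (28)
# or connection failure (7) means the reply was never let back into the pod.
classify_curl_exit() {
    case "$1" in
        0|60) echo PASS ;;
        7|28) echo FAIL ;;
        *)    echo "UNKNOWN(curl exit $1)" ;;
    esac
}

# Open one connection from the given local (source) port and report PASS/FAIL.
# The reply to this connection arrives with destination port $port, which is
# exactly the traffic the buggy MCS-blocking rule was rejecting.
check_local_port() {
    port="$1"
    url="$2"
    curl --silent --output /dev/null --max-time "$TIMEOUT" \
         --local-port "$port" "$url"
    classify_curl_exit $?
}

# Run every port/target pair; returns 1 if any pair did not pass.
run_all() {
    rc=0
    for port in $MCS_PORTS; do
        for url in $TARGETS; do
            result=$(check_local_port "$port" "$url")
            echo "local port $port -> $url: $result"
            case "$result" in
                PASS) ;;
                *)    rc=1 ;;
            esac
        done
    done
    return $rc
}

if [ "${1:-}" = "run" ]; then
    run_all
fi
```

Drop `--silent` if you want to see curl's certificate error text as in the QE snippet. A result reported as UNKNOWN usually means something other than the cluster rules got in the way, most often that the chosen local port was still in use from an earlier run; wait a moment and retry rather than counting it as a pass or a fail.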
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2020:5633
Added QE test coverage: https://polarion.engineering.redhat.com/polarion/#/project/OSE/workitem?id=OCP-44939