The ovn-kubernetes and openshift-sdn rules to block access to the MCS were accidentally interfering with (replies to) connections that happened to randomly pick 22623 or 22624 as the source port.
To verify: try a command such as
curl --local-port 22624 http://google.com/
from inside a pod. It should succeed (in this case, returning an HTTP 301 response) rather than hanging and eventually timing out.
(This bug is being used for both the ovn-kubernetes fix and the openshift-sdn fix and it should be tested on both.)
(In reply to Dan Winship from comment #0)
> To verify: try a command such as
> curl --local-port 22624 http://google.com/
> from inside a pod. It should succeed (in this case, returning an HTTP 301
> response) rather than hanging and eventually timing out.
curl --local-port 22624 https://172.30.0.1/
too. The "google.com" version apparently works with or without the fix, at least on openshift-sdn.
(Note that "curl --local-port 22624 https://172.30.0.1/" will return an error about the certificate being untrusted, which is fine; as long as it doesn't just hang and time out, it passes.)
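The verification step above, written out as a small script that can be run from inside a pod. This is an added example, not a command from the bug thread or from the ovn-kubernetes/openshift-sdn projects; it assumes curl is in the pod image, uses the ports (22623, 22624) and the 172.30.0.1 target named in the thread, and treats only a timeout as a failure, since the untrusted-certificate error is expected when https is used without -k.

```shell
#!/bin/sh
# Added example (not from the bug thread): probe each MCS port as a local
# source port and classify the outcome. Assumes curl is available in the pod.

TARGET="${TARGET:-https://172.30.0.1/}"   # from the thread; override via env
TIMEOUT_SECS="${TIMEOUT_SECS:-10}"        # constructed value: how long a "hang" is

# Map a curl exit status to a verdict for this specific check.
# 0  : HTTP response received (e.g. the google.com 301 case)
# 60 : TLS certificate untrusted, but the TCP/TLS exchange completed (expected)
# 28 : --max-time hit, i.e. replies to our source port never arrived
# 45 : curl could not bind the requested local port (e.g. still in TIME_WAIT)
classify_exit() {
  case "$1" in
    0)  echo "pass (HTTP response received)" ;;
    60) echo "pass (TLS cert untrusted, but the connection completed)" ;;
    28) echo "FAIL (timed out: replies to this source port were dropped)" ;;
    45) echo "inconclusive (could not bind local port, retry later)" ;;
    *)  echo "inconclusive (curl exit $1)" ;;
  esac
}

# Run curl bound to the given local port and print a verdict line.
probe_port() {
  port="$1"
  curl --silent --output /dev/null --max-time "$TIMEOUT_SECS" \
       --local-port "$port" "$TARGET" 2>/dev/null
  classify_exit "$?"
}

# Overall check: every port must yield a "pass" verdict; returns 1 otherwise.
run_check() {
  rc=0
  for port in 22623 22624; do
    verdict="$(probe_port "$port")"
    echo "local port $port -> $verdict"
    case "$verdict" in
      pass*) ;;
      *) rc=1 ;;
    esac
  done
  return "$rc"
}

# Only contact the network when explicitly asked, so sourcing the file is safe.
if [ "${RUN_PROBE:-0}" = 1 ]; then
  run_check
fi
```

Run it inside a pod with `RUN_PROBE=1 sh probe.sh`; a nonzero exit means at least one source port still hangs, which is the symptom of the unfixed rules. Because the port is fixed rather than a range, a second run immediately after the first may hit the TIME_WAIT bind failure, which the script reports as inconclusive rather than as a failure.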
I was able to verify the BZ on OVN and SDN clusters using the `curl` command to curl 172.30.0.1 as per the instructions. Here's the snippet of one of the curl calls:
oc run -it --rm curlpod --image=curlimages/curl -- /bin/sh
If you don't see a command prompt, try pressing enter.
/ $ curl --local-port 22624 https://172.30.0.1/
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
Nightly Build used: 4.7.0-0.nightly-2021-01-26-133503
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.
Added QE test coverage: https://polarion.engineering.redhat.com/polarion/#/project/OSE/workitem?id=OCP-44939