Bug 1918442 - Service Reject ACL does not work on dualstack
Summary: Service Reject ACL does not work on dualstack
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.7
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Target Release: 4.8.0
Assignee: Antonio Ojea
QA Contact: Anurag saxena
Duplicates: 1922159 (view as bug list)
Depends On: 1883957 1918422
Reported: 2021-01-20 17:58 UTC by Antonio Ojea
Modified: 2021-07-27 22:36 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: The OVN idling feature takes precedence over reject ACLs.
Consequence: Kubernetes Services without endpoints did not reject connections.
Fix: Do not create OVN load balancers for newly created Services without endpoints.
Result: A Service without endpoints rejects packets.
Clone Of:
Clones: 1929225 (view as bug list)
Last Closed: 2021-07-27 22:36:15 UTC
Target Upstream Version:


System                 | ID                              | Private | Priority | Status | Summary                                     | Last Updated
Github                 | openshift ovn-kubernetes pull 433 | 0     | None     | closed | Bug 1918442: Fix idling and rejects for 4.7 | 2021-02-18 19:01:23 UTC
Github                 | ovn-org ovn-kubernetes pull 2047  | 0     | None     | closed | Fix reject acl for dualstack                | 2021-02-16 14:05:42 UTC
Red Hat Product Errata | RHSA-2021:2438                    | 0     | None     | None   | None                                        | 2021-07-27 22:36:33 UTC

Description Antonio Ojea 2021-01-20 17:58:05 UTC
Description of problem:

Kubernetes defines that Services without endpoints should be rejected; in order to implement that, OVN-Kubernetes creates ACLs for those services to reject the traffic.

OpenShift has a feature for applications that allows idling the applications: it basically finds the scalable resources (deployments, ...) and scales them down to 0. However, once traffic targeting the service is received, OVN-Kubernetes throws an event to notify the corresponding controller and unidle the application.

As a consequence of Bug 1918422, "empty-lb-events does not take effect for existing load-balancers", both options are mutually exclusive, so services without endpoints in a cluster will only be able either to reject traffic or to be idled, but not both.

Steps to Reproduce:
1. Create a Kubernetes cluster with and without the option
2. Create a service without endpoints
  kubectl create service clusterip noendpoints --tcp 80
3. Try to connect to the service
  curl noendpoints:80

The cluster with ovn-empty-lb-events set will create an event but will never reject services without endpoints.

The cluster without ovn-empty-lb-events set will reject the services without endpoints but will never create the unidling event.
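As an added illustration (not ovn-kubernetes's own code), the following Go package models the rule the Doc Text describes for a dual-stack service: a cluster IP with no endpoints of its family gets a reject ACL and no OVN load balancer, so nothing can take precedence over the ACL, while a cluster IP with endpoints gets a load balancer. The per-IP-family split and the OVN match strings are assumptions made for this example; the cluster IPs and endpoint addresses used are constructed.

```go
package main

import "fmt"
import "net"

// Service holds the Kubernetes Service fields this illustration needs: every
// cluster IP (one per IP family on a dual-stack cluster) and the service port.
type Service struct {
	ClusterIPs []string
	Port       int32
}
// Desired is the set of OVN objects a service should own after reconciliation.
type Desired struct {
	LoadBalancerVIPs []string // "ip:port" VIPs that get an OVN load balancer
	RejectACLs       []string // OVN ACL match strings that reject traffic
}

func isIPv6(ip string) bool { return net.ParseIP(ip).To4() == nil }

// hasEndpointsForFamily reports whether any endpoint shares vip's IP family.
func hasEndpointsForFamily(vip string, endpoints []string) bool {
	for _, ep := range endpoints {
		if isIPv6(ep) == isIPv6(vip) {
			return true
		}
	}
	return false
}

// rejectMatch builds the (assumed) OVN ACL match for rejecting TCP traffic to one VIP.
func rejectMatch(vip string, port int32) string {
	if isIPv6(vip) {
		return fmt.Sprintf("ip6.dst == %s && tcp.dst == %d", vip, port)
	}
	return fmt.Sprintf("ip4.dst == %s && tcp.dst == %d", vip, port)
}

// Reconcile applies the fix's rule to every cluster IP, not just the first: a VIP
// with no endpoints of its family gets a reject ACL and no load balancer (so
// nothing takes precedence over the ACL); a VIP with endpoints gets only an LB.
func Reconcile(svc Service, endpoints []string) Desired {
	var d Desired
	for _, vip := range svc.ClusterIPs {
		if !hasEndpointsForFamily(vip, endpoints) {
			d.RejectACLs = append(d.RejectACLs, rejectMatch(vip, svc.Port))
			continue
		}
		d.LoadBalancerVIPs = append(d.LoadBalancerVIPs, net.JoinHostPort(vip, fmt.Sprint(svc.Port)))
	}
	return d
}
```

Calling Reconcile with no endpoints for a service whose ClusterIPs are an IPv4 and an IPv6 address yields two reject ACLs and no load balancer VIPs; adding an IPv4 endpoint turns only the IPv4 VIP into a load balancer while the IPv6 reject ACL stays.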

Comment 2 Tim Rozet 2021-01-20 20:45:55 UTC
Basically the impact of this bug is that oc idle will not work with ovn-kubernetes on single stack clusters.

Comment 8 Antonio Ojea 2021-04-21 15:09:24 UTC
*** Bug 1922159 has been marked as a duplicate of this bug. ***

Comment 11 errata-xmlrpc 2021-07-27 22:36:15 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

