Bug 1921274 - fix MCS blocking iptables rules
Summary: fix MCS blocking iptables rules
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.7
Hardware: Unspecified
OS: Unspecified
urgent
high
Target Milestone: ---
: 4.6.z
Assignee: Dan Winship
QA Contact: Kedar Kulkarni
URL:
Whiteboard:
Depends On: 1915027
Blocks: 1921283
TreeView+ depends on / blocked
 
Reported: 2021-01-27 20:13 UTC by OpenShift BugZilla Robot
Modified: 2021-05-10 14:26 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: An incorrect ovn-kubernetes security rule that was supposed to only block outbound connections also blocked some inbound connections. Consequence: In the general case, around 1 in 10,000 attempts to connect to a pod would fail spuriously. However, if a client intentionally used a restricted range of source ports, it could hit the buggy rule more frequently. Fix: The iptables rule was fixed to only block the intended connections. Result: No spurious failures.
Clone Of:
: 1921283 (view as bug list)
Environment:
Last Closed: 2021-02-17 19:25:10 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift ovn-kubernetes pull 425 0 None closed [release-4.6] Bug 1921274: Fix MCS-blocking iptables rules 2021-02-08 12:09:52 UTC
Red Hat Product Errata RHBA-2021:0424 0 None None None 2021-02-17 19:25:32 UTC

Comment 2 Kedar Kulkarni 2021-02-04 20:57:39 UTC
Hi,
I was able to verify the BZ on OVN cluster using `curl` command to curl 172.30.0.1 as per the instructions. Here's the snippet of one of the curl calls:

===========================================================================================
for i in 22623 22624; do curl  --local-port $i https://172.30.0.1/ -k; done
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
    
  },
  "status": "Failure",
  "message": "forbidden: User \"system:anonymous\" cannot get path \"/\"",
  "reason": "Forbidden",
  "details": {
    
  },
  "code": 403
}{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
    
  },
  "status": "Failure",
  "message": "forbidden: User \"system:anonymous\" cannot get path \"/\"",
  "reason": "Forbidden",
  "details": {
    
  },
  "code": 403
}
===========================================================================================



Nightly Build used:  4.6.0-0.nightly-2021-02-04-091446



For a cluster with SDN, I could not get the curl to work as it gave operation timed out. I also checked the iptable rules on the 4.6 SDN cluster vs 4.7 SDN cluster: 


4.6 Cluster: 
=============
-A OPENSHIFT-BLOCK-OUTPUT -p tcp -m tcp --dport 22623 -j REJECT --reject-with icmp-port-unreachable
-A OPENSHIFT-BLOCK-OUTPUT -p tcp -m tcp --dport 22624 -j REJECT --reject-with icmp-port-unreachable


4.7 Cluster:
=============
-A OPENSHIFT-BLOCK-OUTPUT -p tcp -m tcp --dport 22623 --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
-A OPENSHIFT-BLOCK-OUTPUT -p tcp -m tcp --dport 22624 --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable


Kindly let me know if the BZ is intended to fix the problem with SDN similar to 1915027(fixes both SDN/OVN). I am assuming the fix should have been on applied to both, hence moving it back to Assigned.

Thanks,
KK.

Comment 3 Dan Winship 2021-02-05 13:29:36 UTC
(In reply to Kedar Kulkarni from comment #2)
> I was able to verify the BZ on OVN cluster using `curl` command to curl
> 172.30.0.1 as per the instructions.

> Kindly let me know if the BZ is intended to fix the problem with SDN similar
> to 1915027(fixes both SDN/OVN). I am assuming the fix should have been on
> applied to both, hence moving it back to Assigned.

No, we only did the backport for ovn-kubernetes, so this was the expected behavior. Sorry for not clarifying that.

Comment 6 errata-xmlrpc 2021-02-17 19:25:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6.17 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:0424


Note You need to log in before you can comment on or make changes to this bug.