1921274 – fix MCS blocking iptables rules

Bug 1921274 - fix MCS blocking iptables rules

Summary: fix MCS blocking iptables rules

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Networking
Sub Component:
Version:	4.7
Hardware:	Unspecified
OS:	Unspecified
Priority:	urgent
Severity:	high
Target Milestone:	---
Target Release:	4.6.z
Assignee:	Dan Winship
QA Contact:	Ying Wang
Docs Contact:
URL:
Whiteboard:
Depends On:	1915027 1998453
Blocks:	1921283
TreeView+	depends on / blocked

Reported:	2021-01-27 20:13 UTC by OpenShift BugZilla Robot
Modified:	2021-09-23 18:58 UTC (History)
CC List:	9 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	Cause: An incorrect ovn-kubernetes security rule that was supposed to only block outbound connections also blocked some inbound connections. Consequence: In the general case, around 1 in 10,000 attempts to connect to a pod would fail spuriously. However, if a client intentionally used a restricted range of source ports, it could hit the buggy rule more frequently. Fix: The iptables rule was fixed to only block the intended connections. Result: No spurious failures.
Clone Of:
Clones:	1921283 (view as bug list)
Environment:
Last Closed:	2021-02-17 19:25:10 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	openshift ovn-kubernetes pull 425	0	None	closed	[release-4.6] Bug 1921274: Fix MCS-blocking iptables rules	2021-02-08 12:09:52 UTC
Red Hat Product Errata	RHBA-2021:0424	0	None	None	None	2021-02-17 19:25:32 UTC

Comment 2 Kedar Kulkarni 2021-02-04 20:57:39 UTC

Hi,
I was able to verify the BZ on OVN cluster using `curl` command to curl 172.30.0.1 as per the instructions. Here's the snippet of one of the curl calls:

===========================================================================================
for i in 22623 22624; do curl  --local-port $i https://172.30.0.1/ -k; done
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
    
  },
  "status": "Failure",
  "message": "forbidden: User \"system:anonymous\" cannot get path \"/\"",
  "reason": "Forbidden",
  "details": {
    
  },
  "code": 403
}{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
    
  },
  "status": "Failure",
  "message": "forbidden: User \"system:anonymous\" cannot get path \"/\"",
  "reason": "Forbidden",
  "details": {
    
  },
  "code": 403
}
===========================================================================================



Nightly Build used:  4.6.0-0.nightly-2021-02-04-091446



For a cluster with SDN, I could not get the curl to work as it gave operation timed out. I also checked the iptable rules on the 4.6 SDN cluster vs 4.7 SDN cluster: 


4.6 Cluster: 
=============
-A OPENSHIFT-BLOCK-OUTPUT -p tcp -m tcp --dport 22623 -j REJECT --reject-with icmp-port-unreachable
-A OPENSHIFT-BLOCK-OUTPUT -p tcp -m tcp --dport 22624 -j REJECT --reject-with icmp-port-unreachable


4.7 Cluster:
=============
-A OPENSHIFT-BLOCK-OUTPUT -p tcp -m tcp --dport 22623 --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
-A OPENSHIFT-BLOCK-OUTPUT -p tcp -m tcp --dport 22624 --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable


Kindly let me know if the BZ is intended to fix the problem with SDN similar to 1915027(fixes both SDN/OVN). I am assuming the fix should have been on applied to both, hence moving it back to Assigned.

Thanks,
KK.

Comment 3 Dan Winship 2021-02-05 13:29:36 UTC

(In reply to Kedar Kulkarni from comment #2)
> I was able to verify the BZ on OVN cluster using `curl` command to curl
> 172.30.0.1 as per the instructions.

> Kindly let me know if the BZ is intended to fix the problem with SDN similar
> to 1915027(fixes both SDN/OVN). I am assuming the fix should have been on
> applied to both, hence moving it back to Assigned.

No, we only did the backport for ovn-kubernetes, so this was the expected behavior. Sorry for not clarifying that.

Comment 6 errata-xmlrpc 2021-02-17 19:25:10 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6.17 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:0424

Comment 7 Mehul Modi 2021-09-23 18:58:19 UTC

Added QE testcase: https://polarion.engineering.redhat.com/polarion/#/project/OSE/workitem?id=OCP-44939

Note You need to log in before you can comment on or make changes to this bug.