In https://github.com/openshift/origin/pull/26054 I'm disabling [sig-network] Firewall rule control plane should not expose well-known ports test, which is consistently failing. From looking at previous runs I can't find this test being run before, so it might be that the e2eskipper is currently treating gcp where we run these tests as gce and includes this test. That's one of the possible theories.
fwiw, the test is doing this:

    ginkgo.It("control plane should not expose well-known ports", func() {
        nodes, err := e2enode.GetReadySchedulableNodes(cs)
        framework.ExpectNoError(err)

        ginkgo.By("Checking well known ports on master and nodes are not exposed externally")
        nodeAddr := e2enode.FirstAddress(nodes, v1.NodeExternalIP)
        if nodeAddr == "" {
            framework.Failf("did not find any node addresses")
        }

        controlPlaneAddresses := framework.GetControlPlaneAddresses(cs)
        for _, instanceAddress := range controlPlaneAddresses {
            assertNotReachableHTTPTimeout(instanceAddress, "/healthz", ports.KubeControllerManagerPort, firewallTestTCPTimeout, true)
            assertNotReachableHTTPTimeout(instanceAddress, "/healthz", kubeschedulerconfig.DefaultKubeSchedulerPort, firewallTestTCPTimeout, true)
        }
        assertNotReachableHTTPTimeout(nodeAddr, "/", ports.KubeletPort, firewallTestTCPTimeout, false)
        assertNotReachableHTTPTimeout(nodeAddr, "/", ports.KubeletReadOnlyPort, firewallTestTCPTimeout, false)
        assertNotReachableHTTPTimeout(nodeAddr, "/", ports.ProxyStatusPort, firewallTestTCPTimeout, false)
    })
But the actual failure is:

    fail [github.com/onsi/ginkgo.0-origin.0+incompatible/internal/leafnodes/runner.go:113]: Apr 21 12:03:52.111: did not find any node addresses

So... in GCP do our CI cluster nodes have external IPs?

    nodeAddr := e2enode.FirstAddress(nodes, v1.NodeExternalIP)
And the answer is that no! they don't...

    "addresses": [
        {
            "address": "10.0.0.5",
            "type": "InternalIP"
        },
        {
            "address": "ci-op-m9kcz5zp-2a78c-lnf69-master-2.c.openshift-gce-devel-ci.internal",
            "type": "InternalDNS"
        },
        {
            "address": "ci-op-m9kcz5zp-2a78c-lnf69-master-2.c.openshift-gce-devel-ci.internal",
            "type": "Hostname"
        }
    ],
So that's why it fails. I'll leave it to somebody else on the team to figure out whether the upstream test is wrong or what.
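The lookup described in the comment above, as an added example that is not part of the original report or of the upstream test code: it parses a constructed address list shaped like the one quoted and shows that an ExternalIP lookup comes back empty. The names firstAddress and probeTarget are hypothetical, and reporting "skip" for a node with no external address is an assumption about one way to handle it, not the upstream fix.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// NodeAddress mirrors one entry of a node's status.addresses list.
type NodeAddress struct {
	Type    string `json:"type"`
	Address string `json:"address"`
}

// Constructed sample, shaped like the node status quoted in the comment above.
const sampleAddresses = `[
  {"address": "10.0.0.5", "type": "InternalIP"},
  {"address": "node-1.example.internal", "type": "InternalDNS"},
  {"address": "node-1.example.internal", "type": "Hostname"}
]`

// firstAddress is a simplified stand-in for the lookup the test performs:
// it returns the first address of the wanted type, or "" if there is none.
func firstAddress(addrs []NodeAddress, want string) string {
	for _, a := range addrs {
		if a.Type == want && a.Address != "" {
			return a.Address
		}
	}
	return ""
}

// probeTarget (hypothetical helper) separates "nothing to probe from outside"
// from a real result: skip is true when the node has no ExternalIP, so the
// firewall check neither fails nor silently passes without evidence.
func probeTarget(raw string) (string, bool, error) {
	var addrs []NodeAddress
	if err := json.Unmarshal([]byte(raw), &addrs); err != nil {
		return "", false, err
	}
	addr := firstAddress(addrs, "ExternalIP")
	return addr, addr == "", nil
}

func main() {
	addr, skip, err := probeTarget(sampleAddresses)
	fmt.Printf("addr=%q skip=%v err=%v\n", addr, skip, err)
}
```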
Okay so the fix is already merged upstream. We need to backport it down to origin.
move to verified.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:2438