Bug 1952460 - In k8s 1.21 bump '[sig-network] Firewall rule control plane should not expose well-known ports' test is disabled
Summary: In k8s 1.21 bump '[sig-network] Firewall rule control plane should not expose...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.8
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: 4.8.0
Assignee: Ben Pickard
QA Contact: zhaozhanqi
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-04-22 10:19 UTC by Maciej Szulik
Modified: 2021-07-27 23:03 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-07-27 23:02:52 UTC
Target Upstream Version:




Links
System ID Private Priority Status Summary Last Updated
Github kubernetes kubernetes pull 101488 0 None closed e2e/network/firewall: don't assume nodes are exposed externally 2021-06-07 15:24:40 UTC
Github openshift kubernetes pull 738 0 None closed Bug 1952460: UPSTREAM: 101488: e2e/network/firewall: don't assume nodes are exposed externally 2021-06-07 15:24:39 UTC
Red Hat Product Errata RHSA-2021:2438 0 None None None 2021-07-27 23:03:13 UTC

Description Maciej Szulik 2021-04-22 10:19:15 UTC
In https://github.com/openshift/origin/pull/26054 I'm disabling

 [sig-network] Firewall rule control plane should not expose well-known ports

test, which is consistently failing.

From looking at previous runs I can't find this test being run before, so it might be that the e2eskipper is currently treating gcp, where we run these tests, as gce and includes this test. That's one of the possible theories.

Comment 1 Dan Williams 2021-04-26 15:12:35 UTC
fwiw, the test is doing this:

	ginkgo.It("control plane should not expose well-known ports", func() {
		nodes, err := e2enode.GetReadySchedulableNodes(cs)
		framework.ExpectNoError(err)

		ginkgo.By("Checking well known ports on master and nodes are not exposed externally")
		nodeAddr := e2enode.FirstAddress(nodes, v1.NodeExternalIP)
		if nodeAddr == "" {
			framework.Failf("did not find any node addresses")
		}

		controlPlaneAddresses := framework.GetControlPlaneAddresses(cs)
		for _, instanceAddress := range controlPlaneAddresses {
			assertNotReachableHTTPTimeout(instanceAddress, "/healthz", ports.KubeControllerManagerPort, firewallTestTCPTimeout, true)
			assertNotReachableHTTPTimeout(instanceAddress, "/healthz", kubeschedulerconfig.DefaultKubeSchedulerPort, firewallTestTCPTimeout, true)
		}
		assertNotReachableHTTPTimeout(nodeAddr, "/", ports.KubeletPort, firewallTestTCPTimeout, false)
		assertNotReachableHTTPTimeout(nodeAddr, "/", ports.KubeletReadOnlyPort, firewallTestTCPTimeout, false)
		assertNotReachableHTTPTimeout(nodeAddr, "/", ports.ProxyStatusPort, firewallTestTCPTimeout, false)
	})

Comment 2 Dan Williams 2021-04-26 15:18:39 UTC
But the actual failure is:

fail [github.com/onsi/ginkgo@v4.7.0-origin.0+incompatible/internal/leafnodes/runner.go:113]: Apr 21 12:03:52.111: did not find any node addresses

So... in GCP do our CI cluster nodes have external IPs?

nodeAddr := e2enode.FirstAddress(nodes, v1.NodeExternalIP)

Comment 3 Dan Williams 2021-04-26 15:21:25 UTC
And the answer is no! They don't...

                "addresses": [
                    {
                        "address": "10.0.0.5",
                        "type": "InternalIP"
                    },
                    {
                        "address": "ci-op-m9kcz5zp-2a78c-lnf69-master-2.c.openshift-gce-devel-ci.internal",
                        "type": "InternalDNS"
                    },
                    {
                        "address": "ci-op-m9kcz5zp-2a78c-lnf69-master-2.c.openshift-gce-devel-ci.internal",
                        "type": "Hostname"
                    }
                ],

Comment 4 Dan Williams 2021-04-26 15:22:02 UTC
So that's why it fails. I'll leave it to somebody else on the team to figure out whether the upstream test is wrong or what.
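
The lookup the test performs, and the decision the upstream fix makes when a node has no ExternalIP, as an added example (not the upstream test code or anything from this bug's PRs). The node data is a constructed sample shaped like the address list in comment 3, and the post-fix behaviour is assumed from the PR title ("don't assume nodes are exposed externally"): skip the node-port checks instead of failing, while the control-plane checks still run.

```go
// Added example, not the upstream e2e code: models the ExternalIP lookup
// that produced "did not find any node addresses" and the assumed post-fix
// decision to skip the node-port checks when no ExternalIP exists.
package main

import (
	"encoding/json"
	"fmt"
)

// NodeAddress mirrors the two fields of corev1.NodeAddress the test uses.
type NodeAddress struct {
	Address string `json:"address"`
	Type    string `json:"type"`
}

// Constructed sample: one GCP master with internal addresses only (comment 3).
const sampleNodeAddresses = `[
  {"address": "10.0.0.5", "type": "InternalIP"},
  {"address": "ci-op-m9kcz5zp-2a78c-lnf69-master-2.c.openshift-gce-devel-ci.internal", "type": "InternalDNS"},
  {"address": "ci-op-m9kcz5zp-2a78c-lnf69-master-2.c.openshift-gce-devel-ci.internal", "type": "Hostname"}
]`

// FirstAddress returns the first address of the requested type, or "" when
// there is none (the same contract as e2enode.FirstAddress in the test).
func FirstAddress(addrs []NodeAddress, addrType string) string {
	for _, a := range addrs {
		if a.Type == addrType {
			return a.Address
		}
	}
	return ""
}

// PlanFirewallChecks parses a node's address list and decides whether the
// node-port checks (kubelet, read-only kubelet, kube-proxy) can run. Before
// the fix an empty ExternalIP failed the whole test; the assumed fix skips
// those checks because a node without an ExternalIP is not reachable from
// outside, so there is nothing to assert about its ports.
func PlanFirewallChecks(rawAddrs []byte) (nodeAddr string, skipNodeChecks bool, err error) {
	var addrs []NodeAddress
	if err := json.Unmarshal(rawAddrs, &addrs); err != nil {
		return "", false, err
	}
	nodeAddr = FirstAddress(addrs, "ExternalIP")
	return nodeAddr, nodeAddr == "", nil
}

func main() {
	addr, skip, err := PlanFirewallChecks([]byte(sampleNodeAddresses))
	fmt.Printf("externalIP=%q skipNodeChecks=%v err=%v\n", addr, skip, err)
}
```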

Comment 5 Surya Seetharaman 2021-05-04 06:28:10 UTC
Okay so the fix is already merged upstream. We need to backport it down to origin.

Comment 7 zhaozhanqi 2021-06-08 07:30:26 UTC
move to verified.

Comment 10 errata-xmlrpc 2021-07-27 23:02:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438

