1952460 – In k8s 1.21 bump '[sig-network] Firewall rule control plane should not expose well-known ports' test is disabled

Bug 1952460 - In k8s 1.21 bump '[sig-network] Firewall rule control plane should not expose well-known ports' test is disabled

Summary: In k8s 1.21 bump '[sig-network] Firewall rule control plane should not expose...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Networking
Sub Component:
Version:	4.8
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	high
Target Milestone:	---
Target Release:	4.8.0
Assignee:	Ben Pickard
QA Contact:	zhaozhanqi
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2021-04-22 10:19 UTC by Maciej Szulik
Modified:	2021-07-27 23:03 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2021-07-27 23:02:52 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Github	kubernetes kubernetes pull 101488	None	closed	e2e/network/firewall: don't assume nodes are exposed externally	2021-06-07 15:24:40 UTC
Github	openshift kubernetes pull 738	None	closed	Bug 1952460: UPSTREAM: 101488: e2e/network/firewall: don't assume nodes are exposed externally	2021-06-07 15:24:39 UTC
Red Hat Product Errata	RHSA-2021:2438	None	None	None	2021-07-27 23:03:13 UTC

Description Maciej Szulik 2021-04-22 10:19:15 UTC

In https://github.com/openshift/origin/pull/26054 I'm disabling

 [sig-network] Firewall rule control plane should not expose well-known ports

test, which is consistently failing.

From looking at previous runs I can't find this tests being run before, so it might be that the e2eskipper is currently 
treating gcp where we run these tests as gce and includes this test. That's one of possible theories.

Comment 1 Dan Williams 2021-04-26 15:12:35 UTC

fwiw, the test is doing this:

	ginkgo.It("control plane should not expose well-known ports", func() {
		nodes, err := e2enode.GetReadySchedulableNodes(cs)
		framework.ExpectNoError(err)

		ginkgo.By("Checking well known ports on master and nodes are not exposed externally")
		nodeAddr := e2enode.FirstAddress(nodes, v1.NodeExternalIP)
		if nodeAddr == "" {
			framework.Failf("did not find any node addresses")
		}

		controlPlaneAddresses := framework.GetControlPlaneAddresses(cs)
		for _, instanceAddress := range controlPlaneAddresses {
			assertNotReachableHTTPTimeout(instanceAddress, "/healthz", ports.KubeControllerManagerPort, firewallTestTCPTimeout, true)
			assertNotReachableHTTPTimeout(instanceAddress, "/healthz", kubeschedulerconfig.DefaultKubeSchedulerPort, firewallTestTCPTimeout, true)
		}
		assertNotReachableHTTPTimeout(nodeAddr, "/", ports.KubeletPort, firewallTestTCPTimeout, false)
		assertNotReachableHTTPTimeout(nodeAddr, "/", ports.KubeletReadOnlyPort, firewallTestTCPTimeout, false)
		assertNotReachableHTTPTimeout(nodeAddr, "/", ports.ProxyStatusPort, firewallTestTCPTimeout, false)
	})

Comment 2 Dan Williams 2021-04-26 15:18:39 UTC

But the actual failure is:

fail [github.com/onsi/ginkgo.0-origin.0+incompatible/internal/leafnodes/runner.go:113]: Apr 21 12:03:52.111: did not find any node addresses

So... in GCP do our CI cluster nodes have external IPs?

nodeAddr := e2enode.FirstAddress(nodes, v1.NodeExternalIP)

Comment 3 Dan Williams 2021-04-26 15:21:25 UTC

And the answer is that no! they don't...

                "addresses": [
                    {
                        "address": "10.0.0.5",
                        "type": "InternalIP"
                    },
                    {
                        "address": "ci-op-m9kcz5zp-2a78c-lnf69-master-2.c.openshift-gce-devel-ci.internal",
                        "type": "InternalDNS"
                    },
                    {
                        "address": "ci-op-m9kcz5zp-2a78c-lnf69-master-2.c.openshift-gce-devel-ci.internal",
                        "type": "Hostname"
                    }
                ],

Comment 4 Dan Williams 2021-04-26 15:22:02 UTC

So that's why it fails. I'll leave it to somebody else on the team to figure out whether the upstream test is wrong or what.

Comment 5 Surya Seetharaman 2021-05-04 06:28:10 UTC

Okay so the fix is already merged upstream. We need to backport it down to origin.

Comment 7 zhaozhanqi 2021-06-08 07:30:26 UTC

move to verified.

Comment 10 errata-xmlrpc 2021-07-27 23:02:52 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438

Note You need to log in before you can comment on or make changes to this bug.