Bug 1953169 - endpoint slice controller doesn't handle services target port correctly
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.8
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: ---
Target Release: 4.8.0
Assignee: Antonio Ojea
QA Contact: Ross Brattain
URL:
Whiteboard:
Depends On:
Blocks: 1956270
Reported: 2021-04-24 10:29 UTC by Antonio Ojea
Modified: 2021-07-27 23:03 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Multiport Services with named TargetPorts fail to work because OVN tried to match the corresponding Endpoint based on the Service.TargetPort.Name instead of the ServicePort.Name. OVN should match the Endpoints based on the ServicePort.Name and EndpointPort.Name.
Clone Of:
Clones: 1956270
Environment:
Last Closed: 2021-07-27 23:03:30 UTC
Target Upstream Version:
Embargoed:



Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | openshift ovn-kubernetes pull 515 | 0 | None | open | Bug 1953169: endpoint slice controller doesn't handle services target port correctly | 2021-04-24 22:35:34 UTC
Red Hat Product Errata | RHSA-2021:2438 | 0 | None | None | None | 2021-07-27 23:03:47 UTC

Description Antonio Ojea 2021-04-24 10:29:32 UTC
Service targetPort is a selector for the endpoints/endpointslices
controller to create the endpoints based on that container port name.
It is not meant to be used in the Service implementation.
The relation is ServicePort.Name - EndpointPort.Name, however,
ServicePort.Name is only required for multiple ports and it may be empty.
If the endpoint matches the service and there is no name,
that means that it is a single-port service and there is only one endpoint.

Comment 1 Antonio Ojea 2021-04-24 10:29:58 UTC
Fixed upstream by

https://github.com/ovn-org/ovn-kubernetes/pull/2187

Comment 5 Ross Brattain 2021-05-13 00:24:19 UTC
Verified on 4.8.0-0.nightly-2021-05-12-072240

Tested various combinations of Multiport svc with named targetPorts and unnamed ports.

Tested with targetPort.name != endpoint.Port.name

apiVersion: v1
kind: List
items:
  - apiVersion: v1
    kind: ReplicationController
    metadata:
      labels:
        name: test-rc
      name: test-rc
    spec:
      replicas: 10
      template:
        metadata:
          labels:
            name: test-pods
        spec:
          containers:
            - image: quay.io/openshifttest/nginx-alpine@sha256:5d3f3372288b8a93fc9fc7747925df2328c24db41e4b4226126c3af293c5ad88
              name: test-pod
              imagePullPolicy: IfNotPresent
              resources:
                limits:
                  memory: 340Mi
              ports:
              - containerPort: 8080
                name: webcache
              - containerPort: 8443
                name: pcsync-https
  - apiVersion: v1
    kind: Service
    metadata:
      labels:
        name: test-service
      name: test-service
    spec:
      ports:
        - name: http
          port: 27017
          protocol: TCP
          targetPort: webcache
        - name: https
          port: 27018
          protocol: TCP
          targetPort: pcsync-https
      selector:
        name: test-pods


Empty svc.Port.name with targetPort.name.

apiVersion: v1
kind: List
items:
  - apiVersion: v1
    kind: ReplicationController
    metadata:
      labels:
        name: test-rc
      name: test-rc
    spec:
      replicas: 10
      template:
        metadata:
          labels:
            name: test-pods
        spec:
          containers:
            - image: quay.io/openshifttest/nginx-alpine@sha256:5d3f3372288b8a93fc9fc7747925df2328c24db41e4b4226126c3af293c5ad88
              name: test-pod
              imagePullPolicy: IfNotPresent
              resources:
                limits:
                  memory: 340Mi
              ports:
              - containerPort: 8080
                name: webcache
              - containerPort: 8443
                name: pcsync-https
  - apiVersion: v1
    kind: Service
    metadata:
      labels:
        name: test-service
      name: test-service
    spec:
      ports:
        - port: 27017
          protocol: TCP
          targetPort: webcache
      selector:
        name: test-pods
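
Added example (not part of the bug report and not ovn-kubernetes code): a simplified Go model of the two lookups, run over the ports from the two manifests in comment 5. The ServicePort and EndpointPort structs, resolve and the key functions are hypothetical stand-ins, and the endpoint port names assume the endpoints controller copied them from ServicePort.Name.

```go
package main

import "fmt"

// Simplified stand-ins for the Kubernetes API fields involved (assumed shapes, not the real structs).
type ServicePort struct {
	Name       string // optional when the Service has a single port
	Port       int32
	TargetPort string // named container port; input to the endpoints controller only
}
type EndpointPort struct {
	Name string // assumed to be copied from ServicePort.Name by the endpoints controller
	Port int32  // resolved container port number
}

// resolve maps Service port -> backend port, looking up key(sp) among the endpoint port names.
func resolve(svc []ServicePort, eps []EndpointPort, key func(ServicePort) string) map[int32]int32 {
	out := map[int32]int32{}
	for _, sp := range svc {
		for _, ep := range eps {
			if ep.Name == key(sp) {
				out[sp.Port] = ep.Port
				break
			}
		}
	}
	return out
}

// Lookup the bug describes as wrong: keyed on the targetPort name.
func byTargetPort(sp ServicePort) string { return sp.TargetPort }

// Lookup the bug describes as correct; an empty name on both sides is the single-port case.
func byServicePortName(sp ServicePort) string { return sp.Name }

// Constructed from the two manifests in comment 5.
func multiPort() ([]ServicePort, []EndpointPort) {
	return []ServicePort{{"http", 27017, "webcache"}, {"https", 27018, "pcsync-https"}},
		[]EndpointPort{{"http", 8080}, {"https", 8443}}
}
func unnamedPort() ([]ServicePort, []EndpointPort) {
	return []ServicePort{{"", 27017, "webcache"}}, []EndpointPort{{"", 8080}}
}

func main() {
	svc, eps := multiPort()
	fmt.Println(resolve(svc, eps, byTargetPort), resolve(svc, eps, byServicePortName))
	svc, eps = unnamedPort()
	fmt.Println(resolve(svc, eps, byTargetPort), resolve(svc, eps, byServicePortName))
}
```

In this model the targetPort-keyed lookup finds no backend for either manifest, while the ServicePort.Name lookup resolves every Service port.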

Comment 8 errata-xmlrpc 2021-07-27 23:03:30 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438

