1963079 – KCM/KS: ability to enforce localhost communication with the API server.

Bug 1963079 - KCM/KS: ability to enforce localhost communication with the API server.

Summary: KCM/KS: ability to enforce localhost communication with the API server.

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	kube-controller-manager
Sub Component:
Version:	4.8
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	---
Target Release:	4.8.0
Assignee:	Lukasz Szaszkiewicz
QA Contact:	zhou ying
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2021-05-21 11:41 UTC by Lukasz Szaszkiewicz
Modified:	2021-07-27 23:09 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2021-07-27 23:09:41 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Priority	Status	Summary	Last Updated
Github	openshift cluster-kube-controller-manager-operator pull 510	None	open	Bug 1963079: a smoke test for preferred host for KCM	2021-05-21 11:42:43 UTC
Github	openshift cluster-kube-scheduler-operator pull 351	None	open	Bug 1963079: Add e2e test for preferred host	2021-05-24 15:16:49 UTC
Github	openshift kubernetes pull 759	None	open	Bug 1963079: KCM with preferred host support	2021-05-21 11:42:37 UTC
Red Hat Product Errata	RHSA-2021:2438	None	None	None	2021-07-27 23:09:56 UTC

Description Lukasz Szaszkiewicz 2021-05-21 11:41:43 UTC

For the past months, we have been involved in many escalations that showed a misconfigured load balancer can cause a significant outages. One quick way of ruling a malfunctioning LB is to switch affected components to use localhost to communicate with Kube API.

We are going to use this BZ to merge a few PRs for KCM and KC to allow that. Once they merge the support engineers will have an easy way of enforcing localhost communication.

Comment 2 zhou ying 2021-06-01 10:56:18 UTC

Check for the KCM，  :
[root@localhost ~]# oc get kubecontrollermanager cluster -o yaml 
apiVersion: operator.openshift.io/v1
kind: KubeControllerManager
...
spec:
  logLevel: TraceAll
...
  unsupportedConfigOverrides:
    extendedArguments:
      master:
      - https://api-int.yinzhou601.qe.devcluster.openshift.com:1234
      unsupported-kube-api-over-localhost:
      - "true"

when setting with invalid api, still works well. 

Check for the KS:
[root@localhost ~]# oc get kubescheduler cluster -o yaml 
apiVersion: operator.openshift.io/v1
kind: KubeScheduler
....
spec:
  logLevel: TraceAll
...
  unsupportedConfigOverrides:
    arguments:
      master:
      - https://api-int.yinzhou601.qe.devcluster.openshift.com:1234/
      unsupported-kube-api-over-localhost:
      - "true"

when setting with invalid api, ks still works well.

Comment 5 errata-xmlrpc 2021-07-27 23:09:41 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438

Note You need to log in before you can comment on or make changes to this bug.