Bug 1963079 - KCM/KS: ability to enforce localhost communication with the API server.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: kube-controller-manager
Version: 4.8
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: 4.8.0
Assignee: Lukasz Szaszkiewicz
QA Contact: zhou ying
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-05-21 11:41 UTC by Lukasz Szaszkiewicz
Modified: 2021-07-27 23:09 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-07-27 23:09:41 UTC
Target Upstream Version:


Links
System ID Private Priority Status Summary Last Updated
Github openshift cluster-kube-controller-manager-operator pull 510 0 None open Bug 1963079: a smoke test for preferred host for KCM 2021-05-21 11:42:43 UTC
Github openshift cluster-kube-scheduler-operator pull 351 0 None open Bug 1963079: Add e2e test for preferred host 2021-05-24 15:16:49 UTC
Github openshift kubernetes pull 759 0 None open Bug 1963079: KCM with preferred host support 2021-05-21 11:42:37 UTC
Red Hat Product Errata RHSA-2021:2438 0 None None None 2021-07-27 23:09:56 UTC

Description Lukasz Szaszkiewicz 2021-05-21 11:41:43 UTC
For the past months, we have been involved in many escalations that showed a misconfigured load balancer can cause significant outages. One quick way of ruling out a malfunctioning LB is to switch affected components to use localhost to communicate with Kube API.

We are going to use this BZ to merge a few PRs for KCM and KC to allow that. Once they merge, the support engineers will have an easy way of enforcing localhost communication.

Comment 2 zhou ying 2021-06-01 10:56:18 UTC
Check for the KCM:
[root@localhost ~]# oc get kubecontrollermanager cluster -o yaml 
apiVersion: operator.openshift.io/v1
kind: KubeControllerManager
...
spec:
  logLevel: TraceAll
...
  unsupportedConfigOverrides:
    extendedArguments:
      master:
      - https://api-int.yinzhou601.qe.devcluster.openshift.com:1234
      unsupported-kube-api-over-localhost:
      - "true"

When setting with an invalid API, it still works well.

Check for the KS:
[root@localhost ~]# oc get kubescheduler cluster -o yaml 
apiVersion: operator.openshift.io/v1
kind: KubeScheduler
....
spec:
  logLevel: TraceAll
...
  unsupportedConfigOverrides:
    arguments:
      master:
      - https://api-int.yinzhou601.qe.devcluster.openshift.com:1234/
      unsupported-kube-api-over-localhost:
      - "true"

When setting with an invalid API, KS still works well.
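
An added example, not part of the comment above or of the operators' own code: a Python check that reads the two operator resources as JSON and reports whether the unsupported localhost override is still set, so a temporary troubleshooting change is not left behind unnoticed. The sample documents and the `api-int.example.invalid` host are constructed; the field names are the ones in the YAML above.

```python
import json

FLAG = "unsupported-kube-api-over-localhost"
# The argument map is named differently per operator (see the YAML above).
ARGS_KEY = {"KubeControllerManager": "extendedArguments",
            "KubeScheduler": "arguments"}

# Constructed samples in the shape of `oc get <resource> cluster -o json`.
SAMPLE_KCM = json.loads("""
{"kind": "KubeControllerManager",
 "spec": {"unsupportedConfigOverrides": {"extendedArguments": {
   "master": ["https://api-int.example.invalid:1234"],
   "unsupported-kube-api-over-localhost": ["true"]}}}}
""")
SAMPLE_KS = json.loads(
    '{"kind": "KubeScheduler", "spec": {"unsupportedConfigOverrides": null}}')


def audit_override(cr):
    """Report the localhost and master overrides set on one operator CR."""
    kind = cr.get("kind")
    if kind not in ARGS_KEY:
        raise ValueError(f"unexpected kind: {kind!r}")
    # unsupportedConfigOverrides is null on a cluster with no overrides.
    overrides = (cr.get("spec") or {}).get("unsupportedConfigOverrides") or {}
    args = overrides.get(ARGS_KEY[kind]) or {}

    def values(name):
        raw = args.get(name) or []
        # Values are lists of strings on the page; tolerate a bare scalar too.
        return [str(v) for v in (raw if isinstance(raw, list) else [raw])]

    return {
        "kind": kind,
        "localhost_enforced": any(v.strip().lower() == "true"
                                  for v in values(FLAG)),
        "master_override": values("master"),
        "has_unsupported_overrides": bool(overrides),
    }


if __name__ == "__main__":
    for doc in (SAMPLE_KCM, SAMPLE_KS):
        print(json.dumps(audit_override(doc)))
```

On a live cluster the input would come from `oc get kubecontrollermanager cluster -o json` and `oc get kubescheduler cluster -o json`, parsed with `json.loads`.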

Comment 5 errata-xmlrpc 2021-07-27 23:09:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438

