Verified in version "4.8.0-0.nightly-2021-06-03-221810". With this payload, the router does not fail when processing single routes with more than 64 whitelisted IPs; in the output below the route is admitted, the backend ACL reads the whitelist from a file, and the router reloads with a passing health check: ------- oc get clusterversion NAME VERSION AVAILABLE PROGRESSING SINCE STATUS version 4.8.0-0.nightly-2021-06-03-221810 True False 3m2s Cluster version is 4.8.0-0.nightly-2021-06-03-221810 oc get route NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD service-unsecure-2 service-unsecure-2-test1a.apps.ci-ln-zmdlxk2-d5d6b.origin-ci-int-aws.dev.rhcloud.com ... 1 more service-unsecure http None oc get route service-unsecure-2 -o yaml apiVersion: route.openshift.io/v1 kind: Route metadata: annotations: haproxy.router.openshift.io/ip_whitelist: 192.168.0.0/24 192.168.1.0/24 192.168.2.0/24 192.168.3.0/24 192.168.4.0/24 192.168.5.0/24 192.168.6.0/24 192.168.7.0/24 192.168.8.0/24 192.168.9.0/24 192.168.10.0/24 192.168.11.0/24 192.168.12.0/24 192.168.13.0/24 192.168.14.0/24 192.168.15.0/24 192.168.16.0/24 192.168.17.0/24 192.168.18.0/24 192.168.19.0/24 192.168.20.0/24 192.168.21.0/24 192.168.22.0/24 192.168.23.0/24 192.168.24.0/24 192.168.25.0/24 192.168.26.0/24 192.168.27.0/24 192.168.28.0/24 192.168.29.0/24 192.168.30.0/24 192.168.31.0/24 192.168.32.0/24 192.168.33.0/24 192.168.34.0/24 192.168.35.0/24 192.168.36.0/24 192.168.37.0/24 192.168.38.0/24 192.168.39.0/24 192.168.40.0/24 192.168.41.0/24 192.168.42.0/24 192.168.43.0/24 192.168.44.0/24 192.168.45.0/24 192.168.46.0/24 192.168.47.0/24 192.168.48.0/24 192.168.49.0/24 192.168.50.0/24 192.168.51.0/24 192.168.52.0/24 192.168.53.0/24 192.168.54.0/24 192.168.55.0/24 192.168.56.0/24 192.168.57.0/24 192.168.58.0/24 192.168.59.0/24 192.168.60.0/24 192.168.61.0/24 192.168.62.0/24 192.168.63.0/24 192.168.64.0/24 192.168.65.0/24 192.168.66.0/24 192.168.67.0/24 192.168.68.0/24 192.168.69.0/24 192.168.70.0/24 192.168.71.0/24 192.168.72.0/24 192.168.73.0/24 192.168.74.0/24 192.168.75.0/24 192.168.76.0/24 192.168.77.0/24 192.168.78.0/24 
192.168.79.0/24 192.168.80.0/24 192.168.81.0/24 192.168.82.0/24 192.168.83.0/24 192.168.84.0/24 192.168.85.0/24 192.168.86.0/24 192.168.87.0/24 192.168.88.0/24 192.168.89.0/24 192.168.90.0/24 192.168.91.0/24 192.168.92.0/24 192.168.93.0/24 192.168.94.0/24 192.168.95.0/24 192.168.96.0/24 192.168.97.0/24 192.168.98.0/24 192.168.99.0/24 192.168.100.0/24 192.168.101.0/24 192.168.102.0/24 192.168.103.0/24 192.168.104.0/24 192.168.105.0/24 192.168.106.0/24 192.168.107.0/24 192.168.108.0/24 192.168.109.0/24 192.168.110.0/24 192.168.111.0/24 192.168.112.0/24 192.168.113.0/24 192.168.114.0/24 192.168.115.0/24 192.168.116.0/24 192.168.117.0/24 192.168.118.0/24 192.168.119.0/24 192.168.120.0/24 192.168.121.0/24 192.168.122.0/24 192.168.123.0/24 192.168.124.0/24 192.168.125.0/24 192.168.126.0/24 192.168.127.0/24 192.168.128.0/24 192.168.129.0/24 192.168.130.0/24 192.168.131.0/24 192.168.132.0/24 192.168.133.0/24 192.168.134.0/24 192.168.135.0/24 192.168.136.0/24 192.168.137.0/24 192.168.138.0/24 192.168.139.0/24 192.168.140.0/24 192.168.141.0/24 192.168.142.0/24 192.168.143.0/24 192.168.144.0/24 192.168.145.0/24 192.168.146.0/24 192.168.147.0/24 192.168.148.0/24 192.168.149.0/24 192.168.150.0/24 192.168.151.0/24 192.168.152.0/24 192.168.153.0/24 192.168.154.0/24 192.168.155.0/24 192.168.156.0/24 192.168.157.0/24 192.168.158.0/24 192.168.159.0/24 192.168.160.0/24 192.168.161.0/24 192.168.162.0/24 192.168.163.0/24 192.168.164.0/24 192.168.165.0/24 192.168.166.0/24 192.168.167.0/24 192.168.168.0/24 192.168.169.0/24 192.168.170.0/24 192.168.171.0/24 192.168.172.0/24 192.168.173.0/24 192.168.174.0/24 192.168.175.0/24 192.168.176.0/24 192.168.177.0/24 192.168.178.0/24 192.168.179.0/24 192.168.180.0/24 192.168.181.0/24 192.168.182.0/24 192.168.183.0/24 192.168.184.0/24 192.168.185.0/24 192.168.186.0/24 192.168.187.0/24 192.168.188.0/24 192.168.189.0/24 192.168.190.0/24 192.168.191.0/24 192.168.192.0/24 192.168.193.0/24 192.168.194.0/24 192.168.195.0/24 192.168.196.0/24 
192.168.197.0/24 192.168.198.0/24 192.168.199.0/24 192.168.200.0/24 openshift.io/host.generated: "true" creationTimestamp: "2021-06-07T05:39:57Z" labels: name: service-unsecure name: service-unsecure-2 namespace: test1a resourceVersion: "87420" uid: 286c8acc-d9b0-4764-8c62-d0b4a9aae221 spec: host: service-unsecure-2-test1a.apps.ci-ln-zmdlxk2-d5d6b.origin-ci-int-aws.dev.rhcloud.com port: targetPort: http to: kind: Service name: service-unsecure weight: 100 wildcardPolicy: None status: ingress: - conditions: - lastTransitionTime: "2021-06-07T05:39:57Z" status: "True" type: Admitted host: service-unsecure-2-test1a.apps.ci-ln-zmdlxk2-d5d6b.origin-ci-int-aws.dev.rhcloud.com routerCanonicalHostname: router-internalapps.internalapps.apps.ci-ln-zmdlxk2-d5d6b.origin-ci-int-aws.dev.rhcloud.com routerName: internalapps wildcardPolicy: None - conditions: - lastTransitionTime: "2021-06-07T05:39:57Z" status: "True" type: Admitted host: service-unsecure-2-test1a.apps.ci-ln-zmdlxk2-d5d6b.origin-ci-int-aws.dev.rhcloud.com routerCanonicalHostname: router-default.apps.ci-ln-zmdlxk2-d5d6b.origin-ci-int-aws.dev.rhcloud.com routerName: default wildcardPolicy: None haproxy.config file entry: backend be_http:test1a:service-unsecure-2 mode http option redispatch option forwardfor balance acl whitelist src -f /var/lib/haproxy/router/whitelists/test1a:service-unsecure-2.txt tcp-request content reject if !whitelist oc -n openshift-ingress logs router-default-6dbff6bd9f-wmsc8 --tail 50 I0607 03:57:54.098280 1 template.go:437] router "msg"="starting router" "version"="majorFromGit: \nminorFromGit: \ncommitFromGit: 207d5463d341947133d344b352aef6abcd80a0c8\nversionFromGit: 4.0.0-306-g207d5463\ngitTreeState: clean\nbuildDate: 2021-06-03T20:48:55Z\n" I0607 03:57:54.101137 1 metrics.go:155] metrics "msg"="router health and metrics port listening on HTTP and HTTPS" "address"="0.0.0.0:1936" I0607 03:57:54.112697 1 router.go:191] template "msg"="creating a new template router" 
"writeDir"="/var/lib/haproxy" I0607 03:57:54.112793 1 router.go:270] template "msg"="router will coalesce reloads within an interval of each other" "interval"="5s" I0607 03:57:54.113382 1 router.go:332] template "msg"="watching for changes" "path"="/etc/pki/tls/private" I0607 03:57:54.113907 1 router.go:262] router "msg"="router is including routes in all namespaces" E0607 03:57:54.227757 1 haproxy.go:418] can't scrape HAProxy: dial unix /var/lib/haproxy/run/haproxy.sock: connect: no such file or directory I0607 03:57:54.308490 1 router.go:579] template "msg"="router reloaded" "output"=" - Proxy protocol on, checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n" I0607 03:57:59.366942 1 router.go:579] template "msg"="router reloaded" "output"=" - Proxy protocol on, checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n" I0607 03:58:04.271629 1 router.go:579] template "msg"="router reloaded" "output"=" - Proxy protocol on, checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n" I0607 03:58:09.283077 1 router.go:579] template "msg"="router reloaded" "output"=" - Proxy protocol on, checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n" I0607 03:59:42.751598 1 router.go:579] template "msg"="router reloaded" "output"=" - Proxy protocol on, checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n" I0607 03:59:47.752862 1 router.go:579] template "msg"="router reloaded" "output"=" - Proxy protocol on, checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n" I0607 04:00:19.716065 1 router.go:579] template "msg"="router reloaded" "output"=" - Proxy protocol on, checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n" -------
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:2438