Bug 1967733 - Bulk adding of CIDR IPS to whitelist is not working
Summary: Bulk adding of CIDR IPS to whitelist is not working
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.4
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 4.7.z
Assignee: Andrey Lebedev
QA Contact: Arvind iyengar
URL:
Whiteboard:
Depends On: 1964486
Blocks: 1971013
 
Reported: 2021-06-03 17:51 UTC by OpenShift BugZilla Robot
Modified: 2022-08-04 22:32 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-06-29 04:19:45 UTC
Target Upstream Version:
Embargoed:




Links
Github openshift router pull 297 (open): [release-4.7] Bug 1967733: template helper - generateHAProxyWhiteListFile, use right arg type (last updated 2021-06-08 01:00:53 UTC)
Red Hat Product Errata RHBA-2021:2502 (last updated 2021-06-29 04:20:08 UTC)

Comment 1 Arvind iyengar 2021-06-11 12:32:12 UTC
Verified in "4.7.0-0.ci.test-2021-06-11-114745-ci-ln-d61bf32-latest" version. With this payload, it is observed that the router does not fail when processing single routes with more than 64 whitelisted IPs:
-------
oc get clusterversion    
NAME      VERSION                                                  AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.7.0-0.ci.test-2021-06-11-114745-ci-ln-d61bf32-latest   True        False         3m13s   Cluster version is 4.7.0-0.ci.test-2021-06-11-114745-ci-ln-d61bf32-latest

oc annotate route service-unsecure haproxy.router.openshift.io/ip_whitelist="192.168.0.0/24 192.168.1.0/24 192.168.2.0/24 192.168.3.0/24 192.168.4.0/24 192.168.5.0/24 192.168.6.0/24 192.168.7.0/24 192.168.8.0/24 192.168.9.0/24 192.168.10.0/24 192.168.11.0/24 192.168.12.0/24 192.168.13.0/24 192.168.14.0/24 192.168.15.0/24 192.168.16.0/24 192.168.17.0/24 192.168.18.0/24 192.168.19.0/24 192.168.20.0/24 192.168.21.0/24 192.168.22.0/24 192.168.23.0/24 192.168.24.0/24 192.168.25.0/24 192.168.26.0/24 192.168.27.0/24 192.168.28.0/24 192.168.29.0/24 192.168.30.0/24 192.168.31.0/24 192.168.32.0/24 192.168.33.0/24 192.168.34.0/24 192.168.35.0/24 192.168.36.0/24 192.168.37.0/24 192.168.38.0/24 192.168.39.0/24 192.168.40.0/24 192.168.41.0/24 192.168.42.0/24 192.168.43.0/24 192.168.44.0/24 192.168.45.0/24 192.168.46.0/24 192.168.47.0/24 192.168.48.0/24 192.168.49.0/24 192.168.50.0/24 192.168.51.0/24 192.168.52.0/24 192.168.53.0/24 192.168.54.0/24 192.168.55.0/24 192.168.56.0/24 192.168.57.0/24 192.168.58.0/24 192.168.59.0/24 192.168.60.0/24 192.168.61.0/24 192.168.62.0/24 192.168.63.0/24 192.168.64.0/24 192.168.65.0/24 192.168.66.0/24 192.168.67.0/24 192.168.68.0/24 192.168.69.0/24 192.168.70.0/24 192.168.71.0/24 192.168.72.0/24 192.168.73.0/24 192.168.74.0/24 192.168.75.0/24 192.168.76.0/24 192.168.77.0/24 192.168.78.0/24 192.168.79.0/24 192.168.80.0/24 192.168.81.0/24 192.168.82.0/24 192.168.83.0/24 192.168.84.0/24 192.168.85.0/24 192.168.86.0/24 192.168.87.0/24 192.168.88.0/24 192.168.89.0/24 192.168.90.0/24 192.168.91.0/24 192.168.92.0/24 192.168.93.0/24 192.168.94.0/24 192.168.95.0/24 192.168.96.0/24 192.168.97.0/24 192.168.98.0/24 192.168.99.0/24 192.168.100.0/24 192.168.101.0/24 192.168.102.0/24 192.168.103.0/24 192.168.104.0/24 192.168.105.0/24 192.168.106.0/24 192.168.107.0/24 192.168.108.0/24 192.168.109.0/24 192.168.110.0/24 192.168.111.0/24 192.168.112.0/24 192.168.113.0/24 192.168.114.0/24 192.168.115.0/24 192.168.116.0/24 192.168.117.0/24 192.168.118.0/24 
192.168.119.0/24 192.168.120.0/24 192.168.121.0/24 192.168.122.0/24 192.168.123.0/24 192.168.124.0/24 192.168.125.0/24 192.168.126.0/24 192.168.127.0/24 192.168.128.0/24 192.168.129.0/24 192.168.130.0/24 192.168.131.0/24 192.168.132.0/24 192.168.133.0/24 192.168.134.0/24 192.168.135.0/24 192.168.136.0/24 192.168.137.0/24 192.168.138.0/24 192.168.139.0/24 192.168.140.0/24 192.168.141.0/24 192.168.142.0/24 192.168.143.0/24 192.168.144.0/24 192.168.145.0/24 192.168.146.0/24 192.168.147.0/24 192.168.148.0/24 192.168.149.0/24"


oc get route service-unsecure -o yaml 
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  annotations:
    haproxy.router.openshift.io/ip_whitelist: 192.168.0.0/24 192.168.1.0/24 192.168.2.0/24
      192.168.3.0/24 192.168.4.0/24 192.168.5.0/24 192.168.6.0/24 192.168.7.0/24 192.168.8.0/24
      192.168.9.0/24 192.168.10.0/24 192.168.11.0/24 192.168.12.0/24 192.168.13.0/24
      192.168.14.0/24 192.168.15.0/24 192.168.16.0/24 192.168.17.0/24 192.168.18.0/24
      192.168.19.0/24 192.168.20.0/24 192.168.21.0/24 192.168.22.0/24 192.168.23.0/24
      192.168.24.0/24 192.168.25.0/24 192.168.26.0/24 192.168.27.0/24 192.168.28.0/24
      192.168.29.0/24 192.168.30.0/24 192.168.31.0/24 192.168.32.0/24 192.168.33.0/24
      192.168.34.0/24 192.168.35.0/24 192.168.36.0/24 192.168.37.0/24 192.168.38.0/24
      192.168.39.0/24 192.168.40.0/24 192.168.41.0/24 192.168.42.0/24 192.168.43.0/24
      192.168.44.0/24 192.168.45.0/24 192.168.46.0/24 192.168.47.0/24 192.168.48.0/24
      192.168.49.0/24 192.168.50.0/24 192.168.51.0/24 192.168.52.0/24 192.168.53.0/24
      192.168.54.0/24 192.168.55.0/24 192.168.56.0/24 192.168.57.0/24 192.168.58.0/24
      192.168.59.0/24 192.168.60.0/24 192.168.61.0/24 192.168.62.0/24 192.168.63.0/24
      192.168.64.0/24 192.168.65.0/24 192.168.66.0/24 192.168.67.0/24 192.168.68.0/24
      192.168.69.0/24 192.168.70.0/24 192.168.71.0/24 192.168.72.0/24 192.168.73.0/24
      192.168.74.0/24 192.168.75.0/24 192.168.76.0/24 192.168.77.0/24 192.168.78.0/24
      192.168.79.0/24 192.168.80.0/24 192.168.81.0/24 192.168.82.0/24 192.168.83.0/24
      192.168.84.0/24 192.168.85.0/24 192.168.86.0/24 192.168.87.0/24 192.168.88.0/24
      192.168.89.0/24 192.168.90.0/24 192.168.91.0/24 192.168.92.0/24 192.168.93.0/24
      192.168.94.0/24 192.168.95.0/24 192.168.96.0/24 192.168.97.0/24 192.168.98.0/24
      192.168.99.0/24 192.168.100.0/24 192.168.101.0/24 192.168.102.0/24 192.168.103.0/24
      192.168.104.0/24 192.168.105.0/24 192.168.106.0/24 192.168.107.0/24 192.168.108.0/24
      192.168.109.0/24 192.168.110.0/24 192.168.111.0/24 192.168.112.0/24 192.168.113.0/24
      192.168.114.0/24 192.168.115.0/24 192.168.116.0/24 192.168.117.0/24 192.168.118.0/24
      192.168.119.0/24 192.168.120.0/24 192.168.121.0/24 192.168.122.0/24 192.168.123.0/24
      192.168.124.0/24 192.168.125.0/24 192.168.126.0/24 192.168.127.0/24 192.168.128.0/24
      192.168.129.0/24 192.168.130.0/24 192.168.131.0/24 192.168.132.0/24 192.168.133.0/24
      192.168.134.0/24 192.168.135.0/24 192.168.136.0/24 192.168.137.0/24 192.168.138.0/24
      192.168.139.0/24 192.168.140.0/24 192.168.141.0/24 192.168.142.0/24 192.168.143.0/24
      192.168.144.0/24 192.168.145.0/24 192.168.146.0/24 192.168.147.0/24 192.168.148.0/24
      192.168.149.0/24
    openshift.io/host.generated: "true"
  creationTimestamp: "2021-06-11T12:26:19Z"
  labels:
    name: service-unsecure
  name: service-unsecure
  namespace: test1
  resourceVersion: "30778"
  uid: a6773cda-6d19-4c2c-9dac-7c1537971468
spec:
  host: service-unsecure-test1.apps.ci-ln-d61bf32-f76d1.origin-ci-int-gce.dev.openshift.com
  port:
    targetPort: http
  to:
    kind: Service
    name: service-unsecure
    weight: 100
  wildcardPolicy: None
status:
  ingress:
  - conditions:
    - lastTransitionTime: "2021-06-11T12:26:19Z"
      status: "True"
      type: Admitted
    host: service-unsecure-test1.apps.ci-ln-d61bf32-f76d1.origin-ci-int-gce.dev.openshift.com
    routerCanonicalHostname: apps.ci-ln-d61bf32-f76d1.origin-ci-int-gce.dev.openshift.com
    routerName: default
    wildcardPolicy: None
    

oc -nopenshift-ingress logs  router-default-6484db9658-g7l7c
I0611 12:07:40.991761       1 template.go:433] router "msg"="starting router"  "version"="majorFromGit: \nminorFromGit: \ncommitFromGit: 53d02000\nversionFromGit: v0.0.0-unknown\ngitTreeState: dirty\nbuildDate: 2021-06-11T11:41:46Z\n"
I0611 12:07:40.994909       1 metrics.go:154] metrics "msg"="router health and metrics port listening on HTTP and HTTPS"  "address"="0.0.0.0:1936"
I0611 12:07:41.003342       1 router.go:191] template "msg"="creating a new template router"  "writeDir"="/var/lib/haproxy"
I0611 12:07:41.003431       1 router.go:270] template "msg"="router will coalesce reloads within an interval of each other"  "interval"="5s"
I0611 12:07:41.004086       1 router.go:332] template "msg"="watching for changes"  "path"="/etc/pki/tls/private"
I0611 12:07:41.004180       1 router.go:262] router "msg"="router is including routes in all namespaces"  
E0611 12:07:41.115400       1 haproxy.go:418] can't scrape HAProxy: dial unix /var/lib/haproxy/run/haproxy.sock: connect: no such file or directory
I0611 12:07:41.194641       1 router.go:579] template "msg"="router reloaded"  "output"=" - Checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0611 12:07:46.146599       1 router.go:579] template "msg"="router reloaded"  "output"=" - Checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0611 12:07:59.985648       1 router.go:579] template "msg"="router reloaded"  "output"=" - Checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0611 12:08:04.965102       1 router.go:579] template "msg"="router reloaded"  "output"=" - Checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0611 12:08:09.971338       1 router.go:579] template "msg"="router reloaded"  "output"=" - Checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0611 12:08:19.059073       1 router.go:579] template "msg"="router reloaded"  "output"=" - Checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0611 12:08:24.033469       1 router.go:579] template "msg"="router reloaded"  "output"=" - Checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0611 12:08:44.691687       1 router.go:579] template "msg"="router reloaded"  "output"=" - Checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0611 12:08:49.687324       1 router.go:579] template "msg"="router reloaded"  "output"=" - Checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0611 12:09:46.587138       1 router.go:579] template "msg"="router reloaded"  "output"=" - Checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"


haproxy configuration file with the "acl" txt file added:
backend be_http:test1:service-unsecure
  mode http
  option redispatch
  option forwardfor
  balance leastconn
  acl whitelist src -f /var/lib/haproxy/router/whitelists/test1:service-unsecure.txt
  tcp-request content reject if !whitelist

-------
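
The mechanism the verification above exercises, as an added example that is not the openshift/router code: the ip_whitelist annotation is parsed, every entry is validated as an IP or CIDR, and the HAProxy ACL is rendered either inline or, for long lists, through a whitelist file referenced with "src -f". The 64-entry threshold, the /var/lib/haproxy/router/whitelists/<namespace>:<route>.txt path layout and the function names are assumptions for this example.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// parseWhitelist rejects anything that is not an IP or CIDR: a malformed
// entry would break the HAProxy reload, so fail loudly instead of emitting it.
func parseWhitelist(annotation string) ([]string, error) {
	var out []string
	for _, tok := range strings.Fields(annotation) {
		if _, _, err := net.ParseCIDR(tok); err != nil && net.ParseIP(tok) == nil {
			return nil, fmt.Errorf("invalid IP or CIDR %q", tok)
		}
		out = append(out, tok)
	}
	return out, nil
}

// renderACL returns the backend ACL lines plus, for long lists, the body of
// the whitelist file HAProxy reads through "src -f <path>". Assumed for this
// example (not the router's code): the switch to a file happens above 64
// entries, the figure the comment gives, and the path layout matches it.
func renderACL(namespace, name, annotation string) (cfg, file string, err error) {
	entries, err := parseWhitelist(annotation)
	if err != nil || len(entries) == 0 {
		return "", "", err // no annotation: no whitelist ACL is emitted
	}
	if len(entries) <= 64 {
		cfg = "  acl whitelist src " + strings.Join(entries, " ") + "\n"
	} else {
		path := fmt.Sprintf("/var/lib/haproxy/router/whitelists/%s:%s.txt", namespace, name)
		cfg = "  acl whitelist src -f " + path + "\n"
		file = strings.Join(entries, "\n") + "\n"
	}
	return cfg + "  tcp-request content reject if !whitelist\n", file, nil
}

func main() { // constructed input: the 150 /24s from the repro above
	var sb strings.Builder
	for i := 0; i < 150; i++ {
		fmt.Fprintf(&sb, "192.168.%d.0/24 ", i)
	}
	cfg, file, err := renderACL("test1", "service-unsecure", sb.String())
	fmt.Print(cfg, "entries in file: ", strings.Count(file, "\n"), " err: ", err, "\n")
}
```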

Comment 4 Arvind iyengar 2021-06-15 05:35:25 UTC
The bug has already been verified via pre-merge workflow. Hence manually setting the status to reflect the same.

Comment 5 OpenShift Automated Release Tooling 2021-06-17 12:29:08 UTC
OpenShift engineering has decided to not ship Red Hat OpenShift Container Platform 4.7.17 due to a regression https://bugzilla.redhat.com/show_bug.cgi?id=1973006. All the fixes which were part of 4.7.17 will now be part of 4.7.18 and are planned to be available in the candidate channel on June 23 2021 and in the fast channel on June 28th.

Comment 9 errata-xmlrpc 2021-06-29 04:19:45 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.7.18 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:2502

