Verified in "4.7.0-0.ci.test-2021-06-11-114745-ci-ln-d61bf32-latest" version. With this payload, it is observed that the router does not fail when processing single routes with more than 64 whitelisted IPs:
-------
oc get clusterversion
NAME      VERSION                                                  AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.7.0-0.ci.test-2021-06-11-114745-ci-ln-d61bf32-latest   True        False         3m13s   Cluster version is 4.7.0-0.ci.test-2021-06-11-114745-ci-ln-d61bf32-latest

oc annotate route service-unsecure haproxy.router.openshift.io/ip_whitelist="192.168.0.0/24 192.168.1.0/24 192.168.2.0/24 192.168.3.0/24 192.168.4.0/24 192.168.5.0/24 192.168.6.0/24 192.168.7.0/24 192.168.8.0/24 192.168.9.0/24 192.168.10.0/24 192.168.11.0/24 192.168.12.0/24 192.168.13.0/24 192.168.14.0/24 192.168.15.0/24 192.168.16.0/24 192.168.17.0/24 192.168.18.0/24 192.168.19.0/24 192.168.20.0/24 192.168.21.0/24 192.168.22.0/24 192.168.23.0/24 192.168.24.0/24 192.168.25.0/24 192.168.26.0/24 192.168.27.0/24 192.168.28.0/24 192.168.29.0/24 192.168.30.0/24 192.168.31.0/24 192.168.32.0/24 192.168.33.0/24 192.168.34.0/24 192.168.35.0/24 192.168.36.0/24 192.168.37.0/24 192.168.38.0/24 192.168.39.0/24 192.168.40.0/24 192.168.41.0/24 192.168.42.0/24 192.168.43.0/24 192.168.44.0/24 192.168.45.0/24 192.168.46.0/24 192.168.47.0/24 192.168.48.0/24 192.168.49.0/24 192.168.50.0/24 192.168.51.0/24 192.168.52.0/24 192.168.53.0/24 192.168.54.0/24 192.168.55.0/24 192.168.56.0/24 192.168.57.0/24 192.168.58.0/24 192.168.59.0/24 192.168.60.0/24 192.168.61.0/24 192.168.62.0/24 192.168.63.0/24 192.168.64.0/24 192.168.65.0/24 192.168.66.0/24 192.168.67.0/24 192.168.68.0/24 192.168.69.0/24 192.168.70.0/24 192.168.71.0/24 192.168.72.0/24 192.168.73.0/24 192.168.74.0/24 192.168.75.0/24 192.168.76.0/24 192.168.77.0/24 192.168.78.0/24 192.168.79.0/24 192.168.80.0/24 192.168.81.0/24 192.168.82.0/24 192.168.83.0/24 192.168.84.0/24 192.168.85.0/24 192.168.86.0/24 192.168.87.0/24 192.168.88.0/24 192.168.89.0/24 192.168.90.0/24 192.168.91.0/24 192.168.92.0/24 192.168.93.0/24 192.168.94.0/24 192.168.95.0/24 192.168.96.0/24 192.168.97.0/24 192.168.98.0/24 192.168.99.0/24 192.168.100.0/24 192.168.101.0/24 192.168.102.0/24 192.168.103.0/24 192.168.104.0/24 192.168.105.0/24 192.168.106.0/24 192.168.107.0/24 192.168.108.0/24 192.168.109.0/24 192.168.110.0/24 192.168.111.0/24 192.168.112.0/24 192.168.113.0/24 192.168.114.0/24 192.168.115.0/24 192.168.116.0/24 192.168.117.0/24 192.168.118.0/24 192.168.119.0/24 192.168.120.0/24 192.168.121.0/24 192.168.122.0/24 192.168.123.0/24 192.168.124.0/24 192.168.125.0/24 192.168.126.0/24 192.168.127.0/24 192.168.128.0/24 192.168.129.0/24 192.168.130.0/24 192.168.131.0/24 192.168.132.0/24 192.168.133.0/24 192.168.134.0/24 192.168.135.0/24 192.168.136.0/24 192.168.137.0/24 192.168.138.0/24 192.168.139.0/24 192.168.140.0/24 192.168.141.0/24 192.168.142.0/24 192.168.143.0/24 192.168.144.0/24 192.168.145.0/24 192.168.146.0/24 192.168.147.0/24 192.168.148.0/24 192.168.149.0/24"

oc get route service-unsecure -o yaml
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  annotations:
    haproxy.router.openshift.io/ip_whitelist: 192.168.0.0/24 192.168.1.0/24 192.168.2.0/24 192.168.3.0/24 192.168.4.0/24 192.168.5.0/24 192.168.6.0/24 192.168.7.0/24 192.168.8.0/24 192.168.9.0/24 192.168.10.0/24 192.168.11.0/24 192.168.12.0/24 192.168.13.0/24 192.168.14.0/24 192.168.15.0/24 192.168.16.0/24 192.168.17.0/24 192.168.18.0/24 192.168.19.0/24 192.168.20.0/24 192.168.21.0/24 192.168.22.0/24 192.168.23.0/24 192.168.24.0/24 192.168.25.0/24 192.168.26.0/24 192.168.27.0/24 192.168.28.0/24 192.168.29.0/24 192.168.30.0/24 192.168.31.0/24 192.168.32.0/24 192.168.33.0/24 192.168.34.0/24 192.168.35.0/24 192.168.36.0/24 192.168.37.0/24 192.168.38.0/24 192.168.39.0/24 192.168.40.0/24 192.168.41.0/24 192.168.42.0/24 192.168.43.0/24 192.168.44.0/24 192.168.45.0/24 192.168.46.0/24 192.168.47.0/24 192.168.48.0/24 192.168.49.0/24 192.168.50.0/24 192.168.51.0/24 192.168.52.0/24 192.168.53.0/24 192.168.54.0/24 192.168.55.0/24 192.168.56.0/24 192.168.57.0/24 192.168.58.0/24 192.168.59.0/24 192.168.60.0/24 192.168.61.0/24 192.168.62.0/24 192.168.63.0/24 192.168.64.0/24 192.168.65.0/24 192.168.66.0/24 192.168.67.0/24 192.168.68.0/24 192.168.69.0/24 192.168.70.0/24 192.168.71.0/24 192.168.72.0/24 192.168.73.0/24 192.168.74.0/24 192.168.75.0/24 192.168.76.0/24 192.168.77.0/24 192.168.78.0/24 192.168.79.0/24 192.168.80.0/24 192.168.81.0/24 192.168.82.0/24 192.168.83.0/24 192.168.84.0/24 192.168.85.0/24 192.168.86.0/24 192.168.87.0/24 192.168.88.0/24 192.168.89.0/24 192.168.90.0/24 192.168.91.0/24 192.168.92.0/24 192.168.93.0/24 192.168.94.0/24 192.168.95.0/24 192.168.96.0/24 192.168.97.0/24 192.168.98.0/24 192.168.99.0/24 192.168.100.0/24 192.168.101.0/24 192.168.102.0/24 192.168.103.0/24 192.168.104.0/24 192.168.105.0/24 192.168.106.0/24 192.168.107.0/24 192.168.108.0/24 192.168.109.0/24 192.168.110.0/24 192.168.111.0/24 192.168.112.0/24 192.168.113.0/24 192.168.114.0/24 192.168.115.0/24 192.168.116.0/24 192.168.117.0/24 192.168.118.0/24 192.168.119.0/24 192.168.120.0/24 192.168.121.0/24 192.168.122.0/24 192.168.123.0/24 192.168.124.0/24 192.168.125.0/24 192.168.126.0/24 192.168.127.0/24 192.168.128.0/24 192.168.129.0/24 192.168.130.0/24 192.168.131.0/24 192.168.132.0/24 192.168.133.0/24 192.168.134.0/24 192.168.135.0/24 192.168.136.0/24 192.168.137.0/24 192.168.138.0/24 192.168.139.0/24 192.168.140.0/24 192.168.141.0/24 192.168.142.0/24 192.168.143.0/24 192.168.144.0/24 192.168.145.0/24 192.168.146.0/24 192.168.147.0/24 192.168.148.0/24 192.168.149.0/24
    openshift.io/host.generated: "true"
  creationTimestamp: "2021-06-11T12:26:19Z"
  labels:
    name: service-unsecure
  name: service-unsecure
  namespace: test1
  resourceVersion: "30778"
  uid: a6773cda-6d19-4c2c-9dac-7c1537971468
spec:
  host: service-unsecure-test1.apps.ci-ln-d61bf32-f76d1.origin-ci-int-gce.dev.openshift.com
  port:
    targetPort: http
  to:
    kind: Service
    name: service-unsecure
    weight: 100
  wildcardPolicy: None
status:
  ingress:
  - conditions:
    - lastTransitionTime: "2021-06-11T12:26:19Z"
      status: "True"
      type: Admitted
    host: service-unsecure-test1.apps.ci-ln-d61bf32-f76d1.origin-ci-int-gce.dev.openshift.com
    routerCanonicalHostname: apps.ci-ln-d61bf32-f76d1.origin-ci-int-gce.dev.openshift.com
    routerName: default
    wildcardPolicy: None

oc -nopenshift-ingress logs router-default-6484db9658-g7l7c
I0611 12:07:40.991761 1 template.go:433] router "msg"="starting router" "version"="majorFromGit: \nminorFromGit: \ncommitFromGit: 53d02000\nversionFromGit: v0.0.0-unknown\ngitTreeState: dirty\nbuildDate: 2021-06-11T11:41:46Z\n"
I0611 12:07:40.994909 1 metrics.go:154] metrics "msg"="router health and metrics port listening on HTTP and HTTPS" "address"="0.0.0.0:1936"
I0611 12:07:41.003342 1 router.go:191] template "msg"="creating a new template router" "writeDir"="/var/lib/haproxy"
I0611 12:07:41.003431 1 router.go:270] template "msg"="router will coalesce reloads within an interval of each other" "interval"="5s"
I0611 12:07:41.004086 1 router.go:332] template "msg"="watching for changes" "path"="/etc/pki/tls/private"
I0611 12:07:41.004180 1 router.go:262] router "msg"="router is including routes in all namespaces"
E0611 12:07:41.115400 1 haproxy.go:418] can't scrape HAProxy: dial unix /var/lib/haproxy/run/haproxy.sock: connect: no such file or directory
I0611 12:07:41.194641 1 router.go:579] template "msg"="router reloaded" "output"=" - Checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0611 12:07:46.146599 1 router.go:579] template "msg"="router reloaded" "output"=" - Checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0611 12:07:59.985648 1 router.go:579] template "msg"="router reloaded" "output"=" - Checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0611 12:08:04.965102 1 router.go:579] template "msg"="router reloaded" "output"=" - Checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0611 12:08:09.971338 1 router.go:579] template "msg"="router reloaded" "output"=" - Checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0611 12:08:19.059073 1 router.go:579] template "msg"="router reloaded" "output"=" - Checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0611 12:08:24.033469 1 router.go:579] template "msg"="router reloaded" "output"=" - Checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0611 12:08:44.691687 1 router.go:579] template "msg"="router reloaded" "output"=" - Checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0611 12:08:49.687324 1 router.go:579] template "msg"="router reloaded" "output"=" - Checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0611 12:09:46.587138 1 router.go:579] template "msg"="router reloaded" "output"=" - Checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"

haproxy configuration file with the "acl" txt file added:
backend be_http:test1:service-unsecure
  mode http
  option redispatch
  option forwardfor
  balance leastconn
  acl whitelist src -f /var/lib/haproxy/router/whitelists/test1:service-unsecure.txt
  tcp-request content reject if !whitelist
-------
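An added example, not the OpenShift router's code and not part of the comment above: a hypothetical `renderWhitelist` helper validates an `ip_whitelist` annotation value and emits either an inline ACL or the file-backed `src -f` form shown in the configuration above. Treating 64 entries as the switch-over point is an assumption taken from the count in this report; the function name and the fail-closed error handling are also assumptions.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// 64 is the count from the bug report; using it as the switch-over is an assumption.
const inlineLimit = 64

// renderWhitelist (hypothetical) validates an ip_whitelist value and returns the
// backend ACL lines plus, for long lists, the contents of a separate ACL file.
func renderWhitelist(backend, annotation string) (cfg []string, file string, err error) {
	entries := strings.Fields(annotation)
	if len(entries) == 0 {
		return nil, "", fmt.Errorf("empty whitelist")
	}
	for _, e := range entries {
		if net.ParseIP(e) != nil {
			continue // bare address
		}
		if _, _, perr := net.ParseCIDR(e); perr != nil {
			return nil, "", fmt.Errorf("invalid whitelist entry %q", e) // fail closed
		}
	}
	if len(entries) <= inlineLimit {
		cfg = append(cfg, "acl whitelist src "+strings.Join(entries, " "))
	} else {
		path := "/var/lib/haproxy/router/whitelists/" + backend + ".txt"
		cfg = append(cfg, "acl whitelist src -f "+path)
		file = strings.Join(entries, "\n") + "\n" // one entry per line
	}
	cfg = append(cfg, "tcp-request content reject if !whitelist")
	return cfg, file, nil
}

func main() {
	// Constructed input: 150 /24 networks, matching the annotation used above.
	var nets []string
	for i := 0; i < 150; i++ {
		nets = append(nets, fmt.Sprintf("192.168.%d.0/24", i))
	}
	cfg, file, err := renderWhitelist("test1:service-unsecure", strings.Join(nets, " "))
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s\n(%d entries in ACL file)\n", strings.Join(cfg, "\n"), strings.Count(file, "\n"))
}
```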
The bug has already been verified via pre-merge workflow. Hence manually setting the status to reflect the same.
OpenShift engineering has decided to not ship Red Hat OpenShift Container Platform 4.7.17 due to a regression https://bugzilla.redhat.com/show_bug.cgi?id=1973006. All the fixes which were part of 4.7.17 will be now part of 4.7.18 and planned to be available in candidate channel on June 23 2021 and in fast channel on June 28th.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.7.18 bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:2502