Bug 1971013 - Bulk adding of CIDR IPS to whitelist is not working
Summary: Bulk adding of CIDR IPS to whitelist is not working
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.4
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
: 4.6.z
Assignee: Andrey Lebedev
QA Contact: Arvind iyengar
URL:
Whiteboard:
Depends On: 1967733
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-06-11 16:29 UTC by OpenShift BugZilla Robot
Modified: 2022-08-04 22:32 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-06-29 06:26:18 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift router pull 303 0 None open [release-4.6] Bug 1971013: template helper - generateHAProxyWhiteListFile, use right arg type 2021-06-11 19:32:10 UTC
Red Hat Product Errata RHBA-2021:2498 0 None None None 2021-06-29 06:26:21 UTC

Comment 1 Arvind iyengar 2021-06-15 05:24:08 UTC
verified in "4.6.0-0.ci.test-2021-06-15-041108-ci-ln-p8xsnmt-latest" version. With this payload, it is observed that the router not fails when processing single routes with more than 64 whitelisted IPs:
-------
NAME      VERSION                                                  AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.6.0-0.ci.test-2021-06-15-041108-ci-ln-p8xsnmt-latest   True        False         29m     Cluster version is 4.6.0-0.ci.test-2021-06-15-041108-ci-ln-p8xsnmt-latest


oc annotate route service-unsecure haproxy.router.openshift.io/ip_whitelist="192.168.0.0/24 192.168.1.0/24 192.168.2.0/24 192.168.3.0/24 192.168.4.0/24 192.168.5.0/24 192.168.6.0/24 192.168.7.0/24 192.168.8.0/24 192.168.9.0/24 192.168.10.0/24 192.168.11.0/24 192.168.12.0/24 192.168.13.0/24 192.168.14.0/24 192.168.15.0/24 192.168.16.0/24 192.168.17.0/24 192.168.18.0/24 192.168.19.0/24 192.168.20.0/24 192.168.21.0/24 192.168.22.0/24 192.168.23.0/24 192.168.24.0/24 192.168.25.0/24 192.168.26.0/24 192.168.27.0/24 192.168.28.0/24 192.168.29.0/24 192.168.30.0/24 192.168.31.0/24 192.168.32.0/24 192.168.33.0/24 192.168.34.0/24 192.168.35.0/24 192.168.36.0/24 192.168.37.0/24 192.168.38.0/24 192.168.39.0/24 192.168.40.0/24 192.168.41.0/24 192.168.42.0/24 192.168.43.0/24 192.168.44.0/24 192.168.45.0/24 192.168.46.0/24 192.168.47.0/24 192.168.48.0/24 192.168.49.0/24 192.168.50.0/24 192.168.51.0/24 192.168.52.0/24 192.168.53.0/24 192.168.54.0/24 192.168.55.0/24 192.168.56.0/24 192.168.57.0/24 192.168.58.0/24 192.168.59.0/24 192.168.60.0/24 192.168.61.0/24 192.168.62.0/24 192.168.63.0/24 192.168.64.0/24 192.168.65.0/24 192.168.66.0/24 192.168.67.0/24 192.168.68.0/24 192.168.69.0/24 192.168.70.0/24 192.168.71.0/24 192.168.72.0/24 192.168.73.0/24 192.168.74.0/24 192.168.75.0/24 192.168.76.0/24 192.168.77.0/24 192.168.78.0/24 192.168.79.0/24 192.168.80.0/24 192.168.81.0/24 192.168.82.0/24 192.168.83.0/24 192.168.84.0/24 192.168.85.0/24 192.168.86.0/24 192.168.87.0/24 192.168.88.0/24 192.168.89.0/24 192.168.90.0/24 192.168.91.0/24 192.168.92.0/24 192.168.93.0/24 192.168.94.0/24 192.168.95.0/24 192.168.96.0/24 192.168.97.0/24 192.168.98.0/24 192.168.99.0/24 192.168.100.0/24 192.168.101.0/24 192.168.102.0/24 192.168.103.0/24 192.168.104.0/24 192.168.105.0/24 192.168.106.0/24 192.168.107.0/24 192.168.108.0/24 192.168.109.0/24 192.168.110.0/24 192.168.111.0/24 192.168.112.0/24 192.168.113.0/24 192.168.114.0/24 192.168.115.0/24 192.168.116.0/24 192.168.117.0/24 192.168.118.0/24 192.168.119.0/24 192.168.120.0/24 192.168.121.0/24 192.168.122.0/24 192.168.123.0/24 192.168.124.0/24 192.168.125.0/24 192.168.126.0/24 192.168.127.0/24 192.168.128.0/24 192.168.129.0/24 192.168.130.0/24 192.168.131.0/24 192.168.132.0/24 192.168.133.0/24 192.168.134.0/24 192.168.135.0/24 192.168.136.0/24 192.168.137.0/24 192.168.138.0/24 192.168.139.0/24 192.168.140.0/24 192.168.141.0/24 192.168.142.0/24 192.168.143.0/24 192.168.144.0/24 192.168.145.0/24 192.168.146.0/24 192.168.147.0/24 192.168.148.0/24 192.168.149.0/24"
route.route.openshift.io/service-unsecure annotated

oc get route service-unsecure -o yaml
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  annotations:
    haproxy.router.openshift.io/ip_whitelist: 192.168.0.0/24 192.168.1.0/24 192.168.2.0/24
      192.168.3.0/24 192.168.4.0/24 192.168.5.0/24 192.168.6.0/24 192.168.7.0/24 192.168.8.0/24
      192.168.9.0/24 192.168.10.0/24 192.168.11.0/24 192.168.12.0/24 192.168.13.0/24
      192.168.14.0/24 192.168.15.0/24 192.168.16.0/24 192.168.17.0/24 192.168.18.0/24
      192.168.19.0/24 192.168.20.0/24 192.168.21.0/24 192.168.22.0/24 192.168.23.0/24
      192.168.24.0/24 192.168.25.0/24 192.168.26.0/24 192.168.27.0/24 192.168.28.0/24
      192.168.29.0/24 192.168.30.0/24 192.168.31.0/24 192.168.32.0/24 192.168.33.0/24
      192.168.34.0/24 192.168.35.0/24 192.168.36.0/24 192.168.37.0/24 192.168.38.0/24
      192.168.39.0/24 192.168.40.0/24 192.168.41.0/24 192.168.42.0/24 192.168.43.0/24
      192.168.44.0/24 192.168.45.0/24 192.168.46.0/24 192.168.47.0/24 192.168.48.0/24
      192.168.49.0/24 192.168.50.0/24 192.168.51.0/24 192.168.52.0/24 192.168.53.0/24
      192.168.54.0/24 192.168.55.0/24 192.168.56.0/24 192.168.57.0/24 192.168.58.0/24
      192.168.59.0/24 192.168.60.0/24 192.168.61.0/24 192.168.62.0/24 192.168.63.0/24
      192.168.64.0/24 192.168.65.0/24 192.168.66.0/24 192.168.67.0/24 192.168.68.0/24
      192.168.69.0/24 192.168.70.0/24 192.168.71.0/24 192.168.72.0/24 192.168.73.0/24
      192.168.74.0/24 192.168.75.0/24 192.168.76.0/24 192.168.77.0/24 192.168.78.0/24
      192.168.79.0/24 192.168.80.0/24 192.168.81.0/24 192.168.82.0/24 192.168.83.0/24
      192.168.84.0/24 192.168.85.0/24 192.168.86.0/24 192.168.87.0/24 192.168.88.0/24
      192.168.89.0/24 192.168.90.0/24 192.168.91.0/24 192.168.92.0/24 192.168.93.0/24
      192.168.94.0/24 192.168.95.0/24 192.168.96.0/24 192.168.97.0/24 192.168.98.0/24
      192.168.99.0/24 192.168.100.0/24 192.168.101.0/24 192.168.102.0/24 192.168.103.0/24
      192.168.104.0/24 192.168.105.0/24 192.168.106.0/24 192.168.107.0/24 192.168.108.0/24
      192.168.109.0/24 192.168.110.0/24 192.168.111.0/24 192.168.112.0/24 192.168.113.0/24
      192.168.114.0/24 192.168.115.0/24 192.168.116.0/24 192.168.117.0/24 192.168.118.0/24
      192.168.119.0/24 192.168.120.0/24 192.168.121.0/24 192.168.122.0/24 192.168.123.0/24
      192.168.124.0/24 192.168.125.0/24 192.168.126.0/24 192.168.127.0/24 192.168.128.0/24
      192.168.129.0/24 192.168.130.0/24 192.168.131.0/24 192.168.132.0/24 192.168.133.0/24
      192.168.134.0/24 192.168.135.0/24 192.168.136.0/24 192.168.137.0/24 192.168.138.0/24
      192.168.139.0/24 192.168.140.0/24 192.168.141.0/24 192.168.142.0/24 192.168.143.0/24
      192.168.144.0/24 192.168.145.0/24 192.168.146.0/24 192.168.147.0/24 192.168.148.0/24
      192.168.149.0/24
    openshift.io/host.generated: "true"
  creationTimestamp: "2021-06-15T05:08:38Z"
  labels:
    name: service-unsecure
  name: service-unsecure
  namespace: test1
  resourceVersion: "31845"
  selfLink: /apis/route.openshift.io/v1/namespaces/test1/routes/service-unsecure
  uid: ebacdf9e-4040-4121-95d5-cf89832d3d4a
spec:
  host: service-unsecure-test1.apps.ci-ln-p8xsnmt-f76d1.origin-ci-int-gce.dev.openshift.com
  port:
    targetPort: http
  to:
    kind: Service
    name: service-unsecure
    weight: 100
  wildcardPolicy: None
status:
  ingress:
  - conditions:
    - lastTransitionTime: "2021-06-15T05:08:39Z"
      status: "True"
      type: Admitted
    host: service-unsecure-test1.apps.ci-ln-p8xsnmt-f76d1.origin-ci-int-gce.dev.openshift.com
    routerCanonicalHostname: apps.ci-ln-p8xsnmt-f76d1.origin-ci-int-gce.dev.openshift.com
    routerName: default
    wildcardPolicy: None


Haproxy configuration file:
backend be_http:test1:service-unsecure
  mode http
  option redispatch
  option forwardfor
  balance leastconn
  acl whitelist src -f /var/lib/haproxy/router/whitelists/test1:service-unsecure.txt
  tcp-request content reject if !whitelist
-------

Comment 5 errata-xmlrpc 2021-06-29 06:26:18 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6.36 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:2498


Note You need to log in before you can comment on or make changes to this bug.