Bug 1984565 - Ipv6 IP addresses are not accepted for whitelisting
Summary: Ipv6 IP addresses are not accepted for whitelisting
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Routing
Version: 4.4
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ---
: 4.8.z
Assignee: Andrey Lebedev
QA Contact: Arvind iyengar
URL:
Whiteboard:
Depends On: 1964482
Blocks: 1994645
TreeView+ depends on / blocked
 
Reported: 2021-07-21 16:07 UTC by OpenShift BugZilla Robot
Modified: 2021-08-17 15:45 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-08-10 11:28:24 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift router pull 321 0 None open [release-4.8] Bug 1984565: config template: accept IPv6 IPs for whitelisting 2021-07-22 17:48:20 UTC
Red Hat Product Errata RHSA-2021:2983 0 None None None 2021-08-10 11:29:27 UTC

Comment 1 Arvind iyengar 2021-07-28 13:52:07 UTC
Verified in "4.8.0-0.ci.test-2021-07-28-122806-ci-ln-1kfykdt-latest" version. With this version, it is observed that the ipv6 whitelist configuration gets added in the router backend for which the annotation is applied:
------
oc get clusterversion                        
NAME      VERSION                                                  AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.8.0-0.ci.test-2021-07-28-122806-ci-ln-1kfykdt-latest   True        False         29m     Cluster version is 4.8.0-0.ci.test-2021-07-28-122806-ci-ln-1kfykdt-latest

oc get route service-unsecure -o yaml  
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  annotations:
    haproxy.router.openshift.io/ip_whitelist: 2600:14a0::/40
    openshift.io/host.generated: "true"
  creationTimestamp: "2021-07-28T13:38:06Z"
  labels:
    name: service-unsecure
  name: service-unsecure
  namespace: test1
  resourceVersion: "47701"
  uid: eab5deed-967b-4d02-a278-f4b986a9dcf0


haproxy pod:
backend be_http:test1:service-unsecure
  mode http
  option redispatch
  option forwardfor
  balance
  acl whitelist src 2600:14a0::/40
  tcp-request content reject if !whitelist <-----
------

Comment 5 errata-xmlrpc 2021-08-10 11:28:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.4 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2983


Note You need to log in before you can comment on or make changes to this bug.