Bug 1988324 - OVN-Kubernetes EgressFirewall block API server , every egress firewall must allow essential accesses like the API endpoints [NEEDINFO]
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Documentation
Version: 4.7
Hardware: Unspecified
OS: Linux
Target Milestone: ---
Assignee: Jason Boxman
QA Contact: huirwang
Vikram Goyal
Depends On:
Reported: 2021-07-30 10:21 UTC by Immanuvel
Modified: 2021-09-15 03:06 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed:
Target Upstream Version:
huirwang: needinfo? (jtanenba)


System ID Private Priority Status Summary Last Updated
Github openshift openshift-docs pull 35311 0 None None None 2021-08-06 22:43:32 UTC

Description Immanuvel 2021-07-30 10:21:42 UTC
Document URL: https://access.redhat.com/documentation/en-us/openshift_container_platform/4.7/html/networking/ovn-kubernetes-default-cni-network-provider

Section Number and Name: 
14.2.2. Migrating to the OVN-Kubernetes default CNI network provider

Describe the issue: 

Customer followed the instructions to switch the SDN on our OpenShift 4.7 cluster to OVN-Kubernetes. Everything went fine until he converted his EgressNetworkPolicy objects to EgressFirewall, and then some components started failing to speak to the API server (including builds hanging).

1. On both the customer's old AWS cluster (4.7) that he converted to OVN-Kubernetes and a brand new AWS cluster (4.7), when he created EgressFirewall objects with a whitelist of allowed IPs, access to the API server is blocked from pods in those projects. This is different to the behaviour of EgressNetworkPolicy, where access to the API server was implicitly granted. With EgressFirewall he needs to manually add the IP addresses of the API servers, which is not documented and possibly fragile as they may change in the future.

2. This is quite difficult for him to do as the cluster is disconnected, but can supply a smaller amount of output.

3. EgressNetworkPolicy always allowed access to the API server. EgressFirewall doesn't. Therefore the two are not compatible. At the very least there needs to be a warning in the documentation.

Pablo Alonso Rodriguez also did some tests in the cluster, but the connection to the API fails, so this confirmed the issue is there even for us.

Suggestions for improvement: Needs a good explanation and description of the compatibility; at the very least we need to have a warning message in the documentation.

Additional information:

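The workaround the report describes, rendered as an added example (not the bug reporter's, the openshift-docs PR's, or the product's own code): an EgressFirewall that explicitly allows the API server addresses before the customer's allow-list and the final deny. It assumes the `k8s.ovn.org/v1` EgressFirewall object named `default`, and that the addresses pods must reach are those listed in the `kubernetes` Endpoints object of the `default` namespace, which is why `apiserver_endpoint_ips` re-queries the cluster instead of hard-coding them (the reporter's "may change in the future" caveat).

```shell
#!/bin/sh
# Added example; assumptions: EgressFirewall in k8s.ovn.org/v1, object name
# "default", API server addresses taken from the "kubernetes" Endpoints object.

# Render an EgressFirewall manifest for namespace $1 that allows the caller's
# own CIDRs ($2, space-separated), allows each API server address ($3,
# space-separated IPs) as a /32, and denies everything else. Writes to stdout.
render_egress_firewall() {
  ns=$1
  allowed_cidrs=$2
  apiserver_ips=$3
  printf 'apiVersion: k8s.ovn.org/v1\nkind: EgressFirewall\nmetadata:\n'
  printf '  name: default\n  namespace: %s\nspec:\n  egress:\n' "$ns"
  for ip in $apiserver_ips; do
    # API server endpoint: re-render the manifest if the control plane changes
    printf '  - type: Allow\n    to:\n      cidrSelector: %s/32\n' "$ip"
  done
  for cidr in $allowed_cidrs; do
    printf '  - type: Allow\n    to:\n      cidrSelector: %s\n' "$cidr"
  done
  # Rules are evaluated in order, so the catch-all deny must come last.
  printf '  - type: Deny\n    to:\n      cidrSelector: 0.0.0.0/0\n'
}

# Look up the current API server endpoint IPs from a live cluster (needs oc).
apiserver_endpoint_ips() {
  oc get endpoints kubernetes -n default \
    -o jsonpath='{.subsets[*].addresses[*].ip}'
}

# Live usage (not run here):
#   render_egress_firewall my-project "192.0.2.0/24" "$(apiserver_endpoint_ips)" \
#     | oc apply -f -
```

Re-running the render after any control-plane change keeps the /32 rules in step with the cluster; the constructed addresses in the test below are placeholders, not values from the report.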
Comment 4 Jason Boxman 2021-08-06 20:21:30 UTC
I've created a PR[0] to include this in the product documentation. Did I suggest the correct IP ranges? Does a user need to interrogate their cluster for their own specific IP address ranges for this? Thanks!

[0] https://github.com/openshift/openshift-docs/pull/35311

Comment 7 Immanuvel 2021-08-16 08:37:24 UTC
Hi Team,

Do we have any concrete update on this please, so that I can update the customer on the same?

The doc needs to be updated, but we also have a bug for OVN EgressFirewall; as Huiran Wang mentioned, the API service IP should not be blocked by EgressFirewall.

Thanks in Advance for your help
