Bug 1988324 - OVN-Kubernetes EgressFirewall block API server , every egress firewall must allow essential accesses like the API endpoints [NEEDINFO]
Summary: OVN-Kubernetes EgressFirewall block API server , every egress firewall must a...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Documentation
Version: 4.7
Hardware: Unspecified
OS: Linux
high
high
Target Milestone: ---
: ---
Assignee: Jason Boxman
QA Contact: huirwang
Vikram Goyal
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-07-30 10:21 UTC by Immanuvel
Modified: 2022-07-29 11:07 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-11-24 12:22:33 UTC
Target Upstream Version:
huirwang: needinfo? (jtanenba)


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift openshift-docs pull 35311 0 None None None 2021-08-06 22:43:32 UTC

Description Immanuvel 2021-07-30 10:21:42 UTC
Document URL: https://access.redhat.com/documentation/en-us/openshift_container_platform/4.7/html/networking/ovn-kubernetes-default-cni-network-provider

Section Number and Name: 
14.2.2. Migrating to the OVN-Kubernetes default CNI network provider


Describe the issue: 

Customer followed the instructions to switch the SDN on our OpenShift 4.7 cluster to OVN-Kubernetes. Everything went fine until he converted  his EgressNetworkPolicy objects to EgressFirewall and then some components started failing to speak to the API server (including builds hanging).

1. On both customer old AWS cluster (4.7) that he converted to OVN-Kubernetes and a brand new AWS cluster (4.7) when he created EgressFirewall objects with a whitelist of allowed IPs access to the API server is blocked from pods in that projects. This is different to be behaviour of EgressNetworkPolicy, where access to the API server was implicitly granted. With EgressFirewall he need to manually add the IP addresses of the API servers, which is not documented and possibly fragile as they may change in the future.

2. This is quite difficult for him to do as the cluster is disconnected, but can supply a smaller amount of output.

3. EgressNetworkPolicy always allowed access to the API server. EgressFirewall doesn't. Therefore the two are not compatible. At the very least there needs to be a warning in the documentation.

Pablo Alonso Rodriguez also did some test in the cluster  but the connection to the API fails , so confirmed the issue is there even for us 

Suggestions for improvement: Needs some good explanation and describes about the compatibility , at least we need to  have some warning  message in the documentation 

Additional information:

Comment 4 Jason Boxman 2021-08-06 20:21:30 UTC
I've created a PR[0] to include this in the product documentation. Did I suggest the correct IP ranges? Does a user need to interrogate their cluster for their own specific IP address ranges for this? Thanks!

[0] https://github.com/openshift/openshift-docs/pull/35311

Comment 7 Immanuvel 2021-08-16 08:37:24 UTC
Hi Team,

Do we have  any concrete update on this please ?  so that i can  update  to the customer for the same 

The Doc needs to be updated but we also have  bug for OVN egressfirewall, as Huiran Wang mentioned API service IP should not be blocked by egressfirewall 

Thanks in Advance for your help

Regards
IMMANUVEL M

Comment 10 Mridul Markandey 2021-11-23 17:49:44 UTC
Hello Team,

I have a customer who has tried to implement the EgressNetworkPolicy in their OVN cluster by referring to the official documentation[1]. As per the workaround suggested in this Bugzilla, we have to manually add the IP address range that the API servers listen on in the egress firewall rules. But this is only a workaround and not a fix for the issue for which this Bugzilla was raised. A proper resolution of the Bugzilla could be a "solution of errata" so that in the upcoming versions, the customers don't have to manually do this task of adding IP address ranges. So, can you please let me know what is the present status of the Bugzilla? Are we still working on this issue? Any expected timeline, when this issue will be resolved? 

[1] https://docs.openshift.com/container-platform/4.8/networking/openshift_sdn/configuring-egress-firewall.html#nw-egressnetworkpolicy-about_openshift-sdn-egress-firewall

Let me know if you need any further data from the customer's environment? 

Regards,
Mridul Markandey

Comment 11 Jason Boxman 2021-11-24 00:30:26 UTC
Hi,

So it looks like the actual software fix for this is tracked in a separate BZ[0]. This BZ is related specifically to the documentation update, which is complete.

[0] https://bugzilla.redhat.com/show_bug.cgi?id=1993841

Comment 12 Mridul Markandey 2021-11-24 12:22:33 UTC
Hi Team,

@Jason, Thank you for your proactive response and for sharing the correct link. As this BZ is related to the documentation update, which was completed, you can close this BZ.

Appreciate your kind efforts.

Regards,
Mridul Markandey


Note You need to log in before you can comment on or make changes to this bug.