Bug 1988426 - [4.7] drop-icmp pod blocks direct SSH access to cluster nodes
Summary: [4.7] drop-icmp pod blocks direct SSH access to cluster nodes
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.7
Hardware: x86_64
OS: Linux
urgent
urgent
Target Milestone: ---
: 4.7.z
Assignee: mcambria@redhat.com
QA Contact: zhaozhanqi
URL:
Whiteboard:
Depends On: 1988425
Blocks: 1988427
TreeView+ depends on / blocked
 
Reported: 2021-07-30 14:04 UTC by mcambria@redhat.com
Modified: 2021-10-05 02:11 UTC (History)
10 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1984449
Environment:
Last Closed: 2021-09-01 18:23:56 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift cluster-network-operator pull 1170 0 None None None 2021-08-17 05:43:53 UTC
Red Hat Product Errata RHSA-2021:3262 0 None None None 2021-09-01 18:24:21 UTC

Comment 2 zhaozhanqi 2021-08-20 03:17:43 UTC
Verified this bug on 4.7.0-0.nightly-2021-08-19-235306

sh-4.4# ssh -i ca.pem core@10.0.0.5
The authenticity of host '10.0.0.5 (10.0.0.5)' can't be established.
ECDSA key fingerprint is SHA256:JrM2oyJKh3UX0+toqeLl2S1dGQLQ2+mzshMQg1W8ZL0.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.0.0.5' (ECDSA) to the list of known hosts.
Red Hat Enterprise Linux CoreOS 47.84.202108181031-0
  Part of OpenShift 4.7, RHCOS is a Kubernetes native operating system
  managed by the Machine Config Operator (`clusteroperator/machine-config`).

WARNING: Direct SSH access to machines is not recommended; instead,
make configuration changes via `machineconfig` objects:
  https://docs.openshift.com/container-platform/4.7/architecture/architecture-rhcos.html

---
[core@zzhaoazure47-twdtz-master-1 ~]$ sudo -i
[root@zzhaoazure47-twdtz-master-1 ~]# iptables-save | grep AZUR 
:AZURE_CHECK_ICMP_SOURCE - [0:0]
:AZURE_ICMP_ACTION - [0:0]
-A INPUT -p icmp -m icmp --icmp-type 3/4 -j AZURE_CHECK_ICMP_SOURCE
-A AZURE_CHECK_ICMP_SOURCE -s 10.0.0.6/32 -p icmp -j AZURE_ICMP_ACTION
-A AZURE_CHECK_ICMP_SOURCE -s 10.0.0.7/32 -p icmp -j AZURE_ICMP_ACTION
-A AZURE_CHECK_ICMP_SOURCE -s 10.0.0.5/32 -p icmp -j AZURE_ICMP_ACTION
-A AZURE_CHECK_ICMP_SOURCE -s 10.0.32.4/32 -p icmp -j AZURE_ICMP_ACTION
-A AZURE_CHECK_ICMP_SOURCE -s 10.0.32.6/32 -p icmp -j AZURE_ICMP_ACTION
-A AZURE_CHECK_ICMP_SOURCE -s 10.0.32.5/32 -p icmp -j AZURE_ICMP_ACTION
-A AZURE_ICMP_ACTION -j LOG
-A AZURE_ICMP_ACTION -j DROP

Comment 5 errata-xmlrpc 2021-09-01 18:23:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: OpenShift Container Platform 4.7.28 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:3262


Note You need to log in before you can comment on or make changes to this bug.