Bug 1989423 - Enable back `[sig-network-edge][Conformance][Area:Networking][Feature:Router] The HAProxy router should be able to connect to a service that is idled because a GET on the route will unidle it`
Summary: Enable back `[sig-network-edge][Conformance][Area:Networking][Feature:Router]...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.9
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: 4.9.0
Assignee: jamo luhrsen
QA Contact: Ying Wang
URL:
Whiteboard:
Duplicates: 1995505 (view as bug list)
Depends On: 1996160
Blocks:
 
Reported: 2021-08-03 08:11 UTC by Maciej Szulik
Modified: 2021-10-18 17:44 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-10-18 17:44:09 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift origin pull 26405 0 None None None 2021-08-31 16:18:28 UTC
Red Hat Product Errata RHSA-2021:3759 0 None None None 2021-10-18 17:44:18 UTC

Description Maciej Szulik 2021-08-03 08:11:21 UTC
To land k8s bump (https://github.com/openshift/kubernetes/pull/862) I've disabled:
- `[sig-network-edge][Conformance][Area:Networking][Feature:Router] The HAProxy router should be able to connect to a service that is idled because a GET on the route will unidle it`

in openshift/origin

Additional info:

It looks like endpoints write access was removed in https://github.com/kubernetes/kubernetes/pull/103704 to partially prevent https://github.com/kubernetes/kubernetes/issues/103675; we need to figure out how we want to handle this one.

Comment 1 Dan Winship 2021-08-20 17:52:15 UTC
(In reply to Maciej Szulik from comment #0)
> It looks like endpoints write access was removed in
> https://github.com/kubernetes/kubernetes/pull/103704 to partially prevent
> https://github.com/kubernetes/kubernetes/issues/103675 we need to figure out
> how we want to handle this one.

OCP should not be vulnerable to that CVE anyway because of the RestrictedEndpointsController

cluster-kube-apiserver-operator observes the cluster configuration to mark all pod and service CIDRs as restricted: https://github.com/openshift/cluster-kube-apiserver-operator/blob/master/pkg/operator/configobservation/network/observe_network.go#L53

and then kube-apiserver rejects Endpoints creation/modification by non-cluster-admin users if the Endpoints points to a restricted IP.

Of course, we need to be doing that for EndpointSlice now too...
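The policy Dan describes (Endpoints or EndpointSlice writes that point into the pod or service CIDRs are rejected unless the caller is a cluster admin) can be illustrated with a small standalone checker. The code below is an added example written for this page; it is not the code of cluster-kube-apiserver-operator or of kube-apiserver's admission plugin. It assumes the restricted ranges are supplied as CIDR strings (the sample values 10.128.0.0/14 and 172.30.0.0/16 are constructed, chosen to match the pod and service IPs seen later in this bug) and that the caller has already decided whether the requesting user is a cluster admin; the real implementation derives that from the cluster configuration and the authorizer.

```go
package main

import (
	"fmt"
	"net"
)

// RestrictedEndpointsChecker holds the CIDRs into which ordinary users may not
// point Endpoints/EndpointSlice addresses. Illustrative code, not OpenShift's own.
type RestrictedEndpointsChecker struct {
	restricted []*net.IPNet
}

// NewRestrictedEndpointsChecker parses the restricted CIDR list (in OpenShift these
// are the cluster's pod and service networks, as observed by the operator).
func NewRestrictedEndpointsChecker(cidrs []string) (*RestrictedEndpointsChecker, error) {
	c := &RestrictedEndpointsChecker{}
	for _, s := range cidrs {
		_, n, err := net.ParseCIDR(s)
		if err != nil {
			return nil, fmt.Errorf("bad restricted CIDR %q: %w", s, err)
		}
		c.restricted = append(c.restricted, n)
	}
	return c, nil
}

// Check rejects a write when a non-admin request references any IP inside a
// restricted range. Both Endpoints (subsets[].addresses[].ip) and EndpointSlice
// (endpoints[].addresses[]) reduce to a list of IP strings, so one check serves both,
// which is the point of the "we need to do this for EndpointSlice too" remark.
// isClusterAdmin is an assumed input here; kube-apiserver consults its authorizer.
func (c *RestrictedEndpointsChecker) Check(addresses []string, isClusterAdmin bool) error {
	if isClusterAdmin {
		return nil
	}
	for _, a := range addresses {
		ip := net.ParseIP(a)
		if ip == nil {
			// Fail closed: an unparsable address is never silently accepted.
			return fmt.Errorf("invalid endpoint address %q", a)
		}
		for _, n := range c.restricted {
			if n.Contains(ip) {
				return fmt.Errorf("address %s is in restricted range %s; only cluster admins may reference it", a, n)
			}
		}
	}
	return nil
}

func main() {
	// Constructed sample ranges: OpenShift-style pod and service networks.
	c, err := NewRestrictedEndpointsChecker([]string{"10.128.0.0/14", "172.30.0.0/16"})
	if err != nil {
		panic(err)
	}
	// A pod IP like the ones listed under "Endpoints:" in comment 8.
	fmt.Println("non-admin, pod IP:   ", c.Check([]string{"10.128.2.80"}, false))
	fmt.Println("admin, pod IP:       ", c.Check([]string{"10.128.2.80"}, true))
	// An address outside the cluster networks is allowed for everyone.
	fmt.Println("non-admin, external: ", c.Check([]string{"192.0.2.10"}, false))
}
```

The admin bypass is what lets cluster components such as the unidling machinery keep writing Endpoints for cluster-internal pod IPs while the same write from a tenant namespace is refused.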

Comment 2 Alexander Constantinescu 2021-08-23 15:05:35 UTC
*** Bug 1995505 has been marked as a duplicate of this bug. ***

Comment 3 Dan Winship 2021-08-25 19:26:56 UTC
*** Bug 1995505 has been marked as a duplicate of this bug. ***

Comment 4 Dan Winship 2021-08-31 15:08:05 UTC
Sorry, I screwed up the bug tracking on this and there ended up being no bug for "re-enable Endpoints permissions". But that's re-enabled now (https://github.com/openshift/kubernetes/pull/908), so this bug should be able to move forward.

Comment 8 Ying Wang 2021-09-02 11:13:43 UTC
Checked on version 4.9.0-0.nightly-2021-09-01-193941: created a service and idled it. After sending traffic to this service, it can be unidled.

% oc get service
NAME           TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)     AGE
test-service   ClusterIP   172.30.200.28   <none>        27017/TCP   9m49s

% oc get pods     
NAME            READY   STATUS    RESTARTS   AGE
hello-pod       1/1     Running   0          9m53s
test-rc-9nvv9   1/1     Running   0          5m59s
test-rc-cjdmz   1/1     Running   0          5m59s
% oc idle test-service
WARNING: idling when network policies are in place may cause connections to bypass network policy entirely
The service "yckg4/test-service" has been marked as idled 
The service will unidle ReplicationController "yckg4/test-rc" to 2 replicas once it receives traffic 
ReplicationController "yckg4/test-rc" has been idled 
% oc get service
NAME           TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)     AGE
test-service   ClusterIP   172.30.200.28   <none>        27017/TCP   10m
% oc describe service
Name:              test-service
Namespace:         yckg4
Labels:            name=test-service
Annotations:       idling.alpha.openshift.io/idled-at: 2021-09-02T11:08:28Z
                   idling.alpha.openshift.io/unidle-targets: [{"kind":"ReplicationController","name":"test-rc","replicas":2}]
Selector:          name=test-pods
Type:              ClusterIP
IP Family Policy:  SingleStack
IP Families:       IPv4
IP:                172.30.200.28
IPs:               172.30.200.28
Port:              http  27017/TCP
TargetPort:        8080/TCP
Endpoints:         <none>
Session Affinity:  None
Events:            <none>
% oc get pods
NAME        READY   STATUS    RESTARTS   AGE
hello-pod   1/1     Running   0          10m
% oc exec hello-pod  -i -- /usr/bin/curl --connect-timeout 30 172.30.200.28:27017
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:--  0:00:02 --:--:--     0Hello OpenShift!
100    17  100    17    0     0      6      0  0:00:02  0:00:02 --:--:--     6
% oc get pods
NAME            READY   STATUS    RESTARTS   AGE
hello-pod       1/1     Running   0          11m
test-rc-bcj8r   1/1     Running   0          6s
test-rc-zmr2s   1/1     Running   0          6s
% oc get service
NAME           TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)     AGE
test-service   ClusterIP   172.30.200.28   <none>        27017/TCP   11m
% oc describe service
Name:              test-service
Namespace:         yckg4
Labels:            name=test-service
Annotations:       <none>
Selector:          name=test-pods
Type:              ClusterIP
IP Family Policy:  SingleStack
IP Families:       IPv4
IP:                172.30.200.28
IPs:               172.30.200.28
Port:              http  27017/TCP
TargetPort:        8080/TCP
Endpoints:         10.128.2.80:8080,10.131.0.46:8080
Session Affinity:  None
Events:            <none>

% oc version
Client Version: 4.9.0-0.nightly-2021-08-18-144658
Server Version: 4.9.0-0.nightly-2021-09-01-193941
Kubernetes Version: v1.22.0-rc.0+bbcc9ae

Comment 11 errata-xmlrpc 2021-10-18 17:44:09 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:3759

