To land the k8s bump (https://github.com/openshift/kubernetes/pull/862) I've disabled:

- `[sig-network-edge][Conformance][Area:Networking][Feature:Router] The HAProxy router should be able to connect to a service that is idled because a GET on the route will unidle it` in openshift/origin

Additional info:

It looks like endpoints write access was removed in https://github.com/kubernetes/kubernetes/pull/103704 to partially prevent https://github.com/kubernetes/kubernetes/issues/103675; we need to figure out how we want to handle this one.
(In reply to Maciej Szulik from comment #0)
> It looks like endpoints write access was removed in
> https://github.com/kubernetes/kubernetes/pull/103704 to partially prevent
> https://github.com/kubernetes/kubernetes/issues/103675 we need to figure out
> how we want to handle this one.

OCP should not be vulnerable to that CVE anyway because of the RestrictedEndpointsController. cluster-kube-apiserver-operator observes the cluster configuration to mark all pod and service CIDRs as restricted:

https://github.com/openshift/cluster-kube-apiserver-operator/blob/master/pkg/operator/configobservation/network/observe_network.go#L53

and then kube-apiserver rejects Endpoints creation/modification by non-cluster-admin users if the Endpoints points to a restricted IP.

Of course, we need to be doing that for EndpointSlice now too...
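The check described in the comment above, as an added illustration that is not code from cluster-kube-apiserver-operator or kube-apiserver: a write to Endpoints (and, as the comment says should also be the case, EndpointSlice) is rejected for unprivileged users when any address falls inside a restricted pod or service CIDR, while privileged writers such as the endpoints controller are allowed through. The CIDRs, the `privileged` flag and the sample addresses are assumptions chosen to match the IPs seen later in this bug; on a real cluster the restricted ranges come from the observed network configuration.

```go
package main

import (
	"fmt"
	"net"
)

// Assumed restricted CIDRs (OpenShift-style pod and service networks). Not read
// from any cluster; the real operator derives these from the network config.
var restrictedCIDRs = mustParseCIDRs([]string{
	"10.128.0.0/14", // pod network (assumed)
	"172.30.0.0/16", // service network (assumed)
})

func mustParseCIDRs(cidrs []string) []*net.IPNet {
	out := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		out = append(out, n)
	}
	return out
}

// restrictedAddress returns the first address that lies inside a restricted
// CIDR, or "" if none does. An address that does not parse is reported as
// restricted so the check fails closed rather than open.
func restrictedAddress(addrs []string, restricted []*net.IPNet) string {
	for _, a := range addrs {
		ip := net.ParseIP(a)
		if ip == nil {
			return a
		}
		for _, n := range restricted {
			if n.Contains(ip) {
				return a
			}
		}
	}
	return ""
}

// Decision is the outcome of admitting one Endpoints/EndpointSlice write.
type Decision struct {
	Allowed bool
	Reason  string
}

// admitEndpointsWrite models the rule from the comment: privileged writers
// (cluster-admin, the endpoints controller) are always allowed; anyone else is
// allowed only when no address points into a restricted CIDR. The same rule is
// applied whatever the kind, so EndpointSlice gets the same treatment.
func admitEndpointsWrite(kind string, addrs []string, privileged bool) Decision {
	if privileged {
		return Decision{Allowed: true, Reason: "privileged writer"}
	}
	if bad := restrictedAddress(addrs, restrictedCIDRs); bad != "" {
		return Decision{
			Allowed: false,
			Reason:  fmt.Sprintf("%s address %q is in a restricted CIDR", kind, bad),
		}
	}
	return Decision{Allowed: true, Reason: "no restricted addresses"}
}

func main() {
	// Constructed sample writes, as an ordinary namespace user would attempt them.
	cases := []struct {
		kind  string
		addrs []string
		priv  bool
	}{
		{"Endpoints", []string{"172.30.200.28"}, false},   // service IP: reject
		{"Endpoints", []string{"10.128.2.80"}, false},     // pod IP: reject
		{"EndpointSlice", []string{"10.131.0.46"}, false}, // same rule for slices
		{"Endpoints", []string{"192.0.2.10"}, false},      // external IP: allow
		{"Endpoints", []string{"10.128.2.80"}, true},      // controller: allow
	}
	for _, c := range cases {
		d := admitEndpointsWrite(c.kind, c.addrs, c.priv)
		fmt.Printf("%-13s %-17v privileged=%-5v allowed=%-5v %s\n",
			c.kind, c.addrs, c.priv, d.Allowed, d.Reason)
	}
}
```

The rejection is what makes the upstream CVE moot here: an unprivileged user cannot point a Service at another tenant's pod IP or at a service IP by writing Endpoints directly, whichever object kind they write through, so restoring Endpoints write access to the router's unidling path does not reopen that hole.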
*** Bug 1995505 has been marked as a duplicate of this bug. ***
Sorry, I screwed up the bug tracking on this and there ended up being no bug for "re-enable Endpoints permissions". But that's re-enabled now (https://github.com/openshift/kubernetes/pull/908), so this bug should be able to move forward.
Verified this bug by checking https://prow.ci.openshift.org/view/gs/origin-ci-test/logs/periodic-ci-openshift-release-master-nightly-4.9-e2e-aws/1433153705493925888
Checked on version 4.9.0-0.nightly-2021-09-01-193941, created a service and idled it. After sending traffic to this service, it can be unidled.

% oc get service
NAME           TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)     AGE
test-service   ClusterIP   172.30.200.28   <none>        27017/TCP   9m49s

% oc get pods
NAME            READY   STATUS    RESTARTS   AGE
hello-pod       1/1     Running   0          9m53s
test-rc-9nvv9   1/1     Running   0          5m59s
test-rc-cjdmz   1/1     Running   0          5m59s

% oc idle test-service
WARNING: idling when network policies are in place may cause connections to bypass network policy entirely
The service "yckg4/test-service" has been marked as idled
The service will unidle ReplicationController "yckg4/test-rc" to 2 replicas once it receives traffic
ReplicationController "yckg4/test-rc" has been idled

% oc get service
NAME           TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)     AGE
test-service   ClusterIP   172.30.200.28   <none>        27017/TCP   10m

% oc describe service
Name:              test-service
Namespace:         yckg4
Labels:            name=test-service
Annotations:       idling.alpha.openshift.io/idled-at: 2021-09-02T11:08:28Z
                   idling.alpha.openshift.io/unidle-targets: [{"kind":"ReplicationController","name":"test-rc","replicas":2}]
Selector:          name=test-pods
Type:              ClusterIP
IP Family Policy:  SingleStack
IP Families:       IPv4
IP:                172.30.200.28
IPs:               172.30.200.28
Port:              http  27017/TCP
TargetPort:        8080/TCP
Endpoints:         <none>
Session Affinity:  None
Events:            <none>

% oc get pods
NAME        READY   STATUS    RESTARTS   AGE
hello-pod   1/1     Running   0          10m

% oc exec hello-pod -i -- /usr/bin/curl --connect-timeout 30 172.30.200.28:27017
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:--  0:00:02 --:--:--     0Hello OpenShift!
100    17  100    17    0     0      6      0  0:00:02  0:00:02 --:--:--     6

% oc get pods
NAME            READY   STATUS    RESTARTS   AGE
hello-pod       1/1     Running   0          11m
test-rc-bcj8r   1/1     Running   0          6s
test-rc-zmr2s   1/1     Running   0          6s

% oc get service
NAME           TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)     AGE
test-service   ClusterIP   172.30.200.28   <none>        27017/TCP   11m

% oc describe service
Name:              test-service
Namespace:         yckg4
Labels:            name=test-service
Annotations:       <none>
Selector:          name=test-pods
Type:              ClusterIP
IP Family Policy:  SingleStack
IP Families:       IPv4
IP:                172.30.200.28
IPs:               172.30.200.28
Port:              http  27017/TCP
TargetPort:        8080/TCP
Endpoints:         10.128.2.80:8080,10.131.0.46:8080
Session Affinity:  None
Events:            <none>

% oc version
Client Version: 4.9.0-0.nightly-2021-08-18-144658
Server Version: 4.9.0-0.nightly-2021-09-01-193941
Kubernetes Version: v1.22.0-rc.0+bbcc9ae
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:3759