Description of problem:

When re-enabling tests after k8 rebase to 1.22.0 (https://bugzilla.redhat.com/show_bug.cgi?id=1986307):

[sig-network] Services should respect internalTrafficPolicy=Local Pod to Pod (hostNetwork: true) [Feature:ServiceInternalTrafficPolicy] [Suite:openshift/conformance/parallel] [Suite:k8s]
[sig-network] Services should respect internalTrafficPolicy=Local Pod (hostNetwork: true) to Pod (hostNetwork: true) [Feature:ServiceInternalTrafficPolicy] [Suite:openshift/conformance/parallel] [Suite:k8s]

I encountered two problems.

1) Pod has insufficient privileges to bind to hostport 80.

    ~ $ /agnhost netexec --http-port 80
    ~ $ /agnhost netexec --http-port 80
    2021/08/13 15:19:55 Started HTTP server on port 80
    2021/08/13 15:19:55 Started UDP server on port 8081
    2021/08/13 15:19:55 listen tcp :80: bind: permission denied

2) Comparison of FQDN and hostname fails

See test/e2e/network/service.go +2259 & +2341 - Calling execHostnameTest with node0.Name (FQDN) and then comparing with agnhost /hostname (hostname) (https://pkg.go.dev/k8s.io/kubernetes@v1.18.0-alpha.0/test/images/agnhost?readme=expanded#readme-serve-hostname) will fail on OCP.

Version-Release number of selected component (if applicable):
K8 1.22.0

How reproducible:
Build openshift-tests with k8 1.22 test cases (see PR on origin rebase-1.22.0-rc.0]). Test against nightly of ocp 4.9.

I have produced two fixes that enable the test cases to pass for upstream k8:
Issue 1: https://github.com/martinkennelly/kubernetes/tree/fix_local_test_bind_denied
Issue 2: https://github.com/martinkennelly/kubernetes/tree/fix_fqdn_hostname_mismatch
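Problem 2 in the description above (a node name that is an FQDN compared against a short hostname) can be illustrated with a tolerant comparison. This is an added example, not code from the bug report or from the upstream fix; the helper names and the sample host names are assumptions made up for illustration.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// normalize lower-cases a name and drops surrounding space and a trailing root dot.
func normalize(name string) string {
	return strings.ToLower(strings.TrimSuffix(strings.TrimSpace(name), "."))
}

// firstLabel returns the part of a DNS name before the first dot.
func firstLabel(name string) string {
	if i := strings.IndexByte(name, '.'); i >= 0 {
		return name[:i]
	}
	return name
}

// sameHost reports whether nodeName (possibly an FQDN) and reported
// (what a /hostname style endpoint returned) name the same host.
// Hypothetical helper, not part of the Kubernetes e2e framework.
func sameHost(nodeName, reported string) bool {
	a, b := normalize(nodeName), normalize(reported)
	if a == "" || b == "" {
		return false
	}
	if a == b {
		return true
	}
	// IP literals are not DNS names: "10.0.0.5" must not match "10".
	if net.ParseIP(a) != nil || net.ParseIP(b) != nil {
		return false
	}
	// Two different FQDNs are different hosts even if the first label agrees.
	if strings.Contains(a, ".") && strings.Contains(b, ".") {
		return false
	}
	return firstLabel(a) == firstLabel(b)
}

func main() {
	// Constructed sample names, not taken from the bug report.
	fmt.Println(sameHost("node0.cluster.example", "node0"))
	fmt.Println(sameHost("node0.a.example", "node0.b.example"))
}
```

Falling back to the first label only when one side is a short name keeps the check from treating hosts in different domains as the same node.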
For issue 1 - Either we increase pod privileges or up the port number above 1024. I went for the latter. I will disable the two test cases until upstream is resolved.
Fixes look good, though I'd add a comment to the code in the second one rather than only explaining in the commit message.

Can you push those PRs upstream and link to the PRs from here so I'll see them? Then once it merges upstream you'll need to cherry-pick them into https://github.com/openshift/kubernetes, as explained in the README.openshift.md there.
(Though cherry-picking them is only relevant if we're actually planning to enable the alpha feature gate in 4.9, which I guess we probably aren't, so probably you don't actually have to do that.)
Comment added to code.

PRs:
1) Pod has insufficient privileges to bind to hostport 80.
https://github.com/kubernetes/kubernetes/pull/104409
2) Comparison of FQDN and hostname fails
https://github.com/kubernetes/kubernetes/pull/104408

Yes, but I may as well do this when it's merged so we have it done for the future.
(In reply to Martin Kennelly from comment #4)
> Yes, but I may as well do this when it's merged so we have it done for the
> future.

If we don't need the fix until OCP 4.10 then it doesn't have to be cherry-picked, because it will get pulled in as part of the rebase to kube 1.23.
Dan, isn't OCP 4.9 based on k8 1.22 and therefore this feature is in beta? https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/ Therefore we need to cherry-pick back the fixes.
Missing from this BZ was test case: "[sig-network] Services should respect internalTrafficPolicy=Local Pod (hostNetwork: true) to Pod [Feature:ServiceInternalTrafficPolicy]" This was also disabled due to upstream fix here: https://github.com/kubernetes/kubernetes/pull/104409/
Ah, kube_features.go claims it's still alpha in the comment:

    // owner: @maplain @andrewsykim
    // kep: http://kep.k8s.io/2086
    // alpha: v1.21
    //
    // Enables node-local routing for Service internal traffic
    ServiceInternalTrafficPolicy featuregate.Feature = "ServiceInternalTrafficPolicy"

but sets it to beta in defaultKubernetesFeatureGates:

    ServiceInternalTrafficPolicy: {Default: true, PreRelease: featuregate.Beta},

so it looks like they forgot to update the comment. So yes, it would be good to cherry-pick the fixes. (And maybe also fix the comment upstream to indicate its status correctly.)