Bug 2043807 - No way to verify if IPs with leading zeros are still valid in the apiserver
Summary: No way to verify if IPs with leading zeros are still valid in the apiserver
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: kube-apiserver
Version: 4.10
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: 4.9.z
Assignee: Antonio Ojea
QA Contact: Ke Wang
URL:
Whiteboard:
Depends On: 2042493
Blocks: 2043808
Reported: 2022-01-22 03:18 UTC by OpenShift BugZilla Robot
Modified: 2022-04-11 13:35 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-04-07 18:46:47 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Github openshift kubernetes pull 1134 0 None open [release-4.9] Bug 2043807: UPSTREAM 107564: kube-apiserver integration test: allow IPs with leading zeros on the API 2022-02-02 20:23:50 UTC
Github openshift kubernetes pull 1166 0 None open Bug 2043807: add deprecated parser build flag 2022-02-02 21:48:32 UTC
Github openshift oauth-apiserver pull 72 0 None open Bug 2043807: add deprecated parser build flag 2022-02-02 21:42:09 UTC
Github openshift openshift-apiserver pull 277 0 None open Bug 2043807: add deprecated parser build flag 2022-02-02 21:44:07 UTC
Red Hat Product Errata RHSA-2022:0561 0 None None None 2022-02-23 20:03:23 UTC

Comment 5 Ke Wang 2022-02-11 16:09:20 UTC
Verification steps:

$ cat test-svc.yaml 
apiVersion: v1
kind: Service
metadata:
  name: test
  namespace: default
spec:
  clusterIP: 172.30.001.008
  ports:
  - name: "80"
    port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: test
  type: ClusterIP


$ oc get clusterversion
NAME      VERSION   AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.9.21    True        False         11h     Cluster version is 4.9.21

$ oc apply -f test-svc.yaml --loglevel=9
...
I0212 00:03:57.051554   52759 request.go:1181] Response Body: {"kind":"Service","apiVersion":"v1","metadata":{"name":"test","namespace":"default","uid":"8f22524b-f608-4cb6-a19e-30e9f24e4def","resourceVersion":"222390","creationTimestamp":"2022-02-11T16:03:56Z","annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"v1\",\"kind\":\"Service\",\"metadata\":{\"annotations\":{},\"name\":\"test\",\"namespace\":\"default\"},\"spec\":{\"clusterIP\":\"172.30.001.008\",\"ports\":[{\"name\":\"80\",\"port\":80,\"protocol\":\"TCP\",\"targetPort\":80}],\"selector\":{\"app\":\"test\"},\"type\":\"ClusterIP\"}}\n"},"managedFields":[{"manager":"kubectl-client-side-apply","operation":"Update","apiVersion":"v1","time":"2022-02-11T16:03:56Z","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:kubectl.kubernetes.io/last-applied-configuration":{}}},"f:spec":{"f:clusterIP":{},"f:internalTrafficPolicy":{},"f:ports":{".":{},"k:{\"port\":80,\"protocol\":\"TCP\"}":{".":{},"f:name":{},"f:port":{},"f:protocol":{},"f:targetPort":{}}},"f:selector":{},"f:sessionAffinity":{},"f:type":{}}}}]},"spec":{"ports":[{"name":"80","protocol":"TCP","port":80,"targetPort":80}],"selector":{"app":"test"},"clusterIP":"172.30.001.008","clusterIPs":["172.30.001.008"],"type":"ClusterIP","sessionAffinity":"None","ipFamilies":["IPv4"],"ipFamilyPolicy":"SingleStack","internalTrafficPolicy":"Cluster"},"status":{"loadBalancer":{}}}
service/test created


$ oc get service test -n default
NAME   TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)   AGE
test   ClusterIP   172.30.001.008   <none>        80/TCP    37s

Based on the above, IPs with leading zeros are still valid in the apiserver.

Comment 8 errata-xmlrpc 2022-02-23 20:02:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.9.22 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0561

Comment 9 Abu Kashem 2022-04-06 12:38:54 UTC
Reopening it, since I see the unit test failing:


: Run test unit - container test	13m49s
k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/util/validation: TestIsValidIP	0s
{Failed  === RUN   TestIsValidIP
    validation_test.go:340: expected true for "1.1.1.01": [must be a valid IP address, (e.g. 10.9.8.7 or 2001:db8::ffff)]
--- FAIL: TestIsValidIP (0.00s)
}



https://prow.ci.openshift.org/view/gs/origin-ci-test/pr-logs/pull/openshift_kubernetes/1233/pull-ci-openshift-kubernetes-release-4.9-unit/1511357899316662272
It's blocking https://github.com/openshift/kubernetes/pull/1233. 

I do see the proper GOFLAGS in 4.9, and yet the unit test fails.
https://github.com/openshift/kubernetes/blob/release-4.9/openshift-hack/images/hyperkube/Dockerfile.rhel#L4-L9

> RUN make GOFLAGS='-mod=vendor -p=4 -tags=unsupportedGolang116OnlyUseDeprecatedParseIPv4' \
>         WHAT='cmd/kube-apiserver cmd/kube-controller-manager cmd/kube-scheduler cmd/kubelet cmd/watch-termination' && \
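
The parsing difference behind this bug, as an added example that is not part of the bug report or of the Kubernetes code base: from Go 1.17 on, `net.ParseIP` rejects IPv4 fields with leading zeros because some systems read them as octal, while the older parser read them as decimal. `parseIPv4Legacy` and `classify` are hypothetical names, the legacy parser is a simplified stand-in, and the code assumes Go 1.17 or later.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// parseIPv4Legacy (hypothetical helper) reads each dotted field as decimal and
// ignores leading zeros, a simplified stand-in for the lenient legacy parsing.
func parseIPv4Legacy(s string) net.IP {
	fields := strings.Split(s, ".")
	if len(fields) != 4 {
		return nil
	}
	var b [4]byte
	for i, f := range fields {
		// ParseUint rejects empty fields, signs, non-digits and values over 255.
		n, err := strconv.ParseUint(f, 10, 8)
		if err != nil {
			return nil
		}
		b[i] = byte(n)
	}
	return net.IPv4(b[0], b[1], b[2], b[3])
}

// classify reports whether s passes the strict parser, only the lenient one,
// or neither, together with the canonical form of the address.
func classify(s string) (status, canonical string) {
	if ip := net.ParseIP(s); ip != nil {
		return "strict-valid", ip.String()
	}
	if ip := parseIPv4Legacy(s); ip != nil {
		return "legacy-only", ip.String()
	}
	return "invalid", ""
}

func main() {
	// Constructed sample inputs; the first two are the values quoted on this page.
	for _, s := range []string{"172.30.001.008", "1.1.1.01", "10.9.8.7", "1.1.1.256"} {
		status, canon := classify(s)
		fmt.Printf("%-16s %-13s %s\n", s, status, canon)
	}
}
```

A `legacy-only` result marks a stored address that a strictly validating API server would refuse, along with the canonical form it could be rewritten to.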

Comment 11 Abu Kashem 2022-04-07 18:55:15 UTC
The unit test still fails; opened a new BZ: https://bugzilla.redhat.com/show_bug.cgi?id=2073153

