Bug 2066605 - coredns template block matches cluster API to loose
Summary: coredns template block matches cluster API to loose
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Machine Config Operator
Version: 4.11
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 4.11.0
Assignee: Bram Verschueren
QA Contact: Rio Liu
URL:
Whiteboard:
Depends On:
Blocks: 2076493
Reported: 2022-03-22 07:25 UTC by Bram Verschueren
Modified: 2022-08-10 10:55 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-08-10 10:55:17 UTC
Target Upstream Version:
Embargoed:
Links:
System ID                                            | Private | Priority | Status | Summary                                                      | Last Updated
Github openshift machine-config-operator pull 3033   | 0       | None     | open   | Bug 2066605: [on-prem] make Corefile api matching stricter   | 2022-03-25 18:52:50 UTC
Red Hat Product Errata RHSA-2022:5069                | 0       | None     | None   | None                                                         | 2022-08-10 10:55:55 UTC

Description Bram Verschueren 2022-03-22 07:25:37 UTC
Description of problem:
In on-prem installations the regex used to match the cluster API in a node's Corefile is too wide.
Any FQDN matching ".*api.<basedomain>" is resolved by coredns' template plugin [1].

[1] https://coredns.io/plugins/template/

Version-Release number of MCO (Machine Config Operator) (if applicable):

$ oc get co machine-config 
NAME             VERSION                              AVAILABLE   PROGRESSING   DEGRADED   SINCE   MESSAGE
machine-config   4.11.0-0.nightly-2022-03-18-065017   True        False         False      34m    

Platform (AWS, VSphere, Metal, etc.):

Are you certain that the root cause of the issue being reported is the MCO (Machine Config Operator)?
(Y/N/Not sure): Y

How reproducible:
100%

Did you catch this issue by running a Jenkins job? If yes, please list:
1. Jenkins job: N/A

2. Profile: N/A

Steps to Reproduce:
1. get cluster's API address
$ oc whoami --show-server
https://api.mycluster.tld:6443

2. resolve any host matching '.*api.<basedomain>':

(using non-existing 'myapi.mycluster.tld')

$ oc run -ti --image=registry.redhat.io/openshift4/network-tools-rhel8 test -- /bin/bash
If you don't see a command prompt, try pressing enter.
[root@test /]# nslookup myapi.mycluster.tld
Server:         172.30.0.10
Address:        172.30.0.10#53

Name:   myapi.mycluster.tld
Address: 192.168.0.5

[root@test /]# nslookup api.mycluster.tld
Server:         172.30.0.10
Address:        172.30.0.10#53

Name:   api.mycluster.tld
Address: 192.168.0.5

[root@test /]# nslookup my.sub.api.mycluster.tld
Server:         172.30.0.10
Address:        172.30.0.10#53

Name:   my.sub.api.mycluster.tld
Address: 192.168.0.5

Actual results:
Any '.*api.<basedomain>' FQDN is resolved by coredns' template plugin.

Expected results:
Only the exact '^api.<basedomain>' FQDN should be resolved from a template block.

Additional info:

The regex used in the Corefile template block's match field is too wide:

$ oc debug node/mycluster-wxt6k-worker-0-g5965 -- grep api -B1 -A2 /host/etc/coredns/Corefile 
Starting pod/mycluster-wxt6k-worker-0-g5965-debug ...
To use host binaries, run `chroot /host`
    template IN A mycluster.tld {
        match api.mycluster.tld
        answer "{{ .Name }} 60 in {{ .Type }} 192.168.0.5"
        fallthrough
--
    template IN AAAA mycluster.tld {
        match api.mycluster.tld
        fallthrough
    }
    template IN A mycluster.tld {
        match api-int.mycluster.tld
        answer "{{ .Name }} 60 in {{ .Type }} 192.168.0.5"
        fallthrough
--
    template IN AAAA mycluster.tld {
        match api-int.mycluster.tld
        fallthrough
    }
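As an added illustration (not code from the report or from the machine-config-operator pull request), the Go program below shows why the shipped `match api.mycluster.tld` line answers every name in the reproduction: the pattern is an unanchored regex with unescaped dots. It assumes the base domain `mycluster.tld` from the report and that CoreDNS matches the template regex against the query name as an FQDN with a trailing dot; the anchored pattern built by `StrictAPIPattern` is this example's own assumption, not the exact text of the fix.

```go
package main

import (
	"fmt"
	"regexp"
)

// Constructed sample queries for the base domain used in the report. CoreDNS
// hands the template plugin the query name as an FQDN with a trailing dot,
// so the samples carry one too.
var sampleQueries = []string{
	"api.mycluster.tld.",        // the real cluster API: should match
	"myapi.mycluster.tld.",      // non-existent host from the report: should not match
	"my.sub.api.mycluster.tld.", // subdomain from the report: should not match
	"apixmycluster.tld.",        // an unescaped '.' in the pattern also accepts this
}

// looseMatch is the pattern as written in the shipped Corefile
// ("match api.mycluster.tld"): unanchored, with '.' acting as a wildcard.
var looseMatch = regexp.MustCompile(`api.mycluster.tld`)

// StrictAPIPattern builds an anchored pattern with the base domain escaped.
// The shape of this pattern is an assumption of this example, not the MCO fix.
func StrictAPIPattern(baseDomain string) *regexp.Regexp {
	return regexp.MustCompile(`^api\.` + regexp.QuoteMeta(baseDomain) + `\.$`)
}

// MatchedBy returns the sample query names a pattern would answer from the
// template block instead of falling through to the normal resolver.
func MatchedBy(re *regexp.Regexp, queries []string) []string {
	var hit []string
	for _, q := range queries {
		if re.MatchString(q) {
			hit = append(hit, q)
		}
	}
	return hit
}

func main() {
	fmt.Println("loose :", MatchedBy(looseMatch, sampleQueries))
	fmt.Println("strict:", MatchedBy(StrictAPIPattern("mycluster.tld"), sampleQueries))
}
```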

Comment 8 errata-xmlrpc 2022-08-10 10:55:17 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Important: OpenShift Container Platform 4.11.0 bug fix and security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5069