Bug 2110982 - On GCP, need to check load balancer health check IPs required for restricted installation
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 4.10
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 4.13.0
Assignee: Brent Barbachem
QA Contact: Jianli Wei
Docs Contact: dfitzmau
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-07-26 09:25 UTC by Chinmay Deshpande
Modified: 2023-05-17 22:47 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Previously, a private {product-name} cluster running on Google Cloud Platform (GCP) would receive additional firewall rules so that GCP could perform health checks for both internal and external load balancers. Private clusters only use internal load balancers, so allowing health checks for external load balancers is unnecessary. With this update, a private cluster that runs on GCP no longer receives these additional firewall rules that stemmed from health checks for external load balancers. (link:https://bugzilla.redhat.com/show_bug.cgi?id=2110982[*BZ#2110982*])
Clone Of:
Environment:
Last Closed: 2023-05-17 22:46:56 UTC
Target Upstream Version:
Embargoed:

Links
System ID Private Priority Status Summary Last Updated
Github openshift installer pull 6755 0 None open BUG 2110982: GCP skip public loadbalancer ip addresses 2023-01-10 12:58:54 UTC
Red Hat Product Errata RHSA-2023:1326 0 None None None 2023-05-17 22:47:05 UTC

Description Chinmay Deshpande 2022-07-26 09:25:12 UTC
Version:

OCP 4.10

Platform:

GCP

Please specify:
IPI

What happened?

Looking at the installer [1] code, it opens up a FW to 4 IPs.
Two of them are expected according to link [2]; however, it is not expected to have the other 2 IPs below opened up, as they are required for network load balancers and not internal TCP/UDP load balancers.

209.85.152.0/22
209.85.204.0/22

Customer's cluster is an internal cluster therefore they are not expecting these IPs to be in the firewall.

[1] https://github.com/openshift/installer/blob/b8e2c497249948adffba128dac0713b521b3ce4a/data/data/gcp/cluster/network/firewall.tf#L27
[2] https://cloud.google.com/load-balancing/docs/health-checks#fw-rule


What did you expect to happen?

It is expected to have only these two IPs 35.191.0.0/16, 130.211.0.0/22 to be open in firewall when doing restricted installation.

How to reproduce it (as minimally and precisely as possible)? N/A

Anything else we need to know?
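
An added audit check, not code from the installer or from this bug report, that does what the description asks for by hand: it reads firewall rules and flags any ingress rule on a private cluster whose source ranges admit the network load balancer prober ranges (209.85.152.0/22, 209.85.204.0/22) rather than only the internal TCP/UDP load balancer ranges (35.191.0.0/16, 130.211.0.0/22). The rule records are constructed to resemble `gcloud compute firewall-rules list --format=json` output; the field names `name`, `direction` and `sourceRanges` are assumed to match that output.

```python
"""Audit GCP firewall source ranges for a private (internal-only) cluster.

Added example, not code from the installer or this bug report. Rule records
are constructed to resemble `gcloud compute firewall-rules list --format=json`.
"""
import ipaddress
import json

# Prober ranges for internal TCP/UDP load balancer health checks: the two
# the reporter expects on a restricted installation.
INTERNAL_LB_HEALTH_CHECK_RANGES = ("35.191.0.0/16", "130.211.0.0/22")

# Prober ranges for network load balancers; a private cluster that only
# uses internal load balancers has no reason to admit them.
NETWORK_LB_HEALTH_CHECK_RANGES = ("209.85.152.0/22", "209.85.204.0/22")

# Constructed sample: one rule carrying all four ranges (the reported
# behaviour) and one unrelated intra-VPC rule.
SAMPLE_RULES_JSON = json.dumps([
    {"name": "demo-health-checks", "direction": "INGRESS",
     "sourceRanges": ["35.191.0.0/16", "130.211.0.0/22",
                      "209.85.152.0/22", "209.85.204.0/22"]},
    {"name": "demo-internal", "direction": "INGRESS",
     "sourceRanges": ["10.0.0.0/16"]},
])


def _overlaps_network_lb(cidr):
    """True if cidr overlaps any network-LB prober range. Overlap rather
    than equality, so an over-broad CIDR such as 209.85.0.0/16 also counts."""
    net = ipaddress.ip_network(cidr)
    return any(net.overlaps(ipaddress.ip_network(r))
               for r in NETWORK_LB_HEALTH_CHECK_RANGES)


def find_network_lb_ranges(rules_json):
    """Map rule name -> source ranges a private cluster should not admit."""
    findings = {}
    for rule in json.loads(rules_json):
        if rule.get("direction", "INGRESS") != "INGRESS":
            continue  # egress rules do not admit prober traffic
        extra = [c for c in rule.get("sourceRanges", []) if _overlaps_network_lb(c)]
        if extra:
            findings[rule["name"]] = extra
    return findings


def hardened_source_ranges(source_ranges):
    """Keep only ranges a private cluster needs (drops the network-LB ones)."""
    return [c for c in source_ranges if not _overlaps_network_lb(c)]
```

Run against real output by replacing `SAMPLE_RULES_JSON` with the JSON from the gcloud command above; a non-empty result from `find_network_lb_ranges` is a rule to tighten, and `hardened_source_ranges` gives the reduced list to apply.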

Comment 1 Patrick Dillon 2022-07-26 17:22:40 UTC
The team has reviewed this BZ: 35.191.0.0/16, 130.211.0.0/22 are only needed for network load balancers, but including them in the firewall rules is harmless as they cannot route to the internal LB and those IPs are owned by Google. Custom firewall rules can be provided through UPI installs.

Comment 2 Patrick Dillon 2022-07-29 15:27:44 UTC
There was a mistake in my previous comment: 209.85.152.0/22, 209.85.204.0/22 are the IPs needed for network load balancers.

Comment 3 Patrick Dillon 2022-11-01 13:51:59 UTC
Reopening this. We should be able to restrict the firewall rules to the minimum requirement. Will investigate and report if there are any unforeseen issues.

Comment 8 Jianli Wei 2023-01-28 02:06:14 UTC
Mark as verified according to the last 3 comments, thanks!

Comment 11 errata-xmlrpc 2023-05-17 22:46:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: OpenShift Container Platform 4.13.0 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:1326

