Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-11796

Allow installer to use existing Azure NSG during OpenShift IPI install

XMLWordPrintable

    • No
    • False
    • Hide

      None

      Show
      None
    • Hide
      Previously, installing an Azure cluster into an existing Azure Virtual Network (VNet) might have failed because the installation program created a default network security group, which allowed traffic from `0.0.0.0`. The failure occurred when the existing VNet had the following rule enabled in the tenant: `Rule: Network Security Groups shall not allow rule with 0.0.0.0/Any Source/Destination IP Addresses - Custom Deny`. With this fix, the installation program no longer creates the default network security group when installing a cluster into an existing VNet, and the installation succeeds. (link:https://issues.redhat.com/browse/OCPBUGS-11796[*OCPBUGS-11796*])
      Show
      Previously, installing an Azure cluster into an existing Azure Virtual Network (VNet) might have failed because the installation program created a default network security group, which allowed traffic from `0.0.0.0`. The failure occurred when the existing VNet had the following rule enabled in the tenant: `Rule: Network Security Groups shall not allow rule with 0.0.0.0/Any Source/Destination IP Addresses - Custom Deny`. With this fix, the installation program no longer creates the default network security group when installing a cluster into an existing VNet, and the installation succeeds. (link: https://issues.redhat.com/browse/OCPBUGS-11796 [* OCPBUGS-11796 *])
    • Bug Fix
    • Done

      Description of problem:

      In an install where users bring their networks they also bring their own NSGs. However, the installer still creates NSG. In Azure environments using the rule [1] below, users are prohibited from installing cluster, as the apiserver_in rule has the rule set as 0.0.0.0[2]. Having a rule in place where the users could define this before install would allow them to set this connectivity without having the inbound access 



[1] - Rule: Network Security Groups shall not allow rule with 0.0.0.0/Any Source/Destination IP Addresses - Custom Deny

[2] - https://github.com/openshift/installer/blob/master/data/data/azure/vnet/nsg.tf#L31

              rdossant Rafael Fonseca dos Santos
              rh-ee-ssnyder Shane Snyder
              Jinyun Ma Jinyun Ma
              Mike Pytlak Mike Pytlak (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

                Created:
                Updated:
                Resolved: