OpenShift Bugs: OCPBUGS-16298

kube-apiserver without need-management-kas-access label could still access mgmt KAS


    • Type: Bug
    • Resolution: Done-Errata
    • Priority: Normal
    • Versions: 4.14.0, 4.14
    • Component: HyperShift
    • Sprint: Hypershift Sprint 240

      Description of problem:

      For HOSTEDCP-1062, components without the label `hypershift.openshift.io/need-management-kas-access: "true"` cannot access the management cluster KAS resources.
      But for `kube-apiserver` in HCP, there isn't the target label `hypershift.openshift.io/need-management-kas-access: "true"`, but it can access the mgmt KAS.
      
      
      jiezhao-mac:hypershift jiezhao$ oc get pods -n clusters-jie-test | grep kube-apiserver
      kube-apiserver-6799b6cfd8-wk8pv                      3/3     Running   0          178m
      jiezhao-mac:hypershift jiezhao$ 
      jiezhao-mac:hypershift jiezhao$ oc get pods kube-apiserver-6799b6cfd8-wk8pv -n clusters-jie-test -o yaml | grep hypershift.openshift.io/need-management-kas-access
      jiezhao-mac:hypershift jiezhao$ 
      
      jiezhao-mac:hypershift jiezhao$ oc -n clusters-jie-test rsh pod/kube-apiserver-6799b6cfd8-wk8pv curl --connect-timeout 2 -Iks https://10.0.142.255:6443 -v
      Defaulted container "apply-bootstrap" out of: apply-bootstrap, kube-apiserver, audit-logs, init-bootstrap (init), wait-for-etcd (init)
      * Rebuilt URL to: https://10.0.142.255:6443/
      ..
      < HTTP/2 403 
      HTTP/2 403 
      ...
      < 
      * Connection #0 to host 10.0.142.255 left intact

      How reproducible:

      Refer to test case: https://polarion.engineering.redhat.com/polarion/#/project/OSE/workitem?id=OCP-65141

      Steps to Reproduce:

      https://polarion.engineering.redhat.com/polarion/#/project/OSE/workitem?id=OCP-65141 

      Additional info:

      The router pod has the label and can access mgmt KAS. My expectation is that the router pod shouldn't have the label and shouldn't access mgmt KAS.
      
      $ oc get pods router-667cb7f844-lx8mv -n clusters-jie-test -o yaml | grep hypershift.openshift.io/need-management-kas-access
      hypershift.openshift.io/need-management-kas-access: "true"
      jiezhao-mac:hypershift jiezhao$ oc -n clusters-jie-test rsh pod/router-667cb7f844-lx8mv curl --connect-timeout 2 -Iks https://10.0.142.255:6443 -v
      * Rebuilt URL to: https://10.0.142.255:6443/
      *   Trying 10.0.142.255...
      ...
      < HTTP/2 403
      HTTP/2 403
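An added audit script (not part of this bug report or the HyperShift project) that applies the check above to every pod in the HCP namespace: it pairs each pod's label with the result of the same curl probe and reports mismatches. The pod JSON and curl output are constructed from the values in this report, and the rule that any HTTP status line, including 403, means the pod reached the KAS is my assumption about how to read the probe.

```python
"""Compare each pod's need-management-kas-access label with the observed
result of a curl probe to the management KAS. Sample data is constructed
from this report; the helper names are not from the HyperShift project."""
import json

LABEL = "hypershift.openshift.io/need-management-kas-access"

# Constructed stand-in for `oc get pods -n clusters-jie-test -o json`.
PODS_JSON = json.dumps({"items": [
    {"metadata": {"name": "kube-apiserver-6799b6cfd8-wk8pv",
                  "labels": {"app": "kube-apiserver"}}},
    {"metadata": {"name": "router-667cb7f844-lx8mv",
                  "labels": {"app": "private-router", LABEL: "true"}}},
    {"metadata": {"name": "oauth-openshift-7d9f4c6b5-abcde",
                  "labels": {"app": "oauth-openshift"}}},
]})

# Constructed stand-in for `curl --connect-timeout 2 -Iks https://10.0.142.255:6443 -v`
# run via `oc rsh` inside each pod (one entry per pod name).
PROBES = {
    "kube-apiserver-6799b6cfd8-wk8pv":
        "* Rebuilt URL to: https://10.0.142.255:6443/\n< HTTP/2 403 \nHTTP/2 403 \n",
    "router-667cb7f844-lx8mv":
        "* Rebuilt URL to: https://10.0.142.255:6443/\n< HTTP/2 403 \nHTTP/2 403 \n",
    "oauth-openshift-7d9f4c6b5-abcde":
        "* Rebuilt URL to: https://10.0.142.255:6443/\n*   Trying 10.0.142.255...\n"
        "curl: (28) Connection timed out after 2001 milliseconds\n",
}

def has_label(pod):
    """True when the pod carries need-management-kas-access: "true"."""
    return pod["metadata"].get("labels", {}).get(LABEL) == "true"

def reached_kas(curl_output):
    """Any HTTP status line, even a 403 for the anonymous request, proves the
    TLS connection to the KAS completed; a curl error means egress was blocked."""
    return any(line.lstrip("< ").startswith("HTTP/")
               for line in curl_output.splitlines())

def audit(pods_json, probes):
    """Return (pod, labeled, reachable) for each pod whose observed access
    disagrees with its label: unlabeled-but-reachable is the bug in this
    report; labeled-but-blocked would mean the policy is too strict."""
    findings = []
    for pod in json.loads(pods_json)["items"]:
        name = pod["metadata"]["name"]
        labeled, reachable = has_label(pod), reached_kas(probes.get(name, ""))
        if labeled != reachable:
            findings.append((name, labeled, reachable))
    return findings
```

Run against live data by feeding `oc get pods -o json` output and the per-pod curl transcripts into `audit`; an empty result means every pod's access matches its label.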

      > Actually, router doesn't need it anymore after https://github.com/openshift/hypershift/pull/2778 

              People: Mulham Raee, He Liu, Jie Zhao