OpenShift Bugs: OCPBUGS-18978

router pod has mgmt KAS access even though it doesn't have NeedManagementKASAccessLabel


    • Bug
    • Resolution: Done-Errata
    • Major
    • 4.14.0
    • 4.15
    • HyperShift

      This is a clone of issue OCPBUGS-18907. The following is the description of the original issue:

      Description of problem:

      Follow on to https://issues.redhat.com/browse/OCPBUGS-17827
      
      jiezhao-mac:hypershift jiezhao$ oc get hostedcluster -n clusters
      NAME       VERSION                              KUBECONFIG                  PROGRESS    AVAILABLE   PROGRESSING   MESSAGE
      jie-test   4.14.0-0.nightly-2023-09-12-024050   jie-test-admin-kubeconfig   Completed   True        False         The hosted control plane is available
      jiezhao-mac:hypershift jiezhao$ 
      jiezhao-mac:hypershift jiezhao$ oc get pods -n clusters-jie-test | grep router
      router-78d47f4c69-2mvbp                               1/1     Running            0          68m
      jiezhao-mac:hypershift jiezhao$ 
      jiezhao-mac:hypershift jiezhao$ oc get pods router-78d47f4c69-2mvbp -n clusters-jie-test -ojsonpath='{.metadata.labels}' | jq
      {
        "app": "private-router",
        "hypershift.openshift.io/hosted-control-plane": "clusters-jie-test",
        "hypershift.openshift.io/request-serving-component": "true",
        "pod-template-hash": "78d47f4c69"
      }
      jiezhao-mac:hypershift jiezhao$ oc get networkpolicy management-kas  -n clusters-jie-test
      NAME             POD-SELECTOR                                                                                   AGE
      management-kas   !hypershift.openshift.io/need-management-kas-access,name notin (aws-ebs-csi-driver-operator)   76m
      jiezhao-mac:hypershift jiezhao$ 
      jiezhao-mac:hypershift jiezhao$ oc get networkpolicy management-kas  -n clusters-jie-test -o yaml
      apiVersion: networking.k8s.io/v1
      kind: NetworkPolicy
      metadata:
        annotations:
          hypershift.openshift.io/cluster: clusters/jie-test
        creationTimestamp: "2023-09-12T14:43:13Z"
        generation: 1
        name: management-kas
        namespace: clusters-jie-test
        resourceVersion: "54049"
        uid: 72288fed-a1f6-4dc9-bb63-981d7cdd479f
      spec:
        egress:
        - to:
          - podSelector: {}
        - to:
          - ipBlock:
              cidr: 0.0.0.0/0
              except:
              - 10.0.46.47/32
              - 10.0.7.159/32
              - 10.0.77.20/32
              - 10.128.0.0/14
        - ports:
          - port: 5353
            protocol: UDP
          - port: 5353
            protocol: TCP
          to:
          - namespaceSelector:
              matchLabels:
                kubernetes.io/metadata.name: openshift-dns
        podSelector:
          matchExpressions:
          - key: hypershift.openshift.io/need-management-kas-access
            operator: DoesNotExist
          - key: name
            operator: NotIn
            values:
            - aws-ebs-csi-driver-operator
        policyTypes:
        - Egress
      status: {}
      jiezhao-mac:hypershift jiezhao$ 
      jiezhao-mac:hypershift jiezhao$ oc get endpoints -n default kubernetes
      NAME         ENDPOINTS                                         AGE
      kubernetes   10.0.46.47:6443,10.0.7.159:6443,10.0.77.20:6443   150m
      jiezhao-mac:hypershift jiezhao$ 
      jiezhao-mac:hypershift jiezhao$ oc get endpoints -n default kubernetes -o yaml
      apiVersion: v1
      kind: Endpoints
      metadata:
        creationTimestamp: "2023-09-12T13:32:47Z"
        labels:
          endpointslice.kubernetes.io/skip-mirror: "true"
        name: kubernetes
        namespace: default
        resourceVersion: "31961"
        uid: bc170a67-018f-4490-a18c-811ebd3f3676
      subsets:
      - addresses:
        - ip: 10.0.46.47
        - ip: 10.0.7.159
        - ip: 10.0.77.20
        ports:
        - name: https
          port: 6443
          protocol: TCP
      jiezhao-mac:hypershift jiezhao$ 
      jiezhao-mac:hypershift jiezhao$ oc get endpoints -n default kubernetes -ojsonpath='{.subsets[].addresses[].ip}{"\n"}'
      10.0.46.47
      jiezhao-mac:hypershift jiezhao$ 
      jiezhao-mac:hypershift jiezhao$ oc get endpoints -n default kubernetes -ojsonpath='{.subsets[].ports[].port}{"\n"}'
      6443
      jiezhao-mac:hypershift jiezhao$ 
      jiezhao-mac:hypershift jiezhao$ oc project clusters-jie-test
      Now using project "clusters-jie-test" on server "https://api.jiezhao-091201.qe.devcluster.openshift.com:6443".
      jiezhao-mac:hypershift jiezhao$ 
      jiezhao-mac:hypershift jiezhao$ oc -n clusters-jie-test rsh pod/router-78d47f4c69-2mvbp curl --connect-timeout 2 -Iks https://10.0.46.47:6443 -v 
      * Rebuilt URL to: https://10.0.46.47:6443/
      *   Trying 10.0.46.47...
      * TCP_NODELAY set
      * Connected to 10.0.46.47 (10.0.46.47) port 6443 (#0)
      * ALPN, offering h2
      * ALPN, offering http/1.1
      * successfully set certificate verify locations:
      *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
        CApath: none
      * TLSv1.3 (OUT), TLS handshake, Client hello (1):
      * TLSv1.3 (IN), TLS handshake, Server hello (2):
      * TLSv1.3 (IN), TLS handshake, [no content] (0):
      * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
      * TLSv1.3 (IN), TLS handshake, [no content] (0):
      * TLSv1.3 (IN), TLS handshake, Request CERT (13):
      * TLSv1.3 (IN), TLS handshake, [no content] (0):
      * TLSv1.3 (IN), TLS handshake, Certificate (11):
      * TLSv1.3 (IN), TLS handshake, [no content] (0):
      * TLSv1.3 (IN), TLS handshake, CERT verify (15):
      * TLSv1.3 (IN), TLS handshake, [no content] (0):
      * TLSv1.3 (IN), TLS handshake, Finished (20):
      * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
      * TLSv1.3 (OUT), TLS handshake, [no content] (0):
      * TLSv1.3 (OUT), TLS handshake, Certificate (11):
      * TLSv1.3 (OUT), TLS handshake, [no content] (0):
      * TLSv1.3 (OUT), TLS handshake, Finished (20):
      * SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
      * ALPN, server accepted to use h2
      * Server certificate:
      *  subject: CN=172.30.0.1
      *  start date: Sep 12 13:35:51 2023 GMT
      *  expire date: Oct 12 13:35:52 2023 GMT
      *  issuer: OU=openshift; CN=kube-apiserver-service-network-signer
      *  SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
      * Using HTTP2, server supports multi-use
      * Connection state changed (HTTP/2 confirmed)
      * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
      * TLSv1.3 (OUT), TLS app data, [no content] (0):
      * TLSv1.3 (OUT), TLS app data, [no content] (0):
      * TLSv1.3 (OUT), TLS app data, [no content] (0):
      * Using Stream ID: 1 (easy handle 0x55c5c46cb990)
      * TLSv1.3 (OUT), TLS app data, [no content] (0):
      > HEAD / HTTP/2
      > Host: 10.0.46.47:6443
      > User-Agent: curl/7.61.1
      > Accept: */*
      > 
      * TLSv1.3 (IN), TLS handshake, [no content] (0):
      * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
      * TLSv1.3 (IN), TLS app data, [no content] (0):
      * Connection state changed (MAX_CONCURRENT_STREAMS == 2000)!
      * TLSv1.3 (OUT), TLS app data, [no content] (0):
      * TLSv1.3 (IN), TLS app data, [no content] (0):
      * TLSv1.3 (IN), TLS app data, [no content] (0):
      * TLSv1.3 (IN), TLS app data, [no content] (0):
      < HTTP/2 403 
      HTTP/2 403 
      < audit-id: 82d5f3f7-6e5b-4bb5-b846-54df09aefb54
      audit-id: 82d5f3f7-6e5b-4bb5-b846-54df09aefb54
      < cache-control: no-cache, private
      cache-control: no-cache, private
      < content-type: application/json
      content-type: application/json
      < strict-transport-security: max-age=31536000; includeSubDomains; preload
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      < x-content-type-options: nosniff
      x-content-type-options: nosniff
      < x-kubernetes-pf-flowschema-uid: 6edd6532-2d15-4d8d-9cea-4dcce99b881f
      x-kubernetes-pf-flowschema-uid: 6edd6532-2d15-4d8d-9cea-4dcce99b881f
      < x-kubernetes-pf-prioritylevel-uid: 4115bb59-a78d-42ab-9136-37529cf107e1
      x-kubernetes-pf-prioritylevel-uid: 4115bb59-a78d-42ab-9136-37529cf107e1
      < content-length: 218
      content-length: 218
      < date: Tue, 12 Sep 2023 16:05:02 GMT
      date: Tue, 12 Sep 2023 16:05:02 GMT
      < 
      * Connection #0 to host 10.0.46.47 left intact
      jiezhao-mac:hypershift jiezhao$ 

      Version-Release number of selected component (if applicable):

       

      How reproducible:

       

      Steps to Reproduce:

      1.
      2.
      3.
      

      Actual results:

       

      Expected results:

       

      Additional info:

       

            sjenning Seth Jennings
            openshift-crt-jira-prow OpenShift Prow Bot
            Jie Zhao Jie Zhao
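
An added check, not part of the original report or of HyperShift's own code: it evaluates the `management-kas` policy and the router pod labels shown above using standard Kubernetes label-selector and ipBlock semantics. The function names are hypothetical, and pod and namespace selector peers are skipped on the assumption that the destination is a node IP rather than a pod.

```python
import ipaddress
# Labels and policy copied from the `oc get` output in the report above.
ROUTER_LABELS = {"app": "private-router", "pod-template-hash": "78d47f4c69",
    "hypershift.openshift.io/hosted-control-plane": "clusters-jie-test",
    "hypershift.openshift.io/request-serving-component": "true"}
KAS_KEY = "hypershift.openshift.io/need-management-kas-access"
POLICY = {
    "podSelector": {"matchExpressions": [
        {"key": KAS_KEY, "operator": "DoesNotExist"},
        {"key": "name", "operator": "NotIn", "values": ["aws-ebs-csi-driver-operator"]}]},
    "egress": [
        {"to": [{"podSelector": {}}]},
        {"to": [{"ipBlock": {"cidr": "0.0.0.0/0", "except": [
            "10.0.46.47/32", "10.0.7.159/32", "10.0.77.20/32", "10.128.0.0/14"]}}]},
        {"ports": [{"port": 5353, "protocol": "UDP"}, {"port": 5353, "protocol": "TCP"}],
         "to": [{"namespaceSelector": {"matchLabels": {
             "kubernetes.io/metadata.name": "openshift-dns"}}}]}]}

def selects(selector, labels):
    """Kubernetes label-selector semantics; every requirement must hold."""
    if any(labels.get(k) != v for k, v in selector.get("matchLabels", {}).items()):
        return False
    for e in selector.get("matchExpressions", []):
        key, vals = e["key"], e.get("values", [])
        ok = {"Exists": key in labels, "DoesNotExist": key not in labels,
              "In": labels.get(key) in vals,  # an absent key fails In, passes NotIn
              "NotIn": labels.get(key) not in vals}[e["operator"]]
        if not ok:
            return False
    return True

def ip_egress_allowed(spec, dst, port, proto="TCP"):
    """True if some egress rule admits dst:port via an ipBlock peer or an empty 'to'."""
    ip = ipaddress.ip_address(dst)
    for rule in spec.get("egress", []):
        if rule.get("ports") and not any(p.get("port") in (None, port) and
                p.get("protocol", "TCP") == proto for p in rule["ports"]):
            continue
        if not rule.get("to"):
            return True  # no peers listed: the rule matches every destination
        for peer in rule["to"]:
            blk = peer.get("ipBlock")  # selector peers skipped (assumption: dst is a node IP)
            if blk and ip in ipaddress.ip_network(blk["cidr"]) and not any(
                    ip in ipaddress.ip_network(x) for x in blk.get("except", [])):
                return True
    return False

def verdict(labels, spec, dst, port):
    if not selects(spec["podSelector"], labels):
        return "pod not selected by policy"
    return "allowed" if ip_egress_allowed(spec, dst, port) else "not allowed by this policy"
```

For the router pod and `10.0.46.47:6443` the verdict is "not allowed by this policy", which is the opposite of what the curl session shows. NetworkPolicies are additive, so the other policies in the namespace that select the same pod are the next thing to evaluate the same way.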