- Bug
- Resolution: Done-Errata
- Major
- 4.15
- None
- No
- Proposed
- False
This is a clone of issue OCPBUGS-18907. The following is the description of the original issue:
—
Description of problem:
Follow-on to https://issues.redhat.com/browse/OCPBUGS-17827

jiezhao-mac:hypershift jiezhao$ oc get hostedcluster -n clusters
NAME       VERSION                              KUBECONFIG                  PROGRESS    AVAILABLE   PROGRESSING   MESSAGE
jie-test   4.14.0-0.nightly-2023-09-12-024050   jie-test-admin-kubeconfig   Completed   True        False         The hosted control plane is available
jiezhao-mac:hypershift jiezhao$
jiezhao-mac:hypershift jiezhao$ oc get pods -n clusters-jie-test | grep router
router-78d47f4c69-2mvbp   1/1   Running   0   68m
jiezhao-mac:hypershift jiezhao$
jiezhao-mac:hypershift jiezhao$ oc get pods router-78d47f4c69-2mvbp -n clusters-jie-test -ojsonpath='{.metadata.labels}' | jq
{
  "app": "private-router",
  "hypershift.openshift.io/hosted-control-plane": "clusters-jie-test",
  "hypershift.openshift.io/request-serving-component": "true",
  "pod-template-hash": "78d47f4c69"
}
jiezhao-mac:hypershift jiezhao$ oc get networkpolicy management-kas -n clusters-jie-test
NAME             POD-SELECTOR                                                                                   AGE
management-kas   !hypershift.openshift.io/need-management-kas-access,name notin (aws-ebs-csi-driver-operator)   76m
jiezhao-mac:hypershift jiezhao$
jiezhao-mac:hypershift jiezhao$ oc get networkpolicy management-kas -n clusters-jie-test -o yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  annotations:
    hypershift.openshift.io/cluster: clusters/jie-test
  creationTimestamp: "2023-09-12T14:43:13Z"
  generation: 1
  name: management-kas
  namespace: clusters-jie-test
  resourceVersion: "54049"
  uid: 72288fed-a1f6-4dc9-bb63-981d7cdd479f
spec:
  egress:
  - to:
    - podSelector: {}
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 10.0.46.47/32
        - 10.0.7.159/32
        - 10.0.77.20/32
        - 10.128.0.0/14
  - ports:
    - port: 5353
      protocol: UDP
    - port: 5353
      protocol: TCP
    to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: openshift-dns
  podSelector:
    matchExpressions:
    - key: hypershift.openshift.io/need-management-kas-access
      operator: DoesNotExist
    - key: name
      operator: NotIn
      values:
      - aws-ebs-csi-driver-operator
  policyTypes:
  - Egress
status: {}
jiezhao-mac:hypershift jiezhao$
jiezhao-mac:hypershift jiezhao$ oc get endpoints -n default kubernetes
NAME         ENDPOINTS                                         AGE
kubernetes   10.0.46.47:6443,10.0.7.159:6443,10.0.77.20:6443   150m
jiezhao-mac:hypershift jiezhao$
jiezhao-mac:hypershift jiezhao$ oc get endpoints -n default kubernetes -o yaml
apiVersion: v1
kind: Endpoints
metadata:
  creationTimestamp: "2023-09-12T13:32:47Z"
  labels:
    endpointslice.kubernetes.io/skip-mirror: "true"
  name: kubernetes
  namespace: default
  resourceVersion: "31961"
  uid: bc170a67-018f-4490-a18c-811ebd3f3676
subsets:
- addresses:
  - ip: 10.0.46.47
  - ip: 10.0.7.159
  - ip: 10.0.77.20
  ports:
  - name: https
    port: 6443
    protocol: TCP
jiezhao-mac:hypershift jiezhao$
jiezhao-mac:hypershift jiezhao$ oc get endpoints -n default kubernetes -ojsonpath='{.subsets[].addresses[].ip}{"\n"}'
10.0.46.47
jiezhao-mac:hypershift jiezhao$
jiezhao-mac:hypershift jiezhao$ oc get endpoints -n default kubernetes -ojsonpath='{.subsets[].ports[].port}{"\n"}'
6443
jiezhao-mac:hypershift jiezhao$
jiezhao-mac:hypershift jiezhao$ oc project clusters-jie-test
Now using project "clusters-jie-test" on server "https://api.jiezhao-091201.qe.devcluster.openshift.com:6443".
jiezhao-mac:hypershift jiezhao$
jiezhao-mac:hypershift jiezhao$ oc -n clusters-jie-test rsh pod/router-78d47f4c69-2mvbp curl --connect-timeout 2 -Iks https://10.0.46.47:6443 -v
* Rebuilt URL to: https://10.0.46.47:6443/
*   Trying 10.0.46.47...
* TCP_NODELAY set
* Connected to 10.0.46.47 (10.0.46.47) port 6443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, [no content] (0):
* TLSv1.3 (OUT), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS handshake, [no content] (0):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=172.30.0.1
*  start date: Sep 12 13:35:51 2023 GMT
*  expire date: Oct 12 13:35:52 2023 GMT
*  issuer: OU=openshift; CN=kube-apiserver-service-network-signer
*  SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.3 (OUT), TLS app data, [no content] (0):
* TLSv1.3 (OUT), TLS app data, [no content] (0):
* TLSv1.3 (OUT), TLS app data, [no content] (0):
* Using Stream ID: 1 (easy handle 0x55c5c46cb990)
* TLSv1.3 (OUT), TLS app data, [no content] (0):
> HEAD / HTTP/2
> Host: 10.0.46.47:6443
> User-Agent: curl/7.61.1
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS app data, [no content] (0):
* Connection state changed (MAX_CONCURRENT_STREAMS == 2000)!
* TLSv1.3 (OUT), TLS app data, [no content] (0):
* TLSv1.3 (IN), TLS app data, [no content] (0):
* TLSv1.3 (IN), TLS app data, [no content] (0):
* TLSv1.3 (IN), TLS app data, [no content] (0):
< HTTP/2 403
HTTP/2 403
< audit-id: 82d5f3f7-6e5b-4bb5-b846-54df09aefb54
audit-id: 82d5f3f7-6e5b-4bb5-b846-54df09aefb54
< cache-control: no-cache, private
cache-control: no-cache, private
< content-type: application/json
content-type: application/json
< strict-transport-security: max-age=31536000; includeSubDomains; preload
strict-transport-security: max-age=31536000; includeSubDomains; preload
< x-content-type-options: nosniff
x-content-type-options: nosniff
< x-kubernetes-pf-flowschema-uid: 6edd6532-2d15-4d8d-9cea-4dcce99b881f
x-kubernetes-pf-flowschema-uid: 6edd6532-2d15-4d8d-9cea-4dcce99b881f
< x-kubernetes-pf-prioritylevel-uid: 4115bb59-a78d-42ab-9136-37529cf107e1
x-kubernetes-pf-prioritylevel-uid: 4115bb59-a78d-42ab-9136-37529cf107e1
< content-length: 218
content-length: 218
< date: Tue, 12 Sep 2023 16:05:02 GMT
date: Tue, 12 Sep 2023 16:05:02 GMT
<
* Connection #0 to host 10.0.46.47 left intact
jiezhao-mac:hypershift jiezhao$
Version-Release number of selected component (if applicable):
How reproducible:
Steps to Reproduce:
1.
2.
3.
Actual results:
Expected results:
Additional info:
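By the policy text in the report, the router pod is selected (it carries no need-management-kas-access label and its name is not aws-ebs-csi-driver-operator) and all three kube-apiserver endpoint IPs sit in the egress ipBlock's except list, so a TLS handshake and HTTP/2 403 from 10.0.46.47:6443 means the policy is not taking effect for that pod. The following added example (not code from this issue or from HyperShift; function names are mine) evaluates the selector and the except-list coverage offline from the values in the report, so the same check can be run against any policy/pod/endpoints triple before trusting enforcement:

```python
# Added example (not from the issue or HyperShift): does the management-kas policy,
# as written, select the router pod and except every KAS endpoint IP from its egress?
import ipaddress

# Constructed from the report: the router pod's labels (no need-management-kas-access label).
ROUTER_LABELS = {
    "app": "private-router",
    "hypershift.openshift.io/hosted-control-plane": "clusters-jie-test",
    "hypershift.openshift.io/request-serving-component": "true",
    "pod-template-hash": "78d47f4c69",
}
# Constructed from the report: the policy's podSelector and egress ipBlock.except list.
POLICY = {
    "podSelector": {"matchExpressions": [
        {"key": "hypershift.openshift.io/need-management-kas-access", "operator": "DoesNotExist"},
        {"key": "name", "operator": "NotIn", "values": ["aws-ebs-csi-driver-operator"]},
    ]},
    "egressExcept": ["10.0.46.47/32", "10.0.7.159/32", "10.0.77.20/32", "10.128.0.0/14"],
}
# Constructed from the report: addresses in the default/kubernetes Endpoints object.
KAS_ENDPOINT_IPS = ["10.0.46.47", "10.0.7.159", "10.0.77.20"]

def selector_matches(labels, selector):
    """True if the labels satisfy matchLabels and every matchExpression (Kubernetes AND semantics)."""
    if any(labels.get(k) != v for k, v in selector.get("matchLabels", {}).items()):
        return False
    for expr in selector.get("matchExpressions", []):
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        present = key in labels
        if (op == "Exists" and not present) or (op == "DoesNotExist" and present):
            return False
        if (op == "In" and labels.get(key) not in values) or \
           (op == "NotIn" and present and labels[key] in values):
            return False
    return True

def unblocked_endpoints(endpoint_ips, except_cidrs):
    """Endpoint IPs outside every `except` CIDR, i.e. still reachable via the 0.0.0.0/0 rule."""
    nets = [ipaddress.ip_network(c) for c in except_cidrs]
    return [ip for ip in endpoint_ips if not any(ipaddress.ip_address(ip) in n for n in nets)]

def audit(labels, policy, endpoint_ips):
    """Whether the policy text alone should deny this pod's egress to the KAS endpoints."""
    selected = selector_matches(labels, policy["podSelector"])
    reachable = unblocked_endpoints(endpoint_ips, policy["egressExcept"])
    return {"pod_selected": selected, "endpoints_not_excepted": reachable,
            "kas_egress_should_be_denied": selected and not reachable}
```

When `kas_egress_should_be_denied` is True but a connect from the pod still succeeds, as in the report, the gap is in enforcement (how the pod is networked or how the CNI applies the policy), not in the policy object itself.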
- clones: OCPBUGS-18907 router pod has mgmt KAS access even though it doesn't have NeedManagementKASAccessLabel (Closed)
- is blocked by: OCPBUGS-18907 router pod has mgmt KAS access even though it doesn't have NeedManagementKASAccessLabel (Closed)
- links to: RHSA-2023:5006 OpenShift Container Platform 4.14.z security update