Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-19805

CoreDNS panics if an EndpointSlice object contains a port without a port number

XMLWordPrintable

    • Critical
    • No
    • 1
    • Sprint 242, Sprint 243
    • 2
    • Approved
    • False
    • Hide

      None

      Show
      None
    • Hide
      * Previously, CoreDNS terminated unexpectedly if a user created an `EndpointSlice` port without a port number. With this update, validation was added to CoreDNS to prevent it from unexpectedly terminating. (link:https://issues.redhat.com/browse/OCPBUGS-19805[*OCPBUGS-19805*])

      Previously, CoreDNS would crash if a user created an EndpointSlice port without a port number. This allowed a user with the necessary permissions to disrupt DNS functionality within a cluster. With this update, validation was added to CoreDNS so that it will no longer crash in this situation.
      Show
      * Previously, CoreDNS terminated unexpectedly if a user created an `EndpointSlice` port without a port number. With this update, validation was added to CoreDNS to prevent it from unexpectedly terminating. (link: https://issues.redhat.com/browse/OCPBUGS-19805 [* OCPBUGS-19805 *]) Previously, CoreDNS would crash if a user created an EndpointSlice port without a port number. This allowed a user with the necessary permissions to disrupt DNS functionality within a cluster. With this update, validation was added to CoreDNS so that it will no longer crash in this situation.
    • Bug Fix
    • Done

      Description of problem:

      While reviewing PRs in CoreDNS 1.11.0, we stumbled upon https://github.com/coredns/coredns/pull/6179, which describes an CoreDNS crash in the kubernetes plugin if you create an EndpointSlice object contains a port without a port number.

I reproduced this myself and was able to successfully bring down all of CoreDNS so that the cluster was put into a degraded state.

We've bumped to CoreDNS 1.11.1 in 4.15, so this is concern for < 4.15.

      Version-Release number of selected component (if applicable):

      Less than or equal to 4.14

      How reproducible:

      100%

      Steps to Reproduce:

      1. Create an endpointslice with a port with no port number:

apiVersion: discovery.k8s.io/v1
kind: EndpointSlice
metadata:
  name: example-abc
addressType: IPv4
ports:
  - name: ""

2.Shortly after creating this object, all DNS pods continuously crash:
oc get -n openshift-dns pods
NAME                  READY   STATUS             RESTARTS     AGE
dns-default-57lmh     1/2     CrashLoopBackOff   1 (3s ago)   79m
dns-default-h6cvm     1/2     CrashLoopBackOff   1 (4s ago)   79m
dns-default-mn7qd     1/2     CrashLoopBackOff   1 (3s ago)   79m
dns-default-mxq5g     1/2     CrashLoopBackOff   1 (3s ago)   79m
dns-default-wdrff     1/2     CrashLoopBackOff   1 (3s ago)   79m
dns-default-zs7cd     1/2     CrashLoopBackOff   1 (3s ago)   79m

      Actual results:

      DNS Pods crash

      Expected results:

      DNS Pods should NOT crash

      Additional info:

       

              gspence@redhat.com Grant Spence
              gspence@redhat.com Grant Spence
              Melvin Joseph Melvin Joseph
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

                Created:
                Updated:
                Resolved: