Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-20161

HostedCluster with ControlPlaneEndpoint: 443 also exposes on 6443

    XMLWordPrintable

Details

    • No
    • Hypershift Sprint 244
    • 1
    • Rejected
    • False
    • Hide

      None

      Show
      None
    • Hide
      * Previously, hosted clusters with `.status.controlPlaneEndpoint.port: 443` would mistakenly expose the port 6443 for public and private routers. With this update, hosted clusters with `.status.controlPlaneEndpoint.port: 443` only expose the port 443. (link:https://issues.redhat.com/browse/OCPBUGS-20161[*OCPBUGS-20161*])
      Show
      * Previously, hosted clusters with `.status.controlPlaneEndpoint.port: 443` would mistakenly expose the port 6443 for public and private routers. With this update, hosted clusters with `.status.controlPlaneEndpoint.port: 443` only expose the port 443. (link: https://issues.redhat.com/browse/OCPBUGS-20161 [* OCPBUGS-20161 *])
    • Bug Fix
    • Done

    Description

      Description of problem:

      HostedClusters with a .status.controlPlaneEndpoint.port: 443 unexepectedly also expose the KAS on port 6443. This causes four security group rules to be consumed per LoadBalancer service (443/6443 for router and 443/6443 for private-router) instead of just two (443 for router and 443 for private-router). This directly impacts the number of HostedClusters on a Management Cluster since there is a hard cap of 200 security group rules per security group.

      Version-Release number of selected component (if applicable):

      4.14.0

      How reproducible:

      100%

      Steps to Reproduce:

      1. Create a HostedCluster resulting in its .status.controlPlaneEndpoint.port: 443
2. Observe that the router/private-router LoadBalancer services expose both ports 6443 and 443

      Actual results:

      The router/private-router LoadBalancer services expose both ports 6443 and 443

      Expected results:

      The router/private-router LoadBalancer services exposes only port 443

      Additional info:

       

      Attachments

        Issue Links

          blocks

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-22898 HostedCluster with ControlPlaneEndpoint: 443 also exposes on 6443

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed
          is cloned by

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-22898 HostedCluster with ControlPlaneEndpoint: 443 also exposes on 6443

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed
          is duplicated by

          Bug - A problem that impairs or prevents the functions of the product. HOSTEDCP-1268 Staging: HC stuck at installing

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed
          links to

          GitHub openshift/hypershift#3149: OCPBUGS-20161: Stop exposing kas on 6443 private route service load balancer

          Web Link RHEA-2023:7198 rpm

          mentioned in

          Page Loading...

          mentioned on

          GitLab Merge request - Bump IBM integration to our latest prod image.

          GitLab Merge request - Specify API Server override port as 443

          GitLab Merge request - Specify API Server override port as 443

          Activity

            People

              agarcial@redhat.com Alberto Garcia Lamela
              mukrishn@redhat.com Murali Krishnasamy
              Jie Zhao Jie Zhao
              Votes:
              0 Vote for this issue
              Watchers:
              10 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: