Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-33750

Sometimes dns name configured in EgressFirewall was not resolved

XMLWordPrintable

    • +
    • Important
    • No
    • 2
    • CFE Sprint 254, CFE Sprint 255, CFE Sprint 256, CFE Sprint 257
    • 4
    • Rejected
    • False
    • Hide

      None

      Show
      None
    • Hide
      * Previously, the `DNSNameResolver` controller sent DNS requests to CoreDNS pods for DNS names that had IP addresses with expired time-to-live (TTL) values. This caused a continuous generation of DNS requests and memory leak issues for those pods. With this release, the `DNSNameResolver` controller waits until it receives the updated list of IP addresses and TTL values for a DNS name before sending any more requests to the DNS name. As a result, the controller no longer generates erroneous requests and sends them to pods. CoreDNS pods can now respond to DNS requests in a timely manner and update the `DNSNameResolver` objects with the latest IP addresses and TTLs. (link:https://issues.redhat.com/browse/OCPBUGS-33750[*OCPBUGS-33750*])
      Show
      * Previously, the `DNSNameResolver` controller sent DNS requests to CoreDNS pods for DNS names that had IP addresses with expired time-to-live (TTL) values. This caused a continuous generation of DNS requests and memory leak issues for those pods. With this release, the `DNSNameResolver` controller waits until it receives the updated list of IP addresses and TTL values for a DNS name before sending any more requests to the DNS name. As a result, the controller no longer generates erroneous requests and sends them to pods. CoreDNS pods can now respond to DNS requests in a timely manner and update the `DNSNameResolver` objects with the latest IP addresses and TTLs. (link: https://issues.redhat.com/browse/OCPBUGS-33750 [* OCPBUGS-33750 *])
    • Bug Fix
    • Done

      Description of problem:

      Sometimes dns name configured in EgressFirewall was not resolved
          

      Version-Release number of selected component (if applicable):

      Using the build by
      {code:java}
       build openshift/cluster-network-operator#2131
      
          How reproducible:{code:none}
      
          

      Steps to Reproduce:

        
      
          % for i in {1..7};do oc create ns test$i;oc create -f  data/egressfirewall/eg_policy_wildcard.yaml -n test$i; oc create -f data/list-for-pod.json -n test$i;sleep 1;done
          namespace/test1 created
          egressfirewall.k8s.ovn.org/default created
          replicationcontroller/test-rc created
          service/test-service created
          namespace/test2 created
          egressfirewall.k8s.ovn.org/default created
          replicationcontroller/test-rc created
          service/test-service created
          namespace/test3 created
          egressfirewall.k8s.ovn.org/default created
          replicationcontroller/test-rc created
          service/test-service created
          namespace/test4 created
          egressfirewall.k8s.ovn.org/default created
          replicationcontroller/test-rc created
          service/test-service created
          namespace/test5 created
          egressfirewall.k8s.ovn.org/default created
          replicationcontroller/test-rc created
          service/test-service created
          namespace/test6 created
          egressfirewall.k8s.ovn.org/default created
          replicationcontroller/test-rc created
          service/test-service created
          namespace/test7 created
          egressfirewall.k8s.ovn.org/default created
          replicationcontroller/test-rc created
          service/test-service created
           
          % cat data/egressfirewall/eg_policy_wildcard.yaml
          kind: EgressFirewall
          apiVersion: k8s.ovn.org/v1
          metadata:
            name: default
          spec:
            egress:
            - type: Allow
              to:
                dnsName: "*.google.com" 
            - type: Deny 
              to:
                cidrSelector: 0.0.0.0/0
           
           
          Then I created namespace test8, created egressfirewall and updated dns anme,it worked well. Then I deleted test8
           
          After that I created namespace test11 as below steps, the issue happened again.
           % oc create ns test11
          namespace/test11 created
          % oc create -f data/list-for-pod.json -n test11
          replicationcontroller/test-rc created
          service/test-service created
          % oc create -f data/egressfirewall/eg_policy_dnsname1.yaml -n test11
          egressfirewall.k8s.ovn.org/default created
          % oc get egressfirewall -n test11
          NAME      EGRESSFIREWALL STATUS
          default   EgressFirewall Rules applied
           % oc get egressfirewall -n test11 -o yaml
          apiVersion: v1
          items:
          - apiVersion: k8s.ovn.org/v1
            kind: EgressFirewall
            metadata:
              creationTimestamp: "2024-05-16T05:32:07Z"
              generation: 1
              name: default
              namespace: test11
              resourceVersion: "101288"
              uid: 18e60759-48bf-4337-ac06-2e3252f1223a
            spec:
              egress:
              - to:
                  dnsName: registry-1.docker.io
                type: Allow
              - ports:
                - port: 80
                  protocol: TCP
                to:
                  dnsName: www.facebook.com
                type: Allow
              - to:
                  cidrSelector: 0.0.0.0/0
                type: Deny
            status:
              messages:
              - 'hrw-0516i-d884f-worker-a-m7769: EgressFirewall Rules applied'
              - 'hrw-0516i-d884f-master-0.us-central1-b.c.openshift-qe.internal: EgressFirewall
                Rules applied'
              - 'hrw-0516i-d884f-worker-b-q4fsm: EgressFirewall Rules applied'
              - 'hrw-0516i-d884f-master-1.us-central1-c.c.openshift-qe.internal: EgressFirewall
                Rules applied'
              - 'hrw-0516i-d884f-master-2.us-central1-f.c.openshift-qe.internal: EgressFirewall
                Rules applied'
              - 'hrw-0516i-d884f-worker-c-4kvgr: EgressFirewall Rules applied'
              status: EgressFirewall Rules applied
          kind: List
          metadata:
            resourceVersion: ""
           % oc get pods -n test11                  
          NAME            READY   STATUS    RESTARTS   AGE
          test-rc-ffg4g   1/1     Running   0          61s
          test-rc-lw4r8   1/1     Running   0          61s
           % oc rsh -n test11 test-rc-ffg4g
          ~ $ curl registry-1.docker.io -I
           
          ^C
          ~ $ curl www.facebook.com
          ^C
          ~ $ 
          ~ $ curl www.facebook.com --connect-timeout 5
          curl: (28) Failed to connect to www.facebook.com port 80 after 2706 ms: Operation timed out
          ~ $ curl registry-1.docker.io --connect-timeout 5
          curl: (28) Failed to connect to registry-1.docker.io port 80 after 4430 ms: Operation timed out
          ~ $ ^C
          ~ $ exit
          command terminated with exit code 130
          % oc get dnsnameresolver     -n openshift-ovn-kubernetes         
          NAME             AGE
          dns-67b687cfb5   7m47s
          dns-696b6747d9   2m12s
          dns-b6c74f6f4    2m12s
           
           % oc get dnsnameresolver  dns-696b6747d9  -n openshift-ovn-kubernetes  -o yaml
          apiVersion: network.openshift.io/v1alpha1
          kind: DNSNameResolver
          metadata:
            creationTimestamp: "2024-05-16T05:32:07Z"
            generation: 1
            name: dns-696b6747d9
            namespace: openshift-ovn-kubernetes
            resourceVersion: "101283"
            uid: a8546ad8-b16d-4d81-a943-46bdd0d82aa5
          spec:
            name: www.facebook.com.
       % oc get dnsnameresolver  dns-696b6747d9  -n openshift-ovn-kubernetes  -o yaml
          apiVersion: network.openshift.io/v1alpha1
          kind: DNSNameResolver
          metadata:
            creationTimestamp: "2024-05-16T05:32:07Z"
            generation: 1
            name: dns-696b6747d9
            namespace: openshift-ovn-kubernetes
            resourceVersion: "101283"
            uid: a8546ad8-b16d-4d81-a943-46bdd0d82aa5
          spec:
            name: www.facebook.com.
           
           % oc get dnsnameresolver  dns-696b6747d9  -n openshift-ovn-kubernetes  -o yaml
          apiVersion: network.openshift.io/v1alpha1
          kind: DNSNameResolver
          metadata:
            creationTimestamp: "2024-05-16T05:32:07Z"
            generation: 1
            name: dns-696b6747d9
            namespace: openshift-ovn-kubernetes
            resourceVersion: "101283"
            uid: a8546ad8-b16d-4d81-a943-46bdd0d82aa5
          spec:
            name: www.facebook.com.
      
      
          

      Actual results:

      The dns name like www.facebook.com configured in egressfirewall didn't get resolved to IP
          

      Expected results:

      EgressFirewall works as expected.
       
         

      Additional info:

      
          

            rh-ee-arsen Arkadeep Sen
            huirwang Huiran Wang
            Melvin Joseph Melvin Joseph
            Darragh Fitzmaurice Darragh Fitzmaurice
            Votes:
            0 Vote for this issue
            Watchers:
            8 Start watching this issue

              Created:
              Updated:
              Resolved: