Type: Bug
Status: Done
Resolution: Done-Errata
Priority: Major
Severity: Important
Version/s: 4.16, 4.17
Sprint: CFE Sprint 254, CFE Sprint 255, CFE Sprint 256, CFE Sprint 257
Release Note Type: Bug Fix
Description of problem:
Sometimes a DNS name configured in an EgressFirewall was not resolved.

Version-Release number of selected component (if applicable):
Using the build by: build openshift/cluster-network-operator#2131

How reproducible:

Steps to Reproduce:

% for i in {1..7};do oc create ns test$i;oc create -f data/egressfirewall/eg_policy_wildcard.yaml -n test$i; oc create -f data/list-for-pod.json -n test$i;sleep 1;done
namespace/test1 created
egressfirewall.k8s.ovn.org/default created
replicationcontroller/test-rc created
service/test-service created
namespace/test2 created
egressfirewall.k8s.ovn.org/default created
replicationcontroller/test-rc created
service/test-service created
namespace/test3 created
egressfirewall.k8s.ovn.org/default created
replicationcontroller/test-rc created
service/test-service created
namespace/test4 created
egressfirewall.k8s.ovn.org/default created
replicationcontroller/test-rc created
service/test-service created
namespace/test5 created
egressfirewall.k8s.ovn.org/default created
replicationcontroller/test-rc created
service/test-service created
namespace/test6 created
egressfirewall.k8s.ovn.org/default created
replicationcontroller/test-rc created
service/test-service created
namespace/test7 created
egressfirewall.k8s.ovn.org/default created
replicationcontroller/test-rc created
service/test-service created

% cat data/egressfirewall/eg_policy_wildcard.yaml
kind: EgressFirewall
apiVersion: k8s.ovn.org/v1
metadata:
  name: default
spec:
  egress:
  - type: Allow
    to:
      dnsName: "*.google.com"
  - type: Deny
    to:
      cidrSelector: 0.0.0.0/0

Then I created namespace test8, created an EgressFirewall and updated the DNS name; it worked well. Then I deleted test8. After that I created namespace test11 with the steps below, and the issue happened again.

% oc create ns test11
namespace/test11 created
% oc create -f data/list-for-pod.json -n test11
replicationcontroller/test-rc created
service/test-service created
% oc create -f data/egressfirewall/eg_policy_dnsname1.yaml -n test11
egressfirewall.k8s.ovn.org/default created
% oc get egressfirewall -n test11
NAME      EGRESSFIREWALL STATUS
default   EgressFirewall Rules applied
% oc get egressfirewall -n test11 -o yaml
apiVersion: v1
items:
- apiVersion: k8s.ovn.org/v1
  kind: EgressFirewall
  metadata:
    creationTimestamp: "2024-05-16T05:32:07Z"
    generation: 1
    name: default
    namespace: test11
    resourceVersion: "101288"
    uid: 18e60759-48bf-4337-ac06-2e3252f1223a
  spec:
    egress:
    - to:
        dnsName: registry-1.docker.io
      type: Allow
    - ports:
      - port: 80
        protocol: TCP
      to:
        dnsName: www.facebook.com
      type: Allow
    - to:
        cidrSelector: 0.0.0.0/0
      type: Deny
  status:
    messages:
    - 'hrw-0516i-d884f-worker-a-m7769: EgressFirewall Rules applied'
    - 'hrw-0516i-d884f-master-0.us-central1-b.c.openshift-qe.internal: EgressFirewall Rules applied'
    - 'hrw-0516i-d884f-worker-b-q4fsm: EgressFirewall Rules applied'
    - 'hrw-0516i-d884f-master-1.us-central1-c.c.openshift-qe.internal: EgressFirewall Rules applied'
    - 'hrw-0516i-d884f-master-2.us-central1-f.c.openshift-qe.internal: EgressFirewall Rules applied'
    - 'hrw-0516i-d884f-worker-c-4kvgr: EgressFirewall Rules applied'
    status: EgressFirewall Rules applied
kind: List
metadata:
  resourceVersion: ""
% oc get pods -n test11
NAME            READY   STATUS    RESTARTS   AGE
test-rc-ffg4g   1/1     Running   0          61s
test-rc-lw4r8   1/1     Running   0          61s
% oc rsh -n test11 test-rc-ffg4g
~ $ curl registry-1.docker.io -I
^C
~ $ curl www.facebook.com
^C
~ $
~ $ curl www.facebook.com --connect-timeout 5
curl: (28) Failed to connect to www.facebook.com port 80 after 2706 ms: Operation timed out
~ $ curl registry-1.docker.io --connect-timeout 5
curl: (28) Failed to connect to registry-1.docker.io port 80 after 4430 ms: Operation timed out
~ $ ^C
~ $ exit
command terminated with exit code 130
% oc get dnsnameresolver -n openshift-ovn-kubernetes
NAME             AGE
dns-67b687cfb5   7m47s
dns-696b6747d9   2m12s
dns-b6c74f6f4    2m12s
% oc get dnsnameresolver dns-696b6747d9 -n openshift-ovn-kubernetes -o yaml
apiVersion: network.openshift.io/v1alpha1
kind: DNSNameResolver
metadata:
  creationTimestamp: "2024-05-16T05:32:07Z"
  generation: 1
  name: dns-696b6747d9
  namespace: openshift-ovn-kubernetes
  resourceVersion: "101283"
  uid: a8546ad8-b16d-4d81-a943-46bdd0d82aa5
spec:
  name: www.facebook.com.

Actual results:
A DNS name such as www.facebook.com configured in the EgressFirewall did not get resolved to an IP.

Expected results:
EgressFirewall works as expected.

Additional info:
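As an added example (not code from the bug report, OVN-Kubernetes or the DNS operator), a small audit that cross-checks every EgressFirewall dnsName rule against the DNSNameResolver objects and flags the two conditions a cluster admin would want to catch here: a resolver that exists but has never published an address (the www.facebook.com case above, where the EgressFirewall still reports "Rules applied"), or no resolver at all. The status layout status.resolvedNames[].resolvedAddresses[].ip is assumed from the network.openshift.io/v1alpha1 DNSNameResolver API, which the report does not show, and the sample input is constructed.

```python
"""Cross-check EgressFirewall dnsName rules against DNSNameResolver objects.
Input: parsed JSON of `oc get egressfirewall -A -o json` and
`oc get dnsnameresolver -n openshift-ovn-kubernetes -o json`. The layout
status.resolvedNames[].resolvedAddresses[].ip is ASSUMED from the
network.openshift.io/v1alpha1 API; the report shows resolvers with no status."""

def normalize(name: str) -> str:
    # DNSNameResolver stores FQDNs with a trailing dot ("www.facebook.com.");
    # EgressFirewall rules are written without it, so compare canonical forms.
    return name.lower().rstrip(".")

def resolver_index(resolvers: dict) -> dict:
    """Map canonical spec.name -> set of IPs the resolver has published."""
    index = {}
    for r in resolvers.get("items", []):
        ips = set()
        for rn in r.get("status", {}).get("resolvedNames", []):
            ips.update(a["ip"] for a in rn.get("resolvedAddresses", []))
        index[normalize(r["spec"]["name"])] = ips
    return index

def audit(firewalls: dict, resolvers: dict) -> list:
    """Return (namespace, dnsName, problem) for dnsName rules that cannot match."""
    index = resolver_index(resolvers)
    findings = []
    for ef in firewalls.get("items", []):
        ns = ef["metadata"]["namespace"]
        for rule in ef["spec"].get("egress", []):
            dns = rule.get("to", {}).get("dnsName")
            if not dns:
                continue  # cidrSelector rules need no resolver
            key = normalize(dns)
            if key not in index:
                findings.append((ns, dns, "no DNSNameResolver"))
            elif not index[key]:
                # Resolver exists but never published an address: the EgressFirewall
                # still reports "Rules applied", yet the Allow rule matches no IP.
                findings.append((ns, dns, "resolver has no resolved addresses"))
    return findings

# Constructed sample mirroring the report: test11 has two dnsName rules, a
# status-less resolver exists for www.facebook.com., none for registry-1.docker.io.
SAMPLE_EF = {"items": [{"metadata": {"namespace": "test11"}, "spec": {"egress": [
    {"type": "Allow", "to": {"dnsName": "registry-1.docker.io"}},
    {"type": "Allow", "ports": [{"port": 80, "protocol": "TCP"}], "to": {"dnsName": "www.facebook.com"}},
    {"type": "Deny", "to": {"cidrSelector": "0.0.0.0/0"}}]}}]}
SAMPLE_DNR = {"items": [{"spec": {"name": "www.facebook.com."}},
    {"spec": {"name": "*.google.com."}, "status": {"resolvedNames": [
        {"dnsName": "www.google.com.", "resolvedAddresses": [{"ip": "192.0.2.10"}]}]}}]}
```

Run `audit(SAMPLE_EF, SAMPLE_DNR)` to see both findings for test11; against a live cluster, feed it the two `oc get ... -o json` outputs instead of the constructed dicts.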
Issue links:
- blocks: OCPBUGS-37078 [backport 4.16] Sometimes dns name configured in EgressFirewall was not resolved (Closed)
- is blocked by: OCPBUGS-34918 Bump go version from 1.21 to 1.22 of build_root image for the coredns-ocp-dnsnamresolver repo (Closed)
- is cloned by: OCPBUGS-37078 [backport 4.16] Sometimes dns name configured in EgressFirewall was not resolved (Closed)
- is duplicated by: OCPBUGS-36381 [TP]Memory leak in openshift-dns namespace during egressfirewall testing (Closed)
- is related to: OCPBUGS-36381 [TP]Memory leak in openshift-dns namespace during egressfirewall testing (Closed)
- links to: RHEA-2024:3718 OpenShift Container Platform 4.17.z bug fix update