OCPBUGS-37078

[backport 4.16] Sometimes a DNS name configured in EgressFirewall was not resolved


    • Important
    • No
    • 2
    • CFE Sprint 256, CFE Sprint 257
    • 2
    • Rejected
    • False
    • Previously, the DNS-based egress firewall incorrectly caused memory increases for nodes running in a cluster because of multiple retry operations. With this release, the retry logic is fixed so that DNS pods no longer leak excess memory to nodes. (link:https://issues.redhat.com/browse/OCPBUGS-37078[*OCPBUGS-37078*])
    • Bug Fix
    • Done

      This is a clone of issue OCPBUGS-33750. The following is the description of the original issue:

      Description of problem:

      Sometimes a DNS name configured in EgressFirewall was not resolved.


      Version-Release number of selected component (if applicable):

      Using the build by openshift/cluster-network-operator#2131

      How reproducible:


      Steps to Reproduce:

        
      
          % for i in {1..7};do oc create ns test$i;oc create -f  data/egressfirewall/eg_policy_wildcard.yaml -n test$i; oc create -f data/list-for-pod.json -n test$i;sleep 1;done
          namespace/test1 created
          egressfirewall.k8s.ovn.org/default created
          replicationcontroller/test-rc created
          service/test-service created
          namespace/test2 created
          egressfirewall.k8s.ovn.org/default created
          replicationcontroller/test-rc created
          service/test-service created
          namespace/test3 created
          egressfirewall.k8s.ovn.org/default created
          replicationcontroller/test-rc created
          service/test-service created
          namespace/test4 created
          egressfirewall.k8s.ovn.org/default created
          replicationcontroller/test-rc created
          service/test-service created
          namespace/test5 created
          egressfirewall.k8s.ovn.org/default created
          replicationcontroller/test-rc created
          service/test-service created
          namespace/test6 created
          egressfirewall.k8s.ovn.org/default created
          replicationcontroller/test-rc created
          service/test-service created
          namespace/test7 created
          egressfirewall.k8s.ovn.org/default created
          replicationcontroller/test-rc created
          service/test-service created
           
          % cat data/egressfirewall/eg_policy_wildcard.yaml
          kind: EgressFirewall
          apiVersion: k8s.ovn.org/v1
          metadata:
            name: default
          spec:
            egress:
            - type: Allow
              to:
                dnsName: "*.google.com" 
            - type: Deny 
              to:
                cidrSelector: 0.0.0.0/0
           
           
          Then I created namespace test8, created an egressfirewall and updated the DNS name; it worked well. Then I deleted test8.
           
          After that I created namespace test11 with the steps below, and the issue happened again.
           % oc create ns test11
          namespace/test11 created
          % oc create -f data/list-for-pod.json -n test11
          replicationcontroller/test-rc created
          service/test-service created
          % oc create -f data/egressfirewall/eg_policy_dnsname1.yaml -n test11
          egressfirewall.k8s.ovn.org/default created
          % oc get egressfirewall -n test11
          NAME      EGRESSFIREWALL STATUS
          default   EgressFirewall Rules applied
           % oc get egressfirewall -n test11 -o yaml
          apiVersion: v1
          items:
          - apiVersion: k8s.ovn.org/v1
            kind: EgressFirewall
            metadata:
              creationTimestamp: "2024-05-16T05:32:07Z"
              generation: 1
              name: default
              namespace: test11
              resourceVersion: "101288"
              uid: 18e60759-48bf-4337-ac06-2e3252f1223a
            spec:
              egress:
              - to:
                  dnsName: registry-1.docker.io
                type: Allow
              - ports:
                - port: 80
                  protocol: TCP
                to:
                  dnsName: www.facebook.com
                type: Allow
              - to:
                  cidrSelector: 0.0.0.0/0
                type: Deny
            status:
              messages:
              - 'hrw-0516i-d884f-worker-a-m7769: EgressFirewall Rules applied'
              - 'hrw-0516i-d884f-master-0.us-central1-b.c.openshift-qe.internal: EgressFirewall
                Rules applied'
              - 'hrw-0516i-d884f-worker-b-q4fsm: EgressFirewall Rules applied'
              - 'hrw-0516i-d884f-master-1.us-central1-c.c.openshift-qe.internal: EgressFirewall
                Rules applied'
              - 'hrw-0516i-d884f-master-2.us-central1-f.c.openshift-qe.internal: EgressFirewall
                Rules applied'
              - 'hrw-0516i-d884f-worker-c-4kvgr: EgressFirewall Rules applied'
              status: EgressFirewall Rules applied
          kind: List
          metadata:
            resourceVersion: ""
           % oc get pods -n test11                  
          NAME            READY   STATUS    RESTARTS   AGE
          test-rc-ffg4g   1/1     Running   0          61s
          test-rc-lw4r8   1/1     Running   0          61s
           % oc rsh -n test11 test-rc-ffg4g
          ~ $ curl registry-1.docker.io -I
           
          ^C
          ~ $ curl www.facebook.com
          ^C
          ~ $ 
          ~ $ curl www.facebook.com --connect-timeout 5
          curl: (28) Failed to connect to www.facebook.com port 80 after 2706 ms: Operation timed out
          ~ $ curl registry-1.docker.io --connect-timeout 5
          curl: (28) Failed to connect to registry-1.docker.io port 80 after 4430 ms: Operation timed out
          ~ $ ^C
          ~ $ exit
          command terminated with exit code 130
          % oc get dnsnameresolver     -n openshift-ovn-kubernetes         
          NAME             AGE
          dns-67b687cfb5   7m47s
          dns-696b6747d9   2m12s
          dns-b6c74f6f4    2m12s
           
           % oc get dnsnameresolver  dns-696b6747d9  -n openshift-ovn-kubernetes  -o yaml
          apiVersion: network.openshift.io/v1alpha1
          kind: DNSNameResolver
          metadata:
            creationTimestamp: "2024-05-16T05:32:07Z"
            generation: 1
            name: dns-696b6747d9
            namespace: openshift-ovn-kubernetes
            resourceVersion: "101283"
            uid: a8546ad8-b16d-4d81-a943-46bdd0d82aa5
          spec:
            name: www.facebook.com.

      Actual results:

      A DNS name like www.facebook.com configured in the EgressFirewall did not get resolved to an IP.


      Expected results:

      EgressFirewall works as expected.
       
         

      Additional info:

      
          
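As an added triage check (not part of this bug report or of the project's own code): given the JSON that `oc get egressfirewall -o json` and `oc get dnsnameresolver -n openshift-ovn-kubernetes -o json` return, it flags every EgressFirewall `dnsName` whose DNSNameResolver is either absent or carries no resolved address, which is the state shown above where the EgressFirewall status reads "Rules applied" while the resolver object has no status at all. It assumes the DNSNameResolver status layout `status.resolvedNames[].resolvedAddresses[].ip`; the embedded JSON is constructed sample data modelled on the objects in the report.

```python
import json

# Constructed sample data (not from the bug report): the shape of
# `oc get egressfirewall -n test11 -o json` and
# `oc get dnsnameresolver -n openshift-ovn-kubernetes -o json`.
EGRESSFIREWALLS = json.loads("""{"items": [{"spec": {"egress": [
  {"type": "Allow", "to": {"dnsName": "registry-1.docker.io"}},
  {"type": "Allow", "to": {"dnsName": "www.facebook.com"},
   "ports": [{"port": 80, "protocol": "TCP"}]},
  {"type": "Allow", "to": {"dnsName": "*.google.com"}},
  {"type": "Deny", "to": {"cidrSelector": "0.0.0.0/0"}}]}}]}""")
RESOLVERS = json.loads("""{"items": [
  {"spec": {"name": "registry-1.docker.io."},
   "status": {"resolvedNames": [{"dnsName": "registry-1.docker.io.",
     "resolvedAddresses": [{"ip": "192.0.2.10", "ttlSeconds": 60}]}]}},
  {"spec": {"name": "www.facebook.com."}}]}""")


def norm(name: str) -> str:
    """DNSNameResolver stores names with a trailing dot; EgressFirewall
    rules usually omit it, so compare lower-cased names without it."""
    return name.strip().lower().rstrip(".")


def egressfirewall_dns_names(ef_list: dict) -> set:
    """Every dnsName referenced by a rule in the EgressFirewall list."""
    return {norm(rule["to"]["dnsName"])
            for ef in ef_list.get("items", [])
            for rule in ef.get("spec", {}).get("egress", [])
            if rule.get("to", {}).get("dnsName")}


def resolved_ips(resolver_list: dict) -> dict:
    """spec.name -> IPs from status.resolvedNames[].resolvedAddresses[].ip
    (assumed status layout; an object with no status yields [])."""
    ips = {}
    for r in resolver_list.get("items", []):
        addrs = [a.get("ip") for rn in r.get("status", {}).get("resolvedNames", [])
                 for a in rn.get("resolvedAddresses", [])]
        ips[norm(r["spec"]["name"])] = [ip for ip in addrs if ip]
    return ips


def unresolved_dns_names(ef_list: dict, resolver_list: dict) -> dict:
    """Flag dnsNames that cannot currently be enforced by IP:
    'missing' = no DNSNameResolver carries the name, 'unresolved' = one
    does but has no resolved address (the state seen in the report)."""
    ips = resolved_ips(resolver_list)
    return {n: ("missing" if n not in ips else "unresolved")
            for n in egressfirewall_dns_names(ef_list) if not ips.get(n)}
```

Run `unresolved_dns_names` over live `oc ... -o json` output for each namespace that carries an EgressFirewall; any name it reports is one whose Allow rule is not actually programmed with addresses yet.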

            rh-ee-arsen Arkadeep Sen
            openshift-crt-jira-prow OpenShift Prow Bot
            Melvin Joseph Melvin Joseph
            Votes: 0
            Watchers: 9