OpenShift Bugs: OCPBUGS-39317

HyperShift not creating network policy to allow traffic on ignition-server-proxy pods

Sprint: Hypershift Sprint 260

      The following network policies get created by default when an HCP is deployed with the None platform.

      $ hypershift create cluster none --arch "amd64" --external-api-server-address "api.hcp.aygarg.example.com" --base-domain "aygarg.example.com" --base-domain-prefix "none" --cluster-cidr "10.132.0.0/14" --service-cidr "172.31.0.0/16" --network-type "OVNKubernetes" --control-plane-availability-policy "HighlyAvailable" --infra-id "hcp" --name "hcp" --namespace "clusters" --pull-secret "/Users/ayush/OCP-4.16.3/pull-secret.txt" --release-image "quay.io/openshift-release-dev/ocp-release:4.16.3-x86_64" --ssh-key "/Users/ayush/.ssh/id_rsa.pub"
      
      $ oc describe netpol
      Name:         kas
      Namespace:    clusters-hcp
      Created on:   2024-08-31 02:45:33 +0530 IST
      Labels:       <none>
      Annotations:  hypershift.openshift.io/cluster: clusters/hcp
      Spec:
        PodSelector:     app=kube-apiserver
        Allowing ingress traffic:
          To Port: 6443/TCP
          From: <any> (traffic not restricted by source)
        Not affecting egress traffic
        Policy Types: Ingress
      
      
      Name:         nodeport-ignition
      Namespace:    clusters-hcp
      Created on:   2024-08-31 02:45:33 +0530 IST
      Labels:       <none>
      Annotations:  hypershift.openshift.io/cluster: clusters/hcp
      Spec:
        PodSelector:     app=ignition-server
        Allowing ingress traffic:
          To Port: 9090/TCP
          From: <any> (traffic not restricted by source)
        Not affecting egress traffic
        Policy Types: Ingress
      
      
      Name:         nodeport-konnectivity
      Namespace:    clusters-hcp
      Created on:   2024-08-31 02:45:33 +0530 IST
      Labels:       <none>
      Annotations:  hypershift.openshift.io/cluster: clusters/hcp
      Spec:
        PodSelector:     app=konnectivity-server
        Allowing ingress traffic:
          To Port: 8091/TCP
          From: <any> (traffic not restricted by source)
        Not affecting egress traffic
        Policy Types: Ingress
      
      
      Name:         nodeport-oauth
      Namespace:    clusters-hcp
      Created on:   2024-08-31 02:45:33 +0530 IST
      Labels:       <none>
      Annotations:  hypershift.openshift.io/cluster: clusters/hcp
      Spec:
        PodSelector:     app=oauth-openshift
        Allowing ingress traffic:
          To Port: 6443/TCP
          From: <any> (traffic not restricted by source)
        Not affecting egress traffic
        Policy Types: Ingress
      
      
      Name:         openshift-ingress
      Namespace:    clusters-hcp
      Created on:   2024-08-31 02:45:33 +0530 IST
      Labels:       <none>
      Annotations:  hypershift.openshift.io/cluster: clusters/hcp
      Spec:
        PodSelector:     <none> (Allowing the specific traffic to all pods in this namespace)
        Allowing ingress traffic:
          To Port: <any> (traffic allowed to all ports)
          From:
            NamespaceSelector: network.openshift.io/policy-group=ingress
        Not affecting egress traffic
        Policy Types: Ingress
      
      
      Name:         openshift-monitoring
      Namespace:    clusters-hcp
      Created on:   2024-08-31 02:45:33 +0530 IST
      Labels:       <none>
      Annotations:  hypershift.openshift.io/cluster: clusters/hcp
      Spec:
        PodSelector:     <none> (Allowing the specific traffic to all pods in this namespace)
        Allowing ingress traffic:
          To Port: <any> (traffic allowed to all ports)
          From:
            NamespaceSelector: network.openshift.io/policy-group=monitoring
        Not affecting egress traffic
        Policy Types: Ingress
      
      
      Name:         same-namespace
      Namespace:    clusters-hcp
      Created on:   2024-08-31 02:45:33 +0530 IST
      Labels:       <none>
      Annotations:  hypershift.openshift.io/cluster: clusters/hcp
      Spec:
        PodSelector:     <none> (Allowing the specific traffic to all pods in this namespace)
        Allowing ingress traffic:
          To Port: <any> (traffic allowed to all ports)
          From:
            PodSelector: <none>
        Not affecting egress traffic
        Policy Types: Ingress

      There is, however, no netpol allowing traffic to the ignition-server-proxy pods, for which a NodePort SVC is present; as expected, the request to the HCP ignition endpoint therefore times out.

      $ oc get svc ignition-server-proxy
      NAME                    TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)         AGE
      ignition-server-proxy   NodePort   172.30.97.146   <none>        443:32658/TCP   8m57s
      
      $ oc describe svc ignition-server-proxy
      Name:                     ignition-server-proxy
      Namespace:                clusters-hcp
      Labels:                   <none>
      Annotations:              <none>
      Selector:                 app=ignition-server-proxy
      Type:                     NodePort
      IP Family Policy:         SingleStack
      IP Families:              IPv4
      IP:                       172.30.97.146
      IPs:                      172.30.97.146
      Port:                     https  443/TCP
      TargetPort:               https/TCP
      NodePort:                 https  32658/TCP
      Endpoints:                10.128.2.57:8443,10.129.2.108:8443,10.131.0.63:8443
      Session Affinity:         None
      External Traffic Policy:  Cluster
      Events:                   <none>
      
      $ curl -v -k -H "Authorization: Bearer ZDQ0MDVjNDktZTNlMy00ZjU1LWFlMDEtYmVmYmRlOTRlNDk0" https://api.hcp.aygarg.indiashift.support:32658/ignition
      * Host api.hcp.aygarg.indiashift.support:32658 was resolved.
      * IPv6: (none)
      * IPv4: 10.0.88.191, 10.0.21.43, 10.0.51.54
      *   Trying 10.0.88.191:32658.. 

      It works only after manually creating a network policy to allow the traffic.

      $ cat ignition-netpol
      apiVersion: networking.k8s.io/v1
      kind: NetworkPolicy
      metadata:
        name: nodeport-ignition-proxy
        namespace: clusters-hcp
      spec:
        ingress:
        - ports:
          - port: 8443
            protocol: TCP
        podSelector:
          matchLabels:
            app: ignition-server-proxy
        policyTypes:
        - Ingress
      
      
      $ oc create -f ignition-netpol
      networkpolicy.networking.k8s.io/nodeport-ignition-proxy created 
      
      $ curl -v -k -H "Authorization: Bearer ZDQ0MDVjNDktZTNlMy00ZjU1LWFlMDEtYmVmYmRlOTRlNDk0" https://api.hcp.aygarg.indiashift.support:32658/ignition
      * Host api.hcp.aygarg.indiashift.support:32658 was resolved.
      * IPv6: (none)
      * IPv4: 10.0.51.54, 10.0.88.191, 10.0.21.43
      *   Trying 10.0.51.54:32658...
      * Connected to api.hcp.aygarg.indiashift.support (10.0.51.54) port 32658
      * ALPN: curl offers h2,http/1.1
      * TLSv1.3 (OUT), TLS handshake, Client hello (1):
      * TLSv1.3 (IN), TLS handshake, Server hello (2):
      * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
      * TLSv1.3 (IN), TLS handshake, Certificate (11):
      * TLSv1.3 (IN), TLS handshake, CERT verify (15):
      * TLSv1.3 (IN), TLS handshake, Finished (20):
      * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
      * TLSv1.3 (OUT), TLS handshake, Finished (20):
      * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / X25519 / RSASSA-PSS
      * ALPN: server accepted http/1.1
      * Server certificate:
      *  subject: O=openshift; CN=ignition-server
      *  start date: Aug 30 21:16:43 2024 GMT
      *  expire date: Aug 30 21:16:43 2025 GMT
      *  issuer: OU=openshift; CN=ignition-root-ca
      *  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
      *   Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
      * using HTTP/1.x
      > GET /ignition HTTP/1.1
      > Host: api.hcp.aygarg.indiashift.support:32658
      > User-Agent: curl/8.5.0
      > Accept: */*
      > Authorization: Bearer ZDQ0MDVjNDktZTNlMy00ZjU1LWFlMDEtYmVmYmRlOTRlNDk0
      >
      * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
      * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
      * old SSL session ID is stale, removing
      < HTTP/1.1 200 OK
      < date: Fri, 30 Aug 2024 21:28:27 GMT
      < content-type: text/plain; charset=utf-8
      < transfer-encoding: chunked
      <
      {"ignition"
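The gap this report describes can be detected mechanically rather than by waiting for a timeout. The script below is an added example, not HyperShift's own code: it walks the Services, NetworkPolicies and Pods of a control-plane namespace (as dumped by `oc -n clusters-hcp get svc,netpol,pods -o json`) and reports every NodePort target port that no policy admits from outside the cluster. It follows Kubernetes semantics in treating a pod selected by no ingress policy as non-isolated, resolves a named targetPort such as `https` through the pod's container ports (443 -> 8443 here), and counts only rules with no `from` or with an `ipBlock` peer as reaching an external NodePort client, since `podSelector` and `namespaceSelector` peers never match one. The embedded sample input is constructed from the objects shown above; the Pod objects, the pod and container names, and the contrasting kube-apiserver NodePort Service are assumed rather than observed.

```python
"""Report NodePort Services in a HyperShift control-plane namespace whose backing
pods have no NetworkPolicy admitting ingress on the Service's target port.
Added example, not HyperShift code.  Usage:
    oc -n clusters-hcp get svc,netpol,pods -o json > hcp.json
    python3 netpol_gap.py hcp.json
With no argument it runs on SAMPLE, constructed from the objects in this report.
"""
import json
import sys
from typing import List, Optional, Tuple


def labels_match(selector: dict, labels: dict) -> bool:
    """matchLabels-only selector; an empty selector selects every pod."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def resolve_target_port(svc_port: dict, pod: dict) -> Tuple[Optional[int], Optional[str], str]:
    """(number, name, protocol) of the container port a Service port lands on.
    targetPort may be numeric or a container-port name ("https" -> 8443 here)."""
    target = svc_port.get("targetPort", svc_port["port"])
    proto = svc_port.get("protocol", "TCP")
    for c in pod["spec"].get("containers", []):
        for p in c.get("ports", []):
            if target in (p.get("name"), p.get("containerPort")):
                return p["containerPort"], p.get("name"), p.get("protocol", "TCP")
    return (target, None, proto) if isinstance(target, int) else (None, None, proto)


def selects_ingress(policy: dict, labels: dict) -> bool:
    """Does this policy isolate the pod for ingress?  Ingress is implied when policyTypes is omitted."""
    spec = policy["spec"]
    return "Ingress" in (spec.get("policyTypes") or ["Ingress"]) and labels_match(spec.get("podSelector", {}), labels)


def rule_admits_external(rule: dict) -> bool:
    """NodePort clients are outside the cluster: only a rule with no `from` (any source)
    or an ipBlock peer can admit them; pod/namespace selector peers never match them."""
    peers = rule.get("from") or []
    return not peers or any("ipBlock" in p for p in peers)


def rule_covers_port(rule: dict, num: int, name: Optional[str], proto: str) -> bool:
    ports = rule.get("ports")
    if not ports:
        return True  # no ports listed: every port
    return any((p.get("port") is None or p["port"] in (num, name)) and p.get("protocol", "TCP") == proto
               for p in ports)


def uncovered_nodeports(objects: List[dict]) -> List[str]:
    """One finding per (NodePort Service port, backend pod) that no policy admits from outside
    the cluster.  Pods selected by no ingress policy are non-isolated and yield no finding."""
    def by_kind(kind):
        return [o for o in objects if o["kind"] == kind]
    findings = []
    for svc in (s for s in by_kind("Service") if s["spec"].get("type") == "NodePort"):
        ns, selector = svc["metadata"]["namespace"], {"matchLabels": svc["spec"].get("selector", {})}
        policies = [p for p in by_kind("NetworkPolicy") if p["metadata"]["namespace"] == ns]
        for pod in by_kind("Pod"):
            labels = pod["metadata"].get("labels", {})
            if pod["metadata"]["namespace"] != ns or not labels_match(selector, labels):
                continue
            isolating = [p for p in policies if selects_ingress(p, labels)]
            if not isolating:
                continue
            for sp in svc["spec"]["ports"]:
                num, name, proto = resolve_target_port(sp, pod)
                admitted = num is not None and any(
                    rule_admits_external(r) and rule_covers_port(r, num, name, proto)
                    for p in isolating for r in p["spec"].get("ingress", []))
                if not admitted:
                    findings.append(f"{ns}/{svc['metadata']['name']} nodePort {sp.get('nodePort')} "
                                    f"-> pod {pod['metadata']['name']} {num or sp.get('targetPort')}/{proto}")
    return sorted(findings)


# Constructed input.  The ignition-server-proxy Service and the kas, same-namespace and
# openshift-ingress policies are trimmed from the output in the report; the Pods and the
# kube-apiserver NodePort Service (kept for contrast) are assumed, not observed.
NS = "clusters-hcp"
SAMPLE = [
    {"kind": "Service", "metadata": {"name": "ignition-server-proxy", "namespace": NS},
     "spec": {"type": "NodePort", "selector": {"app": "ignition-server-proxy"},
              "ports": [{"name": "https", "port": 443, "targetPort": "https", "protocol": "TCP", "nodePort": 32658}]}},
    {"kind": "Service", "metadata": {"name": "kube-apiserver", "namespace": NS},
     "spec": {"type": "NodePort", "selector": {"app": "kube-apiserver"},
              "ports": [{"name": "client", "port": 6443, "targetPort": 6443, "protocol": "TCP", "nodePort": 30443}]}},
    {"kind": "Pod", "metadata": {"name": "ignition-server-proxy-0", "namespace": NS, "labels": {"app": "ignition-server-proxy"}},
     "spec": {"containers": [{"name": "proxy", "ports": [{"name": "https", "containerPort": 8443, "protocol": "TCP"}]}]}},
    {"kind": "Pod", "metadata": {"name": "kube-apiserver-0", "namespace": NS, "labels": {"app": "kube-apiserver"}},
     "spec": {"containers": [{"name": "kube-apiserver", "ports": [{"name": "client", "containerPort": 6443, "protocol": "TCP"}]}]}},
    {"kind": "NetworkPolicy", "metadata": {"name": "kas", "namespace": NS},
     "spec": {"podSelector": {"matchLabels": {"app": "kube-apiserver"}}, "policyTypes": ["Ingress"],
              "ingress": [{"ports": [{"port": 6443, "protocol": "TCP"}]}]}},
    {"kind": "NetworkPolicy", "metadata": {"name": "same-namespace", "namespace": NS},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"], "ingress": [{"from": [{"podSelector": {}}]}]}},
    {"kind": "NetworkPolicy", "metadata": {"name": "openshift-ingress", "namespace": NS},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"],
              "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"network.openshift.io/policy-group": "ingress"}}}]}]}},
]

# The policy the report creates by hand; adding it to the input clears the finding.
FIX = {"kind": "NetworkPolicy", "metadata": {"name": "nodeport-ignition-proxy", "namespace": NS},
       "spec": {"podSelector": {"matchLabels": {"app": "ignition-server-proxy"}}, "policyTypes": ["Ingress"],
                "ingress": [{"ports": [{"port": 8443, "protocol": "TCP"}]}]}}

if __name__ == "__main__":
    objects = json.load(open(sys.argv[1]))["items"] if len(sys.argv) > 1 else SAMPLE
    for line in uncovered_nodeports(objects) or ["no uncovered NodePort targets"]:
        print(line)
```

On the sample it reports the single ignition-server-proxy target on 8443/TCP and nothing once the hand-written nodeport-ignition-proxy policy is added. Note that this policy, like the existing nodeport-* policies for kube-apiserver, oauth and konnectivity, admits the target port from any source; access control on the ignition endpoint rests on the bearer token seen in the curl requests, not on the network policy.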

People: Juan Manuel Parrilla Madrid (jparrill@redhat.com), Ayush Garg (rhn-support-aygarg), Jie Zhao