Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-43046

Traffic to audit-webhook:8443 getting routed through Konnectivity proxy in ROSA

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Major Major
    • None
    • 4.14, 4.15, 4.16, 4.17
    • HyperShift
    • Important
    • None
    • Hypershift Sprint 260, Hypershift Sprint 261
    • 2
    • False
    • Hide

      None

      Show
      None
    • Hide
      *cause* - In managed services, audit logs are sent to a local webhook service
      *consequence* - control plane deployments that send traffic through konnectivity are attempting to send the audit webhook traffic through the konnectivity proxy (openshift-apiserver and oauth-openshift).
      *fix* - include the audit-webhook in the list of no_proxy hosts for the affected pods
      *result* - audit log traffic sent to the audit-webhook is successfully sent
      Show
      *cause* - In managed services, audit logs are sent to a local webhook service *consequence* - control plane deployments that send traffic through konnectivity are attempting to send the audit webhook traffic through the konnectivity proxy (openshift-apiserver and oauth-openshift). *fix* - include the audit-webhook in the list of no_proxy hosts for the affected pods *result* - audit log traffic sent to the audit-webhook is successfully sent
    • Bug Fix
    • In Progress

      This is a clone of issue OCPBUGS-42974. The following is the description of the original issue:

      This is a clone of issue OCPBUGS-42873. The following is the description of the original issue:

      Description of problem:

      openshift-apiserver that sends traffic through konnectivity proxy is sending traffic intended for the local audit-webhook service. The audit-webhook service should be included in the NO_PROXY env var of the openshift-apiserver container.

      4.14.z,4.15.z,4.15.z,4.16.z

          How reproducible:{code:none} Always

      Steps to Reproduce:

          1. Create a rosa hosted cluster
    2. Obeserve logs of the konnectivity-proxy sidecar of openshift-apiserver
    3.

      Actual results:

           Logs include requests to the audit-webhook local service

      Expected results:

            Logs do not include requests to audit-webhook

      Additional info:

            agarcial@redhat.com Alberto Garcia Lamela
            openshift-crt-jira-prow OpenShift Prow Bot
            He Liu He Liu
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated: