Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-43046

Traffic to audit-webhook:8443 getting routed through Konnectivity proxy in ROSA

XMLWordPrintable

    • Important
    • None
    • Hypershift Sprint 260, Hypershift Sprint 261
    • 2
    • False
    • Hide

      None

      Show
      None
    • Hide
      Previously, in managed services, audit logs are sent to a local webhook service. Control plane deployments sent traffic through `konnectivity` and attempted to send the audit webhook traffic through the `konnectivity` proxies - `openshift-apiserver` and `oauth-openshift`. With this release, the audit-webhook is in the list of no_proxy hosts for the affected pods, and the audit log traffic that is sent to the audit-webhook is successfully sent. (link:https://issues.redhat.com/browse/OCPBUGS-43046[*OCPBUGS-43046*])
      ====

      *cause* - In managed services, audit logs are sent to a local webhook service
      *consequence* - control plane deployments that send traffic through konnectivity are attempting to send the audit webhook traffic through the konnectivity proxy (openshift-apiserver and oauth-openshift).
      *fix* - include the audit-webhook in the list of no_proxy hosts for the affected pods
      *result* - audit log traffic sent to the audit-webhook is successfully sent
      Show
      Previously, in managed services, audit logs are sent to a local webhook service. Control plane deployments sent traffic through `konnectivity` and attempted to send the audit webhook traffic through the `konnectivity` proxies - `openshift-apiserver` and `oauth-openshift`. With this release, the audit-webhook is in the list of no_proxy hosts for the affected pods, and the audit log traffic that is sent to the audit-webhook is successfully sent. (link: https://issues.redhat.com/browse/OCPBUGS-43046 [* OCPBUGS-43046 *]) ==== *cause* - In managed services, audit logs are sent to a local webhook service *consequence* - control plane deployments that send traffic through konnectivity are attempting to send the audit webhook traffic through the konnectivity proxy (openshift-apiserver and oauth-openshift). *fix* - include the audit-webhook in the list of no_proxy hosts for the affected pods *result* - audit log traffic sent to the audit-webhook is successfully sent
    • Bug Fix
    • In Progress

      This is a clone of issue OCPBUGS-42974. The following is the description of the original issue:

      This is a clone of issue OCPBUGS-42873. The following is the description of the original issue:

      Description of problem:

      openshift-apiserver that sends traffic through konnectivity proxy is sending traffic intended for the local audit-webhook service. The audit-webhook service should be included in the NO_PROXY env var of the openshift-apiserver container.

      4.14.z,4.15.z,4.15.z,4.16.z

          How reproducible:{code:none} Always

      Steps to Reproduce:

          1. Create a rosa hosted cluster
    2. Obeserve logs of the konnectivity-proxy sidecar of openshift-apiserver
    3.

      Actual results:

           Logs include requests to the audit-webhook local service

      Expected results:

            Logs do not include requests to audit-webhook

      Additional info:

              agarcial@redhat.com Alberto Garcia Lamela
              openshift-crt-jira-prow OpenShift Prow Bot
              He Liu He Liu
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

                Created:
                Updated:
                Resolved: