OpenShift Bugs / OCPBUGS-43520

GCP CAPI install is allowing ALL for kube-api firewall rule on private clusters.

    • Installer Sprint 261
    • Previously, when installing a cluster on {gcp-first} using the CAPI-based method, the installer did not distinguish between internal and external load balancers while creating firewall rules. As a consequence, the firewall rule for internal load balancers was open to all IP sources, that is, `0.0.0.0/0`. With this release, the `cluster-api-provider-gcp` is updated to restrict firewall rules to the machine CIDR when using an internal load balancer. The firewall rule for internal load balancers is correctly limited to the machine networks, that is, nodes in the cluster, and the issue is resolved. (link:https://issues.redhat.com/browse/OCPBUGS-43520[*OCPBUGS-43520*])
    • Bug Fix
    • In Progress

      Description of problem:

          When installing a GCP cluster with the CAPI-based method, the kube-api firewall rule that is created always uses a source range of 0.0.0.0/0. In the prior Terraform-based method, internally published clusters were limited to the network_cidr. This change opens the API to additional sources, which could be problematic, for example where traffic is routed to the cluster from a non-cluster subnet.
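As an added check, not part of the bug report or of the installer code, the following Python audits firewall rules in the shape that `gcloud compute firewall-rules list --format=json` returns them and flags any rule that exposes the kube-api port from a source range wider than the machine CIDR. It assumes the API port is 6443 and a machine CIDR of 10.0.0.0/16; the rule names and contents are constructed samples.

```python
# Added example (not from the bug report or the installer): audit GCP
# firewall rules for an internally published cluster and flag any rule that
# opens the kube-api port from outside the machine CIDR. Dict shape mirrors
# `gcloud compute firewall-rules list --format=json`; rules are constructed.
import ipaddress

API_PORT = 6443  # kube-apiserver port
SAMPLE_RULES = [  # constructed sample, not real cluster output
    {"name": "ocp-abc12-api", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"],  # the reported bug: open to all sources
     "allowed": [{"IPProtocol": "tcp", "ports": ["6443", "22623"]}]},
    {"name": "ocp-abc12-api-internal", "direction": "INGRESS",
     "sourceRanges": ["10.0.0.0/16"],  # limited to the machine network
     "allowed": [{"IPProtocol": "tcp", "ports": ["6443"]}]},
    {"name": "ocp-abc12-ssh", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"],  # wide open, but not the API port
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
]

def covers_port(port_spec: str, port: int) -> bool:
    """True if a gcloud port spec ("6443" or "6000-7000") includes port."""
    lo, _, hi = port_spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def allows_api_port(rule: dict) -> bool:
    """True if the rule admits TCP to the API port (missing ports = all)."""
    for entry in rule.get("allowed", []):
        if entry.get("IPProtocol") in ("tcp", "all"):
            ports = entry.get("ports")
            if not ports or any(covers_port(p, API_PORT) for p in ports):
                return True
    return False

def overly_permissive_api_rules(rules: list, machine_cidr: str) -> list:
    """Names of ingress rules that expose the API port to any source range
    not fully contained in the machine CIDR (e.g. 0.0.0.0/0)."""
    machine_net = ipaddress.ip_network(machine_cidr)
    findings = []
    for rule in rules:
        if rule.get("direction", "INGRESS") == "INGRESS" and allows_api_port(rule):
            if any(not ipaddress.ip_network(src).subnet_of(machine_net)
                   for src in rule.get("sourceRanges", [])):
                findings.append(rule["name"])
    return findings

if __name__ == "__main__":
    print(overly_permissive_api_rules(SAMPLE_RULES, "10.0.0.0/16"))
```

On a healthy internally published cluster the list should come back empty; feeding it the real `gcloud` JSON for the cluster's network makes it a quick post-install check for this bug.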

      Version-Release number of selected component (if applicable):

          4.17

      How reproducible:

          Always

      Steps to Reproduce:

          1. Install a cluster in GCP with publish: internal

      Actual results:

          The kube-api firewall rule has a source range of 0.0.0.0/0

      Expected results:

          The kube-api firewall rule has a source range limited to the network_cidr


              bfournie@redhat.com Robert Fournier
              jstuever@redhat.com Jeremiah Stuever
              Jianli Wei Jianli Wei