OpenShift Bugs / OCPBUGS-43520

GCP CAPI install is allowing ALL for kube-api firewall rule on private clusters.

    • Installer Sprint 261
      Description of problem:

         When installing a GCP cluster with the CAPI-based method, the kube-api firewall rule that is created always uses a source range of 0.0.0.0/0. In the prior Terraform-based method, internal published clusters were limited to the network_cidr. This change opens up the API to additional sources, which could be problematic, such as in situations where traffic is being routed from a non-cluster subnet.

      Version-Release number of selected component (if applicable):

          4.17

      How reproducible:

          Always

      Steps to Reproduce:

          1. Install a cluster in GCP with publish: internal

      Actual results:

          Kube-api firewall rule has source of 0.0.0.0/0

      Expected results:

          Kube-api firewall rule has a more limited source of network_cidr

      Additional info:

          

            bfournie@redhat.com Robert Fournier
            jstuever@redhat.com Jeremiah Stuever
            Jianli Wei Jianli Wei
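
An added example, not part of the original report or the installer's code: a check over exported GCP firewall rules that flags any enabled ingress rule admitting the API port from sources outside the cluster's network_cidr. The rule names, the 10.0.0.0/16 CIDR and matching the rule by port 6443 are assumptions, and the sample data is constructed.

```python
import ipaddress

API_PORT = 6443  # assumption: the kube-api rule is identified by the Kubernetes API port

def _admits_port(allowed, port):
    """True if one entry of a rule's `allowed` list admits TCP traffic to `port`."""
    if allowed.get("IPProtocol") not in ("tcp", "all"):
        return False
    ports = allowed.get("ports")
    if not ports:  # no port list means every port of that protocol
        return True
    for spec in ports:  # entries are "6443" or ranges such as "6000-7000"
        low, _, high = spec.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False

def overly_broad_api_rules(rules, network_cidr):
    """Return [(rule name, [sources outside network_cidr])] for enabled ingress API rules."""
    cluster_net = ipaddress.ip_network(network_cidr)
    findings = []
    for rule in rules:
        if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
            continue
        if not any(_admits_port(a, API_PORT) for a in rule.get("allowed", [])):
            continue
        outside = []
        for src in rule.get("sourceRanges", []):
            net = ipaddress.ip_network(src, strict=False)
            if net.version != cluster_net.version or not net.subnet_of(cluster_net):
                outside.append(src)
        if outside:
            findings.append((rule["name"], outside))
    return findings

# Constructed sample, shaped like `gcloud compute firewall-rules list --format=json`.
SAMPLE_RULES = [
    {"name": "example-kube-api", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["6443"]}]},
    {"name": "example-kube-api-limited", "direction": "INGRESS", "sourceRanges": ["10.0.0.0/16"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["6443"]}]},
    {"name": "example-wide-range", "direction": "INGRESS", "sourceRanges": ["10.0.128.0/17", "192.168.0.0/24"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["6000-7000"]}]},
    {"name": "example-ssh", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
]

if __name__ == "__main__":
    for name, ranges in overly_broad_api_rules(SAMPLE_RULES, "10.0.0.0/16"):
        print(f"{name}: API port reachable from {', '.join(ranges)}")
```

On a private (publish: internal) cluster, an empty result is the expected state described in the report.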