Loading...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Undefined
Fix Version/s: None
Affects Version/s: 4.17, 4.18
Component/s: Installer / openshift-installer
Labels:
- triaged

Regression:
None
Sprint:
Installer Sprint 261
sprint_count:
1
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Release Note Text:

Hide
* Previously, when you installed a private cluster on {gcp-first}, the API firewall rule used the source range of `0.0.0.0/0`. This address allowed non-cluster resources unintended access to the private cluster. With this release, the API firewall rule now only allows resources that have source ranges in the Machine Network to access the private cluster. (link:https://issues.redhat.com/browse/OCPBUGS-43786[*~~OCPBUGS-43786~~*])

Show
* Previously, when you installed a private cluster on {gcp-first}, the API firewall rule used the source range of `0.0.0.0/0`. This address allowed non-cluster resources unintended access to the private cluster. With this release, the API firewall rule now only allows resources that have source ranges in the Machine Network to access the private cluster. (link: https://issues.redhat.com/browse/OCPBUGS-43786 [* OCPBUGS-43786 *])
Release Note Type:
Bug Fix
Release Note Status:
Done
Target Version:

4.17.z
Target Backport Versions:

4.17.z

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

This is a clone of issue OCPBUGS-43520. The following is the description of the original issue:
—
Description of problem:

   When installing a GCP cluster with the CAPI based method, the kube-api firewall rule that is created always uses a source range of 0.0.0.0/0. In the prior terraform based method, internal published clusters were limited to the network_cidr. This change opens up the API to additional sources, which could be problematic such as in situations where traffic is being routed from a non-cluster subnet.

Version-Release number of selected component (if applicable):

    4.17

How reproducible:

    Always

Steps to Reproduce:

    1. Install a cluster in GCP with publish: internal
    2.
    3.

Actual results:

    Kube-api firewall rule has source of 0.0.0.0/0

Expected results:

    Kube-api firewall rule has a more limited source of network_cidr

Additional info:

clones

OCPBUGS-43520 GCP CAPI install is allowing ALL for kube-api firewall rule on private clusters.

Verified

is blocked by

OCPBUGS-43520 GCP CAPI install is allowing ALL for kube-api firewall rule on private clusters.

Verified

links to

openshift/installer#9138: [release-4.17] OCPBUGS-43786: Limit GCP API firewall rule for internal clusters

RHBA-2024:8981 OpenShift Container Platform 4.17.z bug fix update

Assignee:: Robert Fournier

Reporter:: OpenShift Prow Bot

QA Contact:: Jianli Wei

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Created:: 2024/10/24 11:35 AM

Updated:: 2024/11/13 4:14 AM

Resolved:: 2024/11/13 4:14 AM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates