Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-46075

Traffic to audit-webhook:8443 getting routed through Konnectivity proxy in ROSA

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Major Major
    • None
    • 4.14, 4.15, 4.16, 4.17
    • HyperShift
    • Important
    • None
    • False
    • Hide

      None

      Show
      None
    • Hide
      Previously, in managed services, audit logs are sent to a local webhook service. Control plane deployments sent traffic through `konnectivity` and attempted to send the audit webhook traffic through the `konnectivity` proxies - `openshift-apiserver` and `oauth-openshift`. With this release, the audit-webhook is in the list of no_proxy hosts for the affected pods, and the audit log traffic that is sent to the audit-webhook is successfully sent. (link:https://issues.redhat.com/browse/OCPBUGS-43046[*OCPBUGS-43046*])
      ====

      *cause* - In managed services, audit logs are sent to a local webhook service
      *consequence* - control plane deployments that send traffic through konnectivity are attempting to send the audit webhook traffic through the konnectivity proxy (openshift-apiserver and oauth-openshift).
      *fix* - include the audit-webhook in the list of no_proxy hosts for the affected pods
      *result* - audit log traffic sent to the audit-webhook is successfully sent
      Show
      Previously, in managed services, audit logs are sent to a local webhook service. Control plane deployments sent traffic through `konnectivity` and attempted to send the audit webhook traffic through the `konnectivity` proxies - `openshift-apiserver` and `oauth-openshift`. With this release, the audit-webhook is in the list of no_proxy hosts for the affected pods, and the audit log traffic that is sent to the audit-webhook is successfully sent. (link: https://issues.redhat.com/browse/OCPBUGS-43046 [* OCPBUGS-43046 *]) ==== *cause* - In managed services, audit logs are sent to a local webhook service *consequence* - control plane deployments that send traffic through konnectivity are attempting to send the audit webhook traffic through the konnectivity proxy (openshift-apiserver and oauth-openshift). *fix* - include the audit-webhook in the list of no_proxy hosts for the affected pods *result* - audit log traffic sent to the audit-webhook is successfully sent
    • Bug Fix
    • In Progress

      This is a clone of issue OCPBUGS-43046. The following is the description of the original issue:

      This is a clone of issue OCPBUGS-42974. The following is the description of the original issue:

      This is a clone of issue OCPBUGS-42873. The following is the description of the original issue:

      Description of problem:

      openshift-apiserver that sends traffic through konnectivity proxy is sending traffic intended for the local audit-webhook service. The audit-webhook service should be included in the NO_PROXY env var of the openshift-apiserver container.
      
          

      4.14.z,4.15.z,4.15.z,4.16.z

          How reproducible:{code:none} Always
      
          

      Steps to Reproduce:

          1. Create a rosa hosted cluster
          2. Obeserve logs of the konnectivity-proxy sidecar of openshift-apiserver
          3.
          

      Actual results:

           Logs include requests to the audit-webhook local service
      
          

      Expected results:

            Logs do not include requests to audit-webhook 
          

      Additional info:

      
          

              agarcial@redhat.com Alberto Garcia Lamela
              openshift-crt-jira-prow OpenShift Prow Bot
              He Liu He Liu
              Votes:
              1 Vote for this issue
              Watchers:
              8 Start watching this issue

                Created:
                Updated: