  1. OpenShift Bugs
  2. OCPBUGS-50489

Missing endpoint slices for open ports the operator uses


    • Bug
    • Resolution: Unresolved
    • Normal
    • 4.20
    • 4.16, 4.17, 4.18, 4.19, 4.20
    • kube-apiserver
    • Quality / Stability / Reliability
    • False
    • Done
    • Enhancement
      In this update, the communication flow matrix for {product-title} is improved by generating services for primary open ports 17697 Transmission Control Protocol (TCP) and 6080 (TCP) on the primary node. This ensures that all open ports have their exact endpoint slices, resulting in right and up-to-date communication flow matrices. This enhancement boosts the overall security and efficiency of the communication flow.
      ______
      Add missing ports 17697/TCP and 6080/TCP to the kube-apiserver Service.
      This ensures that all ingress communication flows are represented in EndpointSlice resources and the OpenShift communication matrix.

      Description of problem:

      The communication matrix project aims to automatically generate an accurate and up-to-date communication flows matrix that can be delivered to customers as part of product documentation for all ingress flows of OpenShift (see the documented communication matrix example: https://docs.openshift.com/container-platform/4.16/installing/install_config/configuring-firewall.html#network-flow-matrix_configuring-firewall).
      The communication matrix consists of the cluster's endpoint slices, which are created automatically for every service on the cluster. Your operator includes some open ports with missing services, and because of that there are missing endpoint slices. To solve this issue, please add a service for the following ports: 17697 (master node, TCP protocol), 6080 (master node, TCP protocol).

      Version-Release number of selected component (if applicable):

          

      How reproducible:

      Compare endpoint slices to open ports.

      Steps to Reproduce:

      1. Get endpoint slices:
      Run the following command: `oc get endpointslices -n <operator's-namespace>`
      
      2. Get open ports:
      Make sure the `ss` command is available within your pod. If not, use the following command to install iproute2 on your pod: `dnf install -y iproute`
      In order to get ports using TCP protocol run from your node:
      `ss -anpltH`
      In order to get ports using UDP protocol run from your node:
      `ss -anpluH`
      
      3. Compare the ports between the outputs.

      Actual results:

      The following ports are missing endpoint slices: 17697 (master node, TCP protocol), 6080 (master node, TCP protocol).

      Expected results:

      Every open port will have an endpoint slice.

      Additional info:

      In order to resolve this issue, a service should be created for the following ports: 17697 (master node, TCP protocol), 6080 (master node, TCP protocol). The endpoint slices should be created automatically once the service is up.

              Unassigned
              rh-ee-shmoran Shir Moran
              Ke Wang
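The comparison described in the steps to reproduce, as an added example (not part of the original report and not OpenShift tooling): it parses `ss -anpltH` output and the output of `oc get endpointslices -n <namespace> -o json`, then lists listening ports that have no endpoint slice. The sample inputs are constructed, and the function names and process names are hypothetical.

```python
import json

# Constructed sample of `ss -anpltH` output from a node (not real cluster data).
SS_TCP = """\
LISTEN 0 4096 0.0.0.0:17697 0.0.0.0:* users:(("example-a",pid=101,fd=7))
LISTEN 0 4096 *:6080 *:* users:(("example-a",pid=101,fd=9))
LISTEN 0 4096 [::]:6443 [::]:* users:(("example-b",pid=202,fd=3))
ESTAB 0 0 10.0.0.5:6443 10.0.0.9:51234 users:(("example-b",pid=202,fd=12))
"""

# Constructed sample of `oc get endpointslices -n <namespace> -o json`.
SLICES_JSON = json.dumps({"items": [{
    "metadata": {"name": "example-svc-abcde"},
    "ports": [{"name": "https", "protocol": "TCP", "port": 6443}],
}]})


def listening_ports(ss_output, protocol):
    """Return {(protocol, port)} for sockets in LISTEN (TCP) or UNCONN (UDP) state."""
    found = set()
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] not in ("LISTEN", "UNCONN"):
            continue  # skip established connections and malformed lines
        # Local address is the 4th column; the port follows the last colon,
        # which also handles wildcard (*:6080) and bracketed IPv6 ([::]:6443).
        port = cols[3].rsplit(":", 1)[-1]
        if port.isdigit():
            found.add((protocol, int(port)))
    return found


def slice_ports(slices_json):
    """Return {(protocol, port)} declared by all EndpointSlice objects."""
    found = set()
    for item in json.loads(slices_json).get("items", []):
        for p in item.get("ports") or []:
            if p.get("port") is not None:
                found.add((p.get("protocol", "TCP"), p["port"]))
    return found


def missing_endpoint_slices(ss_output, slices_json, protocol="TCP"):
    """Ports open on the node that no endpoint slice accounts for."""
    return sorted(listening_ports(ss_output, protocol) - slice_ports(slices_json))


if __name__ == "__main__":
    for proto, port in missing_endpoint_slices(SS_TCP, SLICES_JSON):
        print(f"{port}/{proto}: open on node, no endpoint slice")
```

For UDP, pass the output of `ss -anpluH` with `protocol="UDP"`.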