OpenShift Bugs: OCPBUGS-60249

Missing endpoint slices for open ports the operator uses
The `cluster-policy-controller` service had a network port (10357) that was incorrectly open to outside networks. To fix this, the `cluster-policy-controller` was reconfigured to only accept connections from the `localhost`, avoiding exposing the port outside of the node network. (link:https://issues.redhat.com/browse/OCPBUGS-60249[OCPBUGS-60249])

This is a clone of issue OCPBUGS-60131. The following is the description of the original issue:

This is a clone of issue OCPBUGS-53290. The following is the description of the original issue:

Description of problem:

The communication matrix project aims to automatically generate an accurate and up-to-date communication flows matrix that can be delivered to customers as part of the product documentation for all ingress flows of OpenShift (see the documented communication matrix example: https://docs.openshift.com/container-platform/4.16/installing/install_config/configuring-firewall.html#network-flow-matrix_configuring-firewall).
The communication matrix is built from the cluster's endpoint slices, which are created automatically for every service on the cluster. Your operator has open ports that are not connected to any service, so no endpoint slices exist for them. To resolve this, please connect a service to the following ports: 10357 (master node, TCP protocol).

Version-Release number of selected component (if applicable):


How reproducible:

Compare the endpoint slices with the open ports.

Steps to Reproduce:

1. Get endpoint slices: run the following command: `oc get endpointslices -n <operator's-namespace>`

2. Get open ports: make sure the `ss` command is available in your pod; if not, install iproute2 in the pod with `dnf install -y iproute`. To list listening TCP ports, run from your node: `ss -anpltH`. To list listening UDP ports, run from your node: `ss -anpluH`.

3. Compare the ports between the two outputs.
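As an added illustration (not code from the bug report, the operator, or the communication-matrix project), the following script automates step 3 on captured output from steps 1 and 2: it parses `ss -anpltH` lines and the `oc get endpointslices -o json` document and reports listening TCP ports that are bound to a non-loopback address but published by no EndpointSlice. The sample `ss` lines, process names, PIDs and EndpointSlice name are constructed; the loopback distinction goes beyond the steps above to reflect the fix described in the release note (binding 10357 to localhost).

```python
"""Automates step 3 of the reproduction: compare TCP listeners from `ss -anpltH`
with ports published by EndpointSlices (`oc get endpointslices -o json`).
Illustration added for this bug; not code from the operator or the
communication-matrix project. All sample data below is constructed."""
import json

# Constructed `ss -anpltH` output: 10357 listens on all interfaces (the bug),
# 10257 is published by a Service, 9443 is loopback-only.
SS_BEFORE = """\
LISTEN 0 4096 0.0.0.0:10357 0.0.0.0:* users:(("cluster-policy-c",pid=4242,fd=7))
LISTEN 0 4096 *:10257 *:* users:(("kube-controller-",pid=4243,fd=7))
LISTEN 0 128 127.0.0.1:9443 0.0.0.0:* users:(("example-sidecar",pid=4244,fd=5))
"""
# Constructed output after the fix: 10357 is now bound to localhost only.
SS_AFTER = SS_BEFORE.replace("0.0.0.0:10357", "127.0.0.1:10357")

# Constructed `oc get endpointslices -o json`, trimmed to the relevant fields.
ENDPOINTSLICES = json.dumps({"items": [
    {"metadata": {"name": "kube-controller-manager-abc1"},
     "ports": [{"name": "https", "protocol": "TCP", "port": 10257}]},
]})


def listening_ports(ss_text):
    """Return {(port, loopback_only)} for each LISTEN line of `ss -anpltH`."""
    found = set()
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")   # also handles [::1]:port
        loopback = addr.startswith("127.") or addr == "[::1]"
        found.add((int(port), loopback))
    return found


def endpointslice_ports(json_text, protocol="TCP"):
    """Return the set of ports published by EndpointSlices for one protocol."""
    ports = set()
    for item in json.loads(json_text).get("items", []):
        for p in item.get("ports") or []:          # "ports" may be null
            if p.get("protocol", "TCP") == protocol and p.get("port") is not None:
                ports.add(int(p["port"]))
    return ports


def missing_endpoint_slices(ss_text, json_text):
    """Ports reachable beyond the node (not loopback-only) with no EndpointSlice."""
    published = endpointslice_ports(json_text)
    return sorted(port for port, loopback in listening_ports(ss_text)
                  if not loopback and port not in published)
```

Running `missing_endpoint_slices(SS_BEFORE, ENDPOINTSLICES)` on the constructed data reports `[10357]`, and the same call on `SS_AFTER` reports nothing, which is the check to repeat with real `ss` and `oc` output on a master node.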

Actual results:

The following ports are missing endpoint slices: 10357 (master node, TCP protocol).

Expected results:

Every open port has an endpoint slice.

Additional info:

To resolve this issue, a service should be connected to the following ports: 10357 (master node, TCP protocol). The endpoint slices are created automatically once the service is up.

jchaloup@redhat.com Jan Chaloupka
rh-ee-shmoran Shir Moran
Ying Zhou Ying Zhou