OpenShift Bugs: OCPBUGS-60834

Missing endpoint slices for open ports the operator uses

      * Before this update, the `cluster-policy-controller` container exposed the `10357` port for all networks and the bind address was set to `0.0.0.0`. The port was exposed outside the host network for the node because the `kube-controller-manager` (KCM) pod manifest set the `hostNetwork` parameter to `true`. This port is used only for the container probe. With this enhancement, the bind address is updated to listen on the localhost only. As a result, the node security is improved because the port is not exposed outside of the node network. (link:https://issues.redhat.com/browse/OCPBUGS-60834[OCPBUGS-60834])

      This is a clone of issue OCPBUGS-60249. The following is the description of the original issue:

      This is a clone of issue OCPBUGS-60131. The following is the description of the original issue:

      This is a clone of issue OCPBUGS-53290. The following is the description of the original issue:

      Description of problem:

      The communication matrix project aims to automatically generate an accurate and up-to-date communication flows matrix that can be delivered to customers as part of the product documentation for all ingress flows of OpenShift (see the documented communication matrix example: https://docs.openshift.com/container-platform/4.16/installing/install_config/configuring-firewall.html#network-flow-matrix_configuring-firewall).
      The communication matrix consists of the cluster's endpoint slices, which are created automatically for every service on the cluster. Your operator includes some open ports that are not connected to a service, so those ports have no endpoint slices. To solve this issue, please connect a service to the following ports: 10357 (master node, TCP protocol).

      Version-Release number of selected component (if applicable):


      How reproducible:

      Compare between endpoint slices to open ports.

      Steps to Reproduce:

      1. Get endpoint slices: run `oc get endpointslices -n <operator's-namespace>`.

      2. Get open ports: make sure the `ss` command is available within your pod; if not, install iproute2 on your pod with `dnf install -y iproute`. Then, from your node, run `ss -anpltH` to list ports using the TCP protocol, or `ss -anpluH` to list ports using the UDP protocol.

      3. Compare the ports between the two outputs.
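      The comparison in steps 1 to 3, as an added example that is not part of the original issue: it parses constructed `ss -anpltH` output and a constructed, trimmed `oc get endpointslices -A -o json` document (neither is real cluster data) and reports TCP listening ports that are reachable beyond the node yet have no EndpointSlice. Loopback-only binds are excluded, which is why moving the probe port from `0.0.0.0` to localhost, as the release note describes, clears the finding.

```python
import json
from typing import Dict, List, Set

# Constructed sample of `ss -anpltH` output on a master node (not real cluster data).
SS_OUTPUT = """\
LISTEN 0 4096 0.0.0.0:10357 0.0.0.0:* users:(("cluster-policy-c",pid=2233,fd=7))
LISTEN 0 4096 *:10257 *:* users:(("kube-controller",pid=2190,fd=8))
LISTEN 0 4096 127.0.0.1:10259 0.0.0.0:* users:(("kube-scheduler",pid=2100,fd=9))
LISTEN 0 4096 [::]:6443 [::]:* users:(("kube-apiserver",pid=2000,fd=10))
"""

# Constructed, trimmed sample of `oc get endpointslices -A -o json` (names are made up).
ENDPOINTSLICES_JSON = json.dumps({"items": [
    {"metadata": {"namespace": "openshift-kube-controller-manager",
                  "name": "kube-controller-manager-example"},
     "ports": [{"name": "https", "protocol": "TCP", "port": 10257}]},
    {"metadata": {"namespace": "default", "name": "kubernetes"},
     "ports": [{"name": "https", "protocol": "TCP", "port": 6443}]},
]})

LOOPBACK = {"127.0.0.1", "::1"}


def listening_ports(ss_text: str) -> Dict[int, Set[str]]:
    """Map each TCP port in LISTEN state to the local addresses it is bound to."""
    ports: Dict[int, Set[str]] = {}
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)  # "Local Address:Port" column
        ports.setdefault(int(port), set()).add(addr.strip("[]"))
    return ports


def endpointslice_ports(slices_json: str, protocol: str = "TCP") -> Set[int]:
    """Collect every port number that some EndpointSlice exposes for `protocol`."""
    items = json.loads(slices_json)["items"]
    return {p["port"] for item in items for p in item.get("ports") or []
            if p.get("protocol", "TCP") == protocol}


def missing_slices(ss_text: str, slices_json: str) -> List[int]:
    """Ports reachable beyond the node (not loopback-only) that have no EndpointSlice."""
    covered = endpointslice_ports(slices_json)
    return sorted(port for port, addrs in listening_ports(ss_text).items()
                  if port not in covered and not addrs <= LOOPBACK)
```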

      Actual results:

      The following ports are missing endpoint slices: 10357 (master node, TCP protocol).

      Expected results:

      Every open port will have an endpoint slice.

      Additional info:

      In order to resolve this issue, a service should be connected to the following ports: 10357 (master node, TCP protocol). The endpoint slices should be created automatically once the service is up.

      People: Jan Chaloupka (jchaloup@redhat.com), Shir Moran (rh-ee-shmoran), Ying Zhou