  1. OpenShift Bugs
  2. OCPBUGS-61503

Ingress node firewall daemon pods are not running in masters and workers at the same time.


      Description of problem:

      We want to disable ICMP on both worker and master nodes. While installing and configuring the Ingress Node Firewall Operator, we noticed that when creating the IngressNodeFirewallConfig (INFC) resource to get the DaemonSet pods running based on the nodeSelector, we can configure it for either master nodes or worker nodes, but not both at the same time. 
      If we try to include both roles or create a separate INFC with a different name, it doesn’t work. If we keep only one of them, it works fine. There is no mention of this in the documentation.

      Version-Release number of selected component (if applicable):

          

      How reproducible:

          

      Steps to Reproduce:

      Step 1: Install the Ingress Node Firewall Operator
      
      Step 2: Annotate the target namespace to allow privileged workloads
      ~~~
      oc annotate ns/openshift-ingress-node-firewall workload.openshift.io/allowed=management
      ~~~
      
      Step 3: Create the IngressNodeFirewallConfig object. This configures the daemonset on selected nodes via a nodeSelector.
      
      ~~~
      apiVersion: ingressnodefirewall.openshift.io/v1alpha1
      kind: IngressNodeFirewallConfig
      metadata:
        name: ingressnodefirewallconfig
        namespace: openshift-ingress-node-firewall
      spec:
        nodeSelector:
          node-role.kubernetes.io/worker: ""
      ~~~
      
      After applying this, the operator successfully deployed firewall pods to all worker nodes:
      ~~~
      $ oc get pods -n openshift-ingress-node-firewall
      NAME                                                        READY   STATUS    RESTARTS   AGE
      ingress-node-firewall-controller-manager-6b8dcb8bc5-ghxqd   2/2     Running   0          27m
      ingress-node-firewall-daemon-8mnmg                          3/3     Running   0          4s
      ingress-node-firewall-daemon-cqsxz                          3/3     Running   0          4s
      ingress-node-firewall-daemon-h8sd6                          3/3     Running   0          4s
      ~~~
      
      We then tried creating an INFC for both masters and workers, which doesn't work.
      ~~~
      apiVersion: ingressnodefirewall.openshift.io/v1alpha1
      kind: IngressNodeFirewallConfig
      metadata:
        name: ingressnodefirewallconfig
        namespace: openshift-ingress-node-firewall
      spec:
        nodeSelector:
          node-role.kubernetes.io/worker: ""
          node-role.kubernetes.io/master: ""
      ~~~  
      
      Even creating a separate INFC with a different name doesn’t work.

      Actual results:

          

      Expected results:

          Want to disable ICMP for all the nodes, i.e. both workers and masters.

      Additional info:

          

              ekeen@redhat.com Ed Keen
              rhn-support-harspati Harshada Patil
              Anurag Saxena Anurag Saxena
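Added example, not part of the original report or the operator's code: a coverage check that evaluates the nodeSelector maps from the report the way Kubernetes evaluates any nodeSelector, where a node must carry every listed label. It assumes the operator passes `spec.nodeSelector` unchanged to the DaemonSet pod template; all node names and label sets are constructed, and the `kubernetes.io/os` selector is only an illustration of a label shared by every node.

```python
# Added example: Kubernetes equality-based nodeSelector matching.
# All node names and label sets are constructed sample data.
WORKER = "node-role.kubernetes.io/worker"
MASTER = "node-role.kubernetes.io/master"
OS = "kubernetes.io/os"

# Constructed cluster with dedicated roles: 3 masters, 3 workers.
DEDICATED = {
    **{f"master-{i}": {MASTER: "", OS: "linux"} for i in range(3)},
    **{f"worker-{i}": {WORKER: "", OS: "linux"} for i in range(3)},
}
# Constructed compact cluster: control-plane nodes are also schedulable workers.
COMPACT = {f"node-{i}": {MASTER: "", WORKER: "", OS: "linux"} for i in range(3)}


def matches(selector, labels):
    """A node matches only if it has EVERY selector key with the exact value."""
    return all(k in labels and labels[k] == v for k, v in selector.items())


def coverage(selector, nodes):
    """Return (covered, uncovered) node names for a nodeSelector map."""
    covered = sorted(n for n, lbl in nodes.items() if matches(selector, lbl))
    uncovered = sorted(n for n in nodes if n not in covered)
    return covered, uncovered


def report(nodes):
    """Evaluate the selectors from the report plus one common-label selector."""
    selectors = {
        "worker only": {WORKER: ""},
        "worker AND master": {WORKER: "", MASTER: ""},
        "common label (assumed present on all nodes)": {OS: "linux"},
    }
    return {name: coverage(sel, nodes) for name, sel in selectors.items()}


if __name__ == "__main__":
    for cluster_name, nodes in (("dedicated", DEDICATED), ("compact", COMPACT)):
        for name, (covered, uncovered) in report(nodes).items():
            print(f"{cluster_name:9} {name:45} covered={len(covered)} "
                  f"without firewall daemon={uncovered}")
```

Under these assumptions, the two-label selector covers no node on a cluster with dedicated roles and covers every node only where each node carries both role labels.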