OpenShift Bugs: OCPBUGS-61941

allowedCIDRBlocks bypassed when kube-apiserver uses Route publishing strategy with external DNS

    • Type: Bug
    • Resolution: Unresolved
    • Affects Version/s: 4.18, 4.19, 4.20, 4.21
    • Component/s: HyperShift
    • Quality / Stability / Reliability
    • Release Note Status: Proposed
    • Release Note Type: Bug Fix
    • Release Note Text:
      *Cause*: When a HyperShift HostedCluster uses external DNS domains, allowedCIDRBlocks are only applied to the internal kube-apiserver ClusterIP service, not the external router LoadBalancer service.
      *Consequence*: External clients can access the kube-apiserver from any IP address, bypassing configured CIDR restrictions.
      *Fix*: Added LoadBalancerSourceRanges configuration to the external router LoadBalancer service.
      *Result*: External kube-apiserver access is now properly restricted to the specified allowedCIDRBlocks.

      Description of problem:

      When a HostedCluster is configured with external DNS domains (which selects the Route publishing strategy for the kube-apiserver), the `allowedCIDRBlocks` configuration in `spec.networking.apiServer.allowedCIDRBlocks` does not restrict external access to the kube-apiserver. The CIDR restrictions are applied only to the kube-apiserver ClusterIP service, which external clients never reach directly, while external traffic enters through the router LoadBalancer service, which carries no source-range restriction at all.

      Version-Release number of selected component (if applicable):

          HyperShift 4.21

      How reproducible:

          Always

      Steps to Reproduce:

      1. Create a HostedCluster with External DNS Domain on AWS platform
      2. Set `spec.platform.aws.endpointAccess` to `PublicAndPrivate`
      3. Configure `spec.networking.apiServer.allowedCIDRBlocks` with restricted CIDR ranges:
         ```yaml
         spec:
           networking:
             apiServer:
               allowedCIDRBlocks:
                 - "10.0.0.0/8"
                 - "192.168.1.0/24"
         ```
      4. Deploy the cluster and wait for external router service to be created
      5. Verify the external router service does not have `LoadBalancerSourceRanges` configured
      6. Attempt to access the kube-apiserver from an IP outside the allowed ranges via the external endpoint   

      Actual results:

      - External router LoadBalancer service does not have `LoadBalancerSourceRanges` field configured
      - External clients can access the kube-apiserver from any IP address through the router service
      - The allowedCIDRBlocks configuration is completely ignored for external access

      Expected results:

      - External router LoadBalancer service should have `LoadBalancerSourceRanges` configured with the allowedCIDRBlocks values
      - External access should be restricted to only the specified CIDR ranges
      - Access attempts from outside allowed ranges should be blocked at the load balancer level

      Additional info:

      Traffic Flow:
      ```
      External Client → External Router LoadBalancer → Router Pod → kube-apiserver (ClusterIP)
      ```
      
      Current Implementation Problem:
      - `allowedCIDRBlocks` are applied to the kube-apiserver service's `LoadBalancerSourceRanges`
      - With the Route strategy and external DNS, the kube-apiserver service is of type `ClusterIP` (not externally reachable), so source ranges on it never see external traffic
      - The external router service is of type `LoadBalancer` but does NOT have `LoadBalancerSourceRanges` configured, so the load balancer admits every source address
      - Result: CIDR restrictions are bypassed entirely
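A small audit that encodes the check from reproduction steps 5 and 6 and the traffic-flow analysis above. This is an added example, not HyperShift's own code: it consumes the JSON shape that `kubectl get hostedcluster -o json` and `kubectl get svc -o json` emit (the two manifests inside are constructed samples), reports which `allowedCIDRBlocks` entries are missing from each type `LoadBalancer` Service's `spec.loadBalancerSourceRanges`, models what the load balancer admits with and without those ranges, and builds the merge patch that closes the gap by hand. The Service name `router` and the `clusters-demo` namespace are assumptions about the hosted control plane layout.

```python
"""Audit helper for the OCPBUGS-61941 gap: every externally reachable (type
LoadBalancer) Service in a hosted control plane namespace should carry the
HostedCluster's spec.networking.apiServer.allowedCIDRBlocks as
spec.loadBalancerSourceRanges.

Added example, not HyperShift's own code. The two manifests below are
constructed samples; the Service name `router` and the `clusters-demo`
namespace are assumptions about the hosted control plane layout.
"""
import ipaddress
import json

# Constructed sample: HostedCluster with the restricted allowedCIDRBlocks from the report.
HOSTED_CLUSTER = json.loads("""
{
  "apiVersion": "hypershift.openshift.io/v1beta1",
  "kind": "HostedCluster",
  "metadata": {"name": "demo", "namespace": "clusters"},
  "spec": {
    "platform": {"type": "AWS", "aws": {"endpointAccess": "PublicAndPrivate"}},
    "networking": {"apiServer": {"allowedCIDRBlocks": ["10.0.0.0/8", "192.168.1.0/24"]}}
  }
}
""")

# Constructed sample: the Services the report describes. kube-apiserver is ClusterIP
# (not externally reachable); router is the LoadBalancer that external clients hit,
# and it has no loadBalancerSourceRanges at all.
SERVICES = json.loads("""
{
  "apiVersion": "v1",
  "kind": "List",
  "items": [
    {"kind": "Service",
     "metadata": {"name": "kube-apiserver", "namespace": "clusters-demo"},
     "spec": {"type": "ClusterIP", "ports": [{"port": 6443}]}},
    {"kind": "Service",
     "metadata": {"name": "router", "namespace": "clusters-demo"},
     "spec": {"type": "LoadBalancer", "ports": [{"port": 443}]}}
  ]
}
""")


def allowed_cidr_blocks(hosted_cluster):
    """CIDRs the operator asked to be enforced for API server access."""
    return list(hosted_cluster["spec"]["networking"]["apiServer"].get("allowedCIDRBlocks", []))


def load_balancer_services(service_list):
    """Only type=LoadBalancer Services are reachable from outside the cluster."""
    return [s for s in service_list["items"] if s["spec"].get("type") == "LoadBalancer"]


def audit(hosted_cluster, service_list):
    """Map each LoadBalancer Service name to the allowedCIDRBlocks entries missing
    from its spec.loadBalancerSourceRanges. An empty list means it is covered."""
    wanted = set(allowed_cidr_blocks(hosted_cluster))
    findings = {}
    for svc in load_balancer_services(service_list):
        present = set(svc["spec"].get("loadBalancerSourceRanges", []))
        findings[svc["metadata"]["name"]] = sorted(wanted - present)
    return findings


def client_admitted(svc, client_ip):
    """Model what the cloud load balancer does with loadBalancerSourceRanges:
    no ranges means every source is admitted, which is the bypass."""
    ranges = svc["spec"].get("loadBalancerSourceRanges", [])
    if not ranges:
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(r, strict=False) for r in ranges)


def remediation_patch(hosted_cluster):
    """Merge-patch body that copies allowedCIDRBlocks onto the router Service, i.e.
    `kubectl -n clusters-demo patch svc router --type merge -p '<this JSON>'`."""
    return {"spec": {"loadBalancerSourceRanges": allowed_cidr_blocks(hosted_cluster)}}


def apply_patch(svc, patch):
    """Return a copy of svc with the merge patch applied (spec keys only)."""
    patched = json.loads(json.dumps(svc))
    patched["spec"].update(patch["spec"])
    return patched


def service_named(service_list, name):
    return next(s for s in service_list["items"] if s["metadata"]["name"] == name)


if __name__ == "__main__":
    print("missing source ranges:", audit(HOSTED_CLUSTER, SERVICES))
    router = service_named(SERVICES, "router")
    print("203.0.113.7 admitted before fix:", client_admitted(router, "203.0.113.7"))
    fixed = apply_patch(router, remediation_patch(HOSTED_CLUSTER))
    print("203.0.113.7 admitted after fix:", client_admitted(fixed, "203.0.113.7"))
    print("10.1.2.3 admitted after fix:", client_admitted(fixed, "10.1.2.3"))
    print("patch:", json.dumps(remediation_patch(HOSTED_CLUSTER)))
```

Two caveats when running this against a real hosted control plane. The report writes `LoadBalancerSourceRanges` (the Go struct field), but the manifest key is `spec.loadBalancerSourceRanges`, and it only has an effect on Services of type `LoadBalancer`; that is why ranges on the kube-apiserver ClusterIP Service do nothing for the external path. Enforcement happens at the cloud load balancer (on AWS, via the security-group rules the cloud controller derives from the ranges), not in the router pod, and the router Service is operator-managed, so a manual patch is a stopgap the HyperShift operator may reconcile away until the fix ships.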

              People: Mulham Raee (rh-ee-mraee), Jie Zhao
              Votes: 0
              Watchers: 5