This is a clone of issue OCPBUGS-62121. The following is the description of the original issue:
Description of problem:
4.20+ Cluster Storage Operator added a NetworkPolicy to deny all egress by default: https://github.com/openshift/cluster-storage-operator/blob/0d84b8a1273851b9766d46ecc418dc72aa99315e/manifests/0000_90_cluster-storage-operator_10_network-policy-cso-deny-all.yaml#L4
There is a podSelector NetworkPolicy with a label selector to allow certain pods KAS access: https://github.com/openshift/cluster-storage-operator/blob/0d84b8a1273851b9766d46ecc418dc72aa99315e/manifests/09_network-policy-cso-allow-egress-to-api-server.yaml#L19
However, this port is hardcoded to `6443`. HyperShift allows the port to be customized where KAS is available on the node, so if `hostedcluster.spec.networking.apiServer.port` is set to anything but the default `6443`, all pods in the namespace will be unable to access KAS.
Version-Release number of selected component (if applicable):
4.20+
How reproducible:
Always
Steps to Reproduce:
1. Set `hostedcluster.spec.networking.apiServer.port` to `2040`
Actual results:
Observe pods in `openshift-cluster-storage-operator` fail to reach KAS
Expected results:
Cluster Storage Operator works fine
Additional info:
https://github.com/openshift/cluster-storage-operator/pull/596
- clones: OCPBUGS-62121 Cluster Storage Operator's allow-egress-to-api-server NetworkPolicy is not compatible with HyperShift's KAS port customization (Verified)
- is blocked by: OCPBUGS-62121 Cluster Storage Operator's allow-egress-to-api-server NetworkPolicy is not compatible with HyperShift's KAS port customization (Verified)
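The failure described above can be checked offline by evaluating the additive NetworkPolicy egress rules for a pod against the configured KAS port. This is an added example, not code from cluster-storage-operator or HyperShift; the two policies are constructed stand-ins for the linked manifests, and the label `egress-to-kas` and all function names are hypothetical.

```python
# Added example: evaluates NetworkPolicy egress port rules for one pod.
# Only matchLabels and ports are modelled; matchExpressions, named ports and
# the "to" peers of a rule are ignored (destination is assumed to match).

def selects(selector, labels):
    """True if every matchLabels entry matches (an empty selector selects all pods)."""
    wanted = (selector or {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())

def port_allowed(rule, port, protocol="TCP"):
    """True if one egress rule permits the port; a rule without 'ports' allows all."""
    ports = rule.get("ports")
    if not ports:
        return True
    for p in ports:
        if p.get("protocol", "TCP") != protocol:
            continue
        low = p.get("port")
        if low is None:                      # protocol given, any port
            return True
        if isinstance(low, int) and low <= port <= p.get("endPort", low):
            return True
    return False

def egress_allowed(policies, pod_labels, port):
    """A pod is egress-isolated once any Egress policy selects it; after that only
    the union of the selecting policies' egress rules is permitted."""
    selecting = [p["spec"] for p in policies
                 if ("Egress" in p["spec"].get("policyTypes", []) or "egress" in p["spec"])
                 and selects(p["spec"].get("podSelector"), pod_labels)]
    if not selecting:
        return True
    return any(port_allowed(r, port) for s in selecting for r in s.get("egress", []))

# Constructed policies: deny-all egress plus a label-scoped allow on TCP 6443.
DENY_ALL = {"spec": {"podSelector": {}, "policyTypes": ["Egress"]}}
ALLOW_KAS = {"spec": {"podSelector": {"matchLabels": {"egress-to-kas": "allow"}},
                      "policyTypes": ["Egress"],
                      "egress": [{"ports": [{"protocol": "TCP", "port": 6443}]}]}}
POLICIES = [DENY_ALL, ALLOW_KAS]
OPERATOR_POD = {"egress-to-kas": "allow"}    # hypothetical pod labels

def report(kas_port):
    ok = egress_allowed(POLICIES, OPERATOR_POD, kas_port)
    return f"KAS port {kas_port}: {'allowed' if ok else 'BLOCKED'}"

if __name__ == "__main__":
    for kas_port in (6443, 2040):            # default port, then the port from the report
        print(report(kas_port))
```
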