Bug
Resolution: Unresolved
Critical
None
4.20, 4.21
Description of problem:
The 4.20+ operator-marketplace added a NetworkPolicy to deny all egress by default: https://github.com/operator-framework/operator-marketplace/blob/e88619ea60753b276b2d813e050d8cfbbfce5a41/manifests/13_networkpolicy_default-deny.yaml

There are two network policies to allow certain pods KAS access:
- https://github.com/operator-framework/operator-marketplace/blob/e88619ea60753b276b2d813e050d8cfbbfce5a41/manifests/14_networkpolicy_marketplace-operator.yaml#L26
- https://github.com/operator-framework/operator-marketplace/blob/e88619ea60753b276b2d813e050d8cfbbfce5a41/manifests/15_networkpolicy_unpack-bundles.yaml#L27

However, this port is hardcoded to `6443`. HyperShift allows the port to be customized where KAS is available on the node, so if `hostedcluster.spec.networking.apiServer.port` is set to anything but the default `6443`, all pods in the namespace will be unable to access KAS.
Version-Release number of selected component (if applicable):
4.20+
How reproducible:
Always
Steps to Reproduce:
1. Set `hostedcluster.spec.networking.apiServer.port` to `2040`
2. Try to install an operator like GitOps
Actual results:
Observe that the unpack-bundle pods fail with
```
Error: error loading manifests from directory: Get "https://172.21.0.1:443/api/v1/namespaces/openshift-marketplace/configmaps/686dc2c1aafed816a1208a089f7611e971fbacc4da53579fa8e3dfc2cff895c": dial tcp 172.21.0.1:443: i/o timeout
```
Expected results:
Installing an operator works
Additional info:
It is possible that `olmCatalogPlacement: "guest"` must be set as well for this issue to occur; I have not tested this with anything else.
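The following check is an added example, not part of the original report and not the operator-marketplace code: it evaluates NetworkPolicy egress port rules for a pod and shows why a policy pinned to `6443` stops allowing KAS traffic once the port is `2040`. The two policies, their names and the `app: unpack` label are constructed stand-ins for the linked manifests; only `matchLabels` selectors and explicit `policyTypes` are handled, and `to` peers are not evaluated.

```python
# Constructed policies modelled on the report; NOT the operator-marketplace manifests.
# The "app: unpack" label and the policy names are hypothetical.
DEFAULT_DENY = {
    "metadata": {"name": "default-deny"},
    "spec": {"podSelector": {}, "policyTypes": ["Egress"]},
}
ALLOW_KAS = {
    "metadata": {"name": "allow-kas-6443"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "unpack"}},
        "policyTypes": ["Egress"],
        "egress": [{"ports": [{"protocol": "TCP", "port": 6443}]}],
    },
}

def selects(policy, pod_labels):
    """matchLabels-only selector check; an empty selector selects every pod."""
    want = policy["spec"].get("podSelector", {}).get("matchLabels", {})
    return all(pod_labels.get(k) == v for k, v in want.items())

def port_matches(rule, port, protocol="TCP"):
    """A rule without `ports` allows every port; `endPort` turns a port into a range."""
    ports = rule.get("ports")
    if not ports:
        return True
    for p in ports:
        if p.get("protocol", "TCP") != protocol:
            continue
        if "port" not in p:  # protocol-only entry: all ports of that protocol
            return True
        low = p["port"]  # named (string) ports need the pod spec, so they are skipped
        if isinstance(low, int) and low <= port <= p.get("endPort", low):
            return True
    return False

def egress_allowed(policies, pod_labels, port):
    """Return (allowed, names of allowing policies). Policies are additive:
    a pod selected by any Egress policy is denied unless some rule matches."""
    applying = [p for p in policies
                if "Egress" in p["spec"].get("policyTypes", []) and selects(p, pod_labels)]
    if not applying:
        return True, []  # no policy isolates this pod for egress
    allowing = [
        p["metadata"]["name"] for p in applying
        if any(port_matches(r, port) for r in p["spec"].get("egress", []))
    ]
    return bool(allowing), allowing
```

Running `egress_allowed` over the rendered policies with the cluster's configured API server port makes a mismatch like the one in this report visible before an operator install times out.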