OpenShift Bugs: OCPBUGS-69761

allowedCIDRBlocks removed should also remove the LoadBalancerSourceRanges for the external router LoadBalancer service

      *Cause*: When a HyperShift HostedCluster uses external DNS domains, allowedCIDRBlocks are only applied to the internal kube-apiserver ClusterIP service, not the external router LoadBalancer service.
      *Consequence*: External clients can access the kube-apiserver from any IP address, bypassing configured CIDR restrictions.
      *Fix*: Added LoadBalancerSourceRanges configuration to the external router LoadBalancer service.
      *Result*: External kube-apiserver access is now properly restricted to the specified allowedCIDRBlocks.

      Description of problem:

      When a HostedCluster is configured with external DNS domains and the `allowedCIDRBlocks` configuration in `spec.networking.apiServer.allowedCIDRBlocks` is later removed, the CIDR restrictions are still applied to external traffic flowing through the router LoadBalancer service: its `loadBalancerSourceRanges` field keeps the old ranges instead of being cleared.

      Version-Release number of selected component (if applicable):

          HyperShift 4.21

      How reproducible:

          Always

      Steps to Reproduce:

      1. Create a HostedCluster with External DNS Domain on AWS platform
      2. Set `spec.platform.aws.endpointAccess` to `PublicAndPrivate`
      3. Configure `spec.networking.apiServer.allowedCIDRBlocks` with restricted CIDR ranges:
         ```yaml
         spec:
           networking:
             apiServer:
               allowedCIDRBlocks:
                 - "100.48.157.95/32"
                 - "54.237.188.126/32"
                 ...
         ```
      4. Deploy the cluster and wait for external router service to be created
      5. Remove `spec.networking.apiServer.allowedCIDRBlocks` from the HostedCluster.

      Actual results:

      - The external router LoadBalancer service still has `loadBalancerSourceRanges` configured, even though the HostedCluster's `spec.networking` no longer carries an `apiServer.allowedCIDRBlocks` entry:

      ```
      oc get hc 42bf4c7dc31c50417e48 -o=jsonpath={.spec.networking} |jq
      {
        "clusterNetwork": [
          {
            "cidr": "10.132.0.0/14"
          }
        ],
        "machineNetwork": [
          {
            "cidr": "10.0.0.0/16"
          }
        ],
        "networkType": "OVNKubernetes",
        "serviceNetwork": [
          {
            "cidr": "172.31.0.0/16"
          }
        ]
      }
      ```

      ```
      oc get svc router -n clusters-42bf4c7dc31c50417e48 -o jsonpath='{.spec.loadBalancerSourceRanges}' |jq
      [
        "100.48.157.95/32",
        "54.237.188.126/32",
        "100.49.106.204/32"
      ]
      ```

      Expected results:

      - Once `allowedCIDRBlocks` is removed from the HostedCluster, the external router LoadBalancer service should have its `loadBalancerSourceRanges` cleared as well, so that the Service's restrictions always mirror the HostedCluster spec.
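An added drift check, not part of this bug report or of HyperShift, that compares the HostedCluster's `allowedCIDRBlocks` with the router Service's `loadBalancerSourceRanges` as printed by the jsonpath query above; it assumes the allowed list has already been read from the HostedCluster and the Service field is passed in as the raw jsonpath string (empty when the field is unset).

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// diffSourceRanges compares the HostedCluster's spec.networking.apiServer.allowedCIDRBlocks
// (desired) with the router Service's .spec.loadBalancerSourceRanges as printed by jsonpath
// (actual). "stale" lists ranges the Service still carries although the HostedCluster no
// longer allows them (the drift in this bug); "missing" lists allowed ranges the Service
// lacks. An empty svc string, which jsonpath prints for an unset field, means no ranges.
func diffSourceRanges(allowed []string, svcRangesJSON string) (stale, missing []string, err error) {
	var actual []string
	if s := strings.TrimSpace(svcRangesJSON); s != "" {
		if e := json.Unmarshal([]byte(s), &actual); e != nil {
			return nil, nil, fmt.Errorf("parse loadBalancerSourceRanges: %w", e)
		}
	}
	desired := map[string]bool{}
	for _, c := range allowed {
		desired[c] = true
	}
	for _, c := range actual {
		if desired[c] {
			delete(desired, c) // satisfied; whatever remains in desired is missing
		} else {
			stale = append(stale, c)
		}
	}
	for c := range desired {
		missing = append(missing, c)
	}
	sort.Strings(stale)
	sort.Strings(missing)
	return stale, missing, nil
}

func main() {
	// Constructed sample matching the outputs quoted in this bug: allowedCIDRBlocks has been
	// removed from the HostedCluster, but the router Service still lists three source ranges.
	var allowed []string
	svc := `["100.48.157.95/32","54.237.188.126/32","100.49.106.204/32"]`
	stale, missing, err := diffSourceRanges(allowed, svc)
	fmt.Println("stale:", stale, "missing:", missing, "err:", err)
}
```

A non-empty "stale" list after the HostedCluster has been reconciled is exactly the condition this bug describes and is what a post-reconcile check should fail on.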

      Additional info:


      People: Mulham Raee (rh-ee-mraee), Ying Zhou (yinzhou@redhat.com)