Feature
Resolution: Unresolved
Critical
Feature Overview (aka. Goal Summary)
Resolve network operators that have open ports without services (missing EndpointSlices).
Goals (aka. expected user outcomes)
The goal of this Feature is to ensure that no EndpointSlices (which are created automatically for every Service on the cluster) are missing as a result of core networking operator deployment, as identified by the Communication Matrix Project.
The Communication Matrix Project has identified that 3 network operators (detailed below) expose open ports that have no corresponding Service. Missing EndpointSlices currently identified:
- openshift-sdn:
  - 18080 (worker and master nodes, TCP protocol)
  - 9444 (master node, TCP protocol)
  - 9445 (master node, TCP protocol)
  - 53 (worker and master nodes, TCP and UDP protocols)
- ovn-kubernetes:
  - 9107 (worker and master nodes, TCP protocol)
  - 10256 (worker and master nodes, TCP protocol)
  - 6081 (worker and master nodes, UDP protocol)
- cluster-network-operator:
  - 8080 (master node, TCP protocol)
Requirements (aka. Acceptance Criteria):
Ensure there are no missing EndpointSlices that are the result of OpenShift Networking operators.
To find EndpointSlices without corresponding Services:
kubectl get endpointslices -A -o json | jq '.items[] | select(.metadata.ownerReferences == null)'
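The jq filter above reports EndpointSlices that no Service owns; the acceptance criterion is the opposite direction, listening ports that no Service-owned EndpointSlice covers. The following script is an added example, not part of this ticket or of any OpenShift operator, that performs both checks offline against a constructed sample in the shape of `kubectl get endpointslices -A -o json` (namespaces, names and the covered ports 9103/9104 are illustrative values, not cluster data) and a constructed port list modelled on the ticket's communication-matrix entries.

```python
"""Cross-check listening ports against EndpointSlices.

Added example; not part of the original feature ticket. It works on the JSON
shape returned by `kubectl get endpointslices -A -o json`, using a constructed
sample instead of a live cluster.
"""
import json
from collections import defaultdict

# Constructed sample in the shape of `kubectl get endpointslices -A -o json`.
# Namespaces, names and ports are illustrative, not taken from a real cluster.
SAMPLE_ENDPOINTSLICES_JSON = json.dumps({
    "items": [
        {
            "metadata": {
                "namespace": "openshift-ovn-kubernetes",
                "name": "ovn-kubernetes-node-abc12",
                "ownerReferences": [{"kind": "Service", "name": "ovn-kubernetes-node"}],
            },
            "ports": [{"name": "metrics", "port": 9103, "protocol": "TCP"}],
        },
        {
            "metadata": {
                "namespace": "openshift-network-operator",
                "name": "metrics-xyz",
                "ownerReferences": [{"kind": "Service", "name": "metrics"}],
            },
            "ports": [{"name": "metrics", "port": 9104, "protocol": "TCP"}],
        },
        {
            # Orphan slice: no ownerReferences, so no Service created it.
            "metadata": {"namespace": "default", "name": "hand-made-slice"},
            "ports": [{"port": 8443, "protocol": "TCP"}],
        },
    ]
})

# Constructed list of listening ports in the style of the communication matrix:
# (operator, port, protocol). Entries for 9107/10256/6081/8080 mirror the ticket.
LISTENING_PORTS = [
    ("ovn-kubernetes", 9103, "TCP"),
    ("ovn-kubernetes", 9107, "TCP"),
    ("ovn-kubernetes", 10256, "TCP"),
    ("ovn-kubernetes", 6081, "UDP"),
    ("cluster-network-operator", 8080, "TCP"),
    ("cluster-network-operator", 9104, "TCP"),
]


def load_slices(raw_json):
    """Return the EndpointSlice objects from a kubectl JSON list."""
    return json.loads(raw_json)["items"]


def orphan_endpointslices(slices):
    """Equivalent of the ticket's jq filter: slices with no ownerReferences,
    i.e. not created by the EndpointSlice controller for a Service."""
    return [
        f'{s["metadata"]["namespace"]}/{s["metadata"]["name"]}'
        for s in slices
        if not s["metadata"].get("ownerReferences")
    ]


def covered_ports(slices):
    """Set of (port, protocol) pairs exposed by some Service-owned EndpointSlice."""
    covered = set()
    for s in slices:
        if not s["metadata"].get("ownerReferences"):
            continue  # orphan slices do not count as a Service backing a port
        for p in s.get("ports") or []:
            if p.get("port") is not None:
                covered.add((p["port"], p.get("protocol", "TCP")))
    return covered


def ports_without_endpointslice(listening, slices):
    """Return listening ports with no Service-owned EndpointSlice, grouped by operator."""
    covered = covered_ports(slices)
    missing = defaultdict(list)
    for operator, port, proto in listening:
        if (port, proto) not in covered:
            missing[operator].append((port, proto))
    return dict(missing)


if __name__ == "__main__":
    slices = load_slices(SAMPLE_ENDPOINTSLICES_JSON)
    print("EndpointSlices without an owning Service:", orphan_endpointslices(slices))
    for operator, ports in ports_without_endpointslice(LISTENING_PORTS, slices).items():
        for port, proto in ports:
            print(f"{operator}: {port}/{proto} has no EndpointSlice")
```

To run it against a real cluster, replace `SAMPLE_ENDPOINTSLICES_JSON` with the output of `kubectl get endpointslices -A -o json` and `LISTENING_PORTS` with the ports from the communication matrix; the protocol is part of the key on purpose, so a UDP listener such as 6081 is not mistaken as covered by a TCP-only EndpointSlice on the same port number.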
Anyone reviewing this Feature needs to know which deployment configurations the Feature will apply to (or not) once it has been completed. Describe specific needs (or indicate N/A) for each of the following deployment scenarios. For specific configurations that are out of scope for a given release, also provide the OCPSTRAT for the configuration to be supported in the future.
Deployment considerations | List applicable specific needs (N/A = not applicable) |
Self-managed, managed, or both | |
Classic (standalone cluster) | |
Hosted control planes | |
Multi node, Compact (three node), or Single node (SNO), or all | |
Connected / Restricted Network | |
Architectures, e.g. x86_x64, ARM (aarch64), IBM Power (ppc64le), and IBM Z (s390x) | |
Operator compatibility | |
Backport needed (list applicable versions) | |
UI need (e.g. OpenShift Console, dynamic plugin, OCM) | |
Other (please specify) | |
Use Cases:
- As an OpenShift administrator, I require for cluster security that any unused ports opened by OpenShift Operators be closed or firewalled, so that only necessary ports are exposed.
Questions to Answer:
Out of Scope
Background
- EndpointSlices are references to a subset of Pod IPs and ports that implement a Service.
- The Communication Matrix Project aims to automatically generate an accurate and up-to-date communication flows matrix that can be delivered to customers as part of product documentation for all ingress flows of OpenShift.
- The communication matrix is designed to help customers apply nftables rules appropriately based on the required ports for operating an OpenShift cluster.
- For accurate documentation, all ports must have corresponding EndpointSlices.
- Any port that does not appear in this matrix would be blocked.
Documentation Considerations