NetworkPolicies still block egress traffic to OIDC provider #8407
Labels: kind/bug, sig/networking
Description
The changes implemented as part of #8255 unfortunately don't allow egress traffic from the apiserver of a user cluster to the OIDC provider in all cases. Given the following situation, the network policy `oidc-issuer-allow` will still not allow the outgoing traffic: the OIDC provider is exposed through an `Ingress` served by the NGINX ingress controller, whose service is of type `LoadBalancer`, so the external IP address of the OIDC provider is the `.status.loadBalancer.ingress` address of that `LoadBalancer` service.

In the situation described above the outgoing requests from the apiserver to the OIDC provider will not be routed to the external IP address of the load balancer, but directly to the cluster-internal IP addresses of the endpoints of the NGINX ingress controller service, and therefore bypass the load balancer completely. Since the network policy `oidc-issuer-allow` whitelists only the external IP address of the configured OIDC provider (or in this case the external IP address of the load balancer), all requests will be blocked. This behavior is known and described in kubernetes/kubernetes#66607 and KEP-1860.
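The following manifests are an added illustration of the two policy shapes discussed above; they are not Kubermatic's own manifests, and the namespace name, pod labels and IP address are assumptions. The first policy allows egress only to the load balancer address, which is what blocks the hairpinned traffic once kube-proxy has rewritten the destination to an ingress controller pod IP. The second keeps that rule and additionally selects the NGINX ingress controller pods themselves, so the post-DNAT destination is also admitted.

```yaml
# Added example, not the project's own manifests. Namespace, labels and the
# IP address are assumptions / constructed values.
#
# 1) Policy as described in the issue: egress from the apiserver only to the
#    OIDC provider's external (load balancer) address. When the provider sits
#    behind the in-cluster NGINX ingress controller, kube-proxy rewrites the
#    load balancer IP to an ingress controller pod IP and no rule matches it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: oidc-issuer-allow
  namespace: cluster-abc123            # assumption: user cluster namespace
spec:
  podSelector:
    matchLabels:
      app: apiserver                   # assumption: apiserver pod label
  policyTypes:
    - Egress
  egress:
    - to:
        - ipBlock:
            cidr: 203.0.113.10/32      # constructed: .status.loadBalancer.ingress IP
      ports:
        - protocol: TCP
          port: 443
---
# 2) Same policy with a second rule that also admits the ingress controller
#    pods, selected by namespace and pod labels rather than by pod IP, so the
#    rule stays valid when the controller pods are rescheduled. The ipBlock
#    rule is kept for the case where the issuer really is external.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: oidc-issuer-allow
  namespace: cluster-abc123
spec:
  podSelector:
    matchLabels:
      app: apiserver
  policyTypes:
    - Egress
  egress:
    - to:
        - ipBlock:
            cidr: 203.0.113.10/32
      ports:
        - protocol: TCP
          port: 443
    - to:
        # namespaceSelector and podSelector in one "to" entry are ANDed:
        # only pods matching both labels in that namespace are allowed.
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: nginx-ingress-controller   # assumption
          podSelector:
            matchLabels:
              app.kubernetes.io/name: ingress-nginx                   # assumption
      ports:
        - protocol: TCP
          port: 443                    # assumption: controller's HTTPS container port
```

Whether a CNI evaluates `ipBlock` rules against the pre- or post-DNAT destination is plugin-specific, so a fix of this kind should be verified against the CNI actually in use by checking that the apiserver can reach the issuer both when it resolves to an in-cluster ingress controller and when it is a genuinely external address.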
Steps to reproduce
`kubectl --kubeconfig=... cluster-info`
Environment