Fixes Ingress Load Balancer ACL #1893
Conversation
The ACL was accidentally being configured on the cluster load balancer instead of the gateway load balancer. Signed-off-by: Tim Rozet <trozet@redhat.com>
@@ -371,6 +371,10 @@ func (ovn *Controller) createService(service *kapi.Service) error { | |||
break | |||
} | |||
if svcQualifiesForReject(service) { | |||
gateways, _, err := ovn.getOvnGateways() |
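Review bot: the err returned by `ovn.getOvnGateways()` on the new line must be checked before `gateways` is used; the hunk ends at the assignment, so make sure the lines that follow return (or at least log and skip the reject ACL) on a non-nil err instead of silently iterating an empty slice, which would leave a service with no endpoints without the intended reject rule. The second return value is discarded with `_`; a short comment saying what is being ignored and why would help readers of this block, since the surrounding function already carries a lot of similar code.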
Note: looking over the createService function, there is a lot of code duplication, and some of this stuff doesn't make much sense anymore. I'll look at cleaning up this function in another PR.
@trozet I've tested it only adding the reject ACL on the portgroup and it works for clusterIP and NodePorts for me, but maybe I'm missing something: why do we need to add reject on the switches if it will always be rejected by the portgroup?
Think about shared gateway mode and a packet coming into the OVN GR destined for the host IP (node port). It will end up hitting the IP of the GR and the GR will consume the packet. That's why we have a load balancer there. If you put the ACL for node port on the portgroup only, the ACL would never block external access to the node port, because the DNAT would have already happened in the GR. For the ingress load balancer, the GR may forward that to the cluster router, but then the cluster router wouldn't know what to do with it and would probably route it back out the DGP, and definitely not to the worker switch, so that would never hit the port group ACL either.
, the ACL would never block external access to the node port, because the DNAT would have already happened in the GR
if there are no endpoints ... what DNAT is performed?
this is working for me (in local mode) if I add a reject to the VIP of the (nodePortIP:NodePortPort) and add it to the PortGroup
my question is, which ports belong to the clusterPortGroup?
I didn't try in shared gw though
I just confirmed that services without endpoints reject correctly in local gateway mode using an ACL for portgroups only, because the NodePort adds iptables rules to the ClusterIP
I need to test in shared gw with ACL for portgroups only, but there are more things failing with shared gw and nodeports
running this downstream to make sure:
/lgtm But regardless, it passes our downstream CI, so it's clearly more correct than what was there before.