EK DNS netpol does not allow port 5353 for Openshift
Bug
Description
Attempting to deploy a fresh bigbang 1.11.0, all the logging-ek-* pods fail to come up. I was able to find this error in the elasticsearch container logs:
BindTransportException[Failed to resolve publish address]; nested: UnknownHostException[logging-ek-es-data-0.logging-ek-es-data.logging.svc: Name or service not known]; Likely root cause: java.net.UnknownHostException: logging-ek-es-data-0.logging-ek-es-data.logging.svc: Name or service not known
Openshift version 4.6.4
Found that removing all network policies in the logging namespace allows all the pods to come up succesfully.
BigBang Version
1.11.0
Activity
assigned to @ryan.j.garcia and @kenna81
@dyoung do you have a value set for
networkPolicies.controlPlaneCidr? As well asopenshift.enabled=truewithin the bigbang chart values?Edited by Ryan Garcia-
@dyoung we'll need some info if you will be able to exec into the pods and run some curl commands, along with what openshift version you're running. If you can exec into one of the
logging-ek-es-data-#pods and try and curl one of those endpoints it says "Name or service not known" for and verify in-cluster DNS resolution is truly blocked.That issue above has been seen before but was fixed in versions of the elasticsearch-kibana package a few weeks ago.
We have a specific network policy to allow DNS communication specifically to alleviate this issue, please ensure this networkpolicy is present when networkPolicies are enabled: https://repo1.dso.mil/platform-one/big-bang/apps/core/elasticsearch-kibana/-/blob/main/chart/templates/bigbang/networkpolicies/kube-dns-egress.yaml
Edited by Ryan Garcia 
@ryan.j.garcia we don't have openshift.enabled=true, but we have openshift: true, which is how we've always had it.
looks like we're using the default of controlPlaneCidr: 0.0.0.0/0
We are using openshift version 4.6.4.
I can definitely exec in and run some curl tests. I'll look for that netpol now and try some curls to verify DNS access
-
Looks like DNS is blocked:
[istio-proxy@logging-ek-es-data-0 /]$ curl -G logging-ek-es-data-0.logging-ek=es=data.logging.svc curl: (6) Could not resolve host: logging-ek-es-data-0.logging-ek=es=data.logging.svcAnd I do see that allow-dns-egress netpol in my cluster's logging ns:
spec: podSelector: {} egress: - ports: - protocol: UDP port: 53 to: - namespaceSelector: {} policyTypes: - EgressEdited by Duncan Young changed milestone to %1.14.0
changed iteration to Big Bang Iterations Jul 27, 2021 - Aug 9, 2021
unassigned @kenna81 and @ryan.j.garcia
added Good First Issue kindenhancement logging labels
added BB Customer Issues label
changed iteration to Big Bang Iterations Jul 13, 2021 - Jul 26, 2021
changed milestone to %1.13.0
changed milestone to %1.14.0
changed iteration to Big Bang Iterations Jul 27, 2021 - Aug 9, 2021
assigned to @blloyd
added statusdoing label
changed iteration to Big Bang Iterations Jul 13, 2021 - Jul 26, 2021
mentioned in merge request !677 (closed)
Submitted MR:
https://repo1.dso.mil/platform-one/big-bang/apps/core/elasticsearch-kibana/-/merge_requests/59
Will submit second MR when approved
added statusreview label and removed statusdoing label
changed iteration to Big Bang Iterations Jul 27, 2021 - Aug 9, 2021
https://repo1.dso.mil/platform-one/big-bang/apps/core/elasticsearch-kibana/-/merge_requests/59 approved moving to doing.
added statusdoing label and removed statusreview label
mentioned in merge request !716 (merged)
-
added statusreview label and removed statusdoing label
closed with merge request !716 (merged)
mentioned in commit bf2ffab6
removed statusreview label