Uploaded image for project: 'OpenShift Virtualization'
  1. OpenShift Virtualization
  2. CNV-31896

[2230274] Test authentication policy from mesh fails from VM

XMLWordPrintable

      **
      This bug was originally open for the service-mesh team:
      https://issues.redhat.com/browse/OSSM-4551
      **

      Unable to perform curl request from a VM to a service running in the same service-mesh-member namespace. The same request sent from the VM's virt-launcher pod is successful.

      Version:
      Seen on a BM cluster (bm02-ibm) with version v4.11.5, and OpenShiftSDN CNI:

      oc get clusterversion
      NAME      VERSION   AVAILABLE   PROGRESSING   SINCE   STATUS
      version   4.11.45   True        False         38h     Cluster version is 4.11.45

      oc get csv -A | grep Virtualization
      openshift-cnv                                      kubevirt-hyperconverged-operator.v4.11.5          OpenShift Virtualization                         4.11.5                    kubevirt-hyperconverged-operator.v4.11.4   Succeeded

      oc get csv -n istio-system       
      NAME                                       DISPLAY                                          VERSION                   REPLACES                     PHASE
      jaeger-operator.v1.42.0-5-0.1687199951.p   Red Hat OpenShift distributed tracing platform   1.42.0-5+0.1687199951.p   jaeger-operator.v1.34.1-5    Succeeded
      kiali-operator.v1.65.7                     Kiali Operator                                   1.65.7                    kiali-operator.v1.65.6       Succeeded
      servicemeshoperator.v2.4.1                 Red Hat OpenShift Service Mesh                   2.4.1-0                   servicemeshoperator.v2.4.0   Succeeded

      Steps:
      1. Create namespace service-mesh-test-service-mesh

      2. Create a ServiceMeshMemberRoll default:
      cat << EOF | oc create -f -
      apiVersion: maistra.io/v1
      kind: ServiceMeshMemberRoll
      metadata:
        name: default
        namespace: istio-system
      spec:
        members:
        - service-mesh-test-service-mesh
      EOF

      3. Create a VM service-mesh-vm:
      cat << EOF | oc create -f -
      apiVersion: kubevirt.io/v1
      kind: VirtualMachine
      metadata:
        name: service-mesh-vm
        namespace: service-mesh-test-service-mesh
      spec:
        running: true
        template:
          metadata:
            annotations:
              sidecar.istio.io/inject: 'true'
            labels:
              debugLogs: 'true'
              kubevirt.io/domain: service-mesh-vm
              kubevirt.io/vm: service-mesh-vm
          spec:
            domain:
              devices:
                disks:
                - disk:
                    bus: virtio
                  name: containerdisk
                rng: {}
              resources:
                requests:
                  memory: 128M
            volumes:
            - containerDisk:
                image: kubevirt/cirros-container-disk-demo:latest
              name: containerdisk
      EOF

      4. Create a Service service-mesh-vm-service-mesh-vm:
      cat << EOF | oc create -f -
      apiVersion: v1
      kind: Service
      metadata:
        name: service-mesh-vm-service-mesh-vm
        namespace: service-mesh-test-service-mesh
      spec:
        ipFamilyPolicy: null
        ports:
        - port: 8000
          protocol: TCP
        selector:
          kubevirt.io/domain: service-mesh-vm
        sessionAffinity: None
        type: null
      EOF

      5. Create Deployment httpbin-v1-dp:
      cat << EOF | oc create -f -
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: httpbin-v1-dp
        namespace: service-mesh-test-service-mesh
      spec:
        replicas: 1
        selector:
          matchLabels:
            app: httpbin
            version: v1
        template:
          metadata:
            annotations:
              sidecar.istio.io/inject: 'true'
            labels:
              app: httpbin
              version: v1
          spec:
            containers:
            - command:
              - gunicorn
              - -b
              - 0.0.0.0:8000
              - httpbin:app
              - -k
              - gevent
              image: quay.io/verygoodsecurity/httpbin:0.1.80
              imagePullPolicy: Always
              name: httpbin-v1-dp
              ports:
              - containerPort: 8080
            restartPolicy: Always
            serviceAccountName: httpbin
      EOF

      6. Create ServiceAccount httpbin:
      cat << EOF | oc create -f -
      apiVersion: v1
      kind: ServiceAccount
      metadata:
        name: httpbin
        namespace: service-mesh-test-service-mesh

      EOF

      7. Create Service httpbin:
      cat << EOF | oc create -f -
      apiVersion: v1
      kind: Service
      metadata:
        name: httpbin
        namespace: service-mesh-test-service-mesh
      spec:
        ports:
        - port: 8000
          protocol: TCP
        selector:
          app: httpbin
      EOF

      8. Create PeerAuthentication default-pa:
      cat << EOF | oc create -f -
      apiVersion: security.istio.io/v1beta1
      kind: PeerAuthentication
      metadata:
        name: default-pa
        namespace: service-mesh-test-service-mesh
      spec:
        mtls:
          mode: STRICT
      EOF

      9. Connect to the VM:
      virtctl console service-mesh-vm

      10. Send a curl request to the httpbin service:
      curl http://httpbin:8000/ip

      Expected output:

      {   "origin": "127.0.0.6" }

      Actual output:
      curl: (6) Couldn't resolve host 'httpbin'

      If in steps 9-10, I'll connect to the VM virt-launcher pod and run the same curl command:
      oc exec -it virt-launcher-service-mesh-vm – bash

      I'll get the expected output containing the 127.0.0.6 IP address.

      I'm including the virt-launcher pod's logs.

            sbahar Shahaf Bahar
            rh-ee-awax Anat Wax
            Anat Wax Anat Wax
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

              Created:
              Updated: