Make the ingress operator hostNetwork

[danwinship]

We're considering blocking access from the pod network to the AWS metadata IP by default. Even if we don't do it in openshift-sdn, there may be other network plugins that implement this behavior. (The 169.254.0.0/16 range is supposed to be "link-local", so it's technically incorrect to route traffic for 169.254.169.254 from br0 to eth0.) So this makes the ingress operator run as hostNetwork. (As seen in openshift/origin#22826, the ingress operator is currently the only OpenShift pod that tries to reach the metadata IP from the pod network.)

It's possible that it depends on being non-hostNetwork in some way in which case this will totally break things? Let's see what e2e-aws says...

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: danwinship
To fully approve this pull request, please assign additional approvers.
We suggest the following additional approver: ironcladlou

If they are not already assigned, you can assign the PR to them by writing /assign @ironcladlou in a comment when ready.

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[danwinship]

We may want this to go in for 4.1 so it would be good to know if @openshift/sig-network-edge thinks there are any reasons not to

[ironcladlou]

Would really rather get the AWS region from cluster config (openshift/installer#1725) than switch to hostNetwork given the only use case is to get the AWS region...

[danwinship]

That makes sense

[cgwalters]

The other option is for the host to gather this (we already need to query it) and drop it in a file you can mount in and read. Though a downside of this is that mounting a host path would require privileges.

[danwinship]

Feel free to close this PR and replace it with an issue / bug / jira card for no longer using the metadata IP.

[danwinship]

Feel free to close this PR and replace it with an issue / bug / jira card for no longer using the metadata IP.

but @knobunc says we definitely want to block access to the metadata API for 4.1, so ingress is going to need some fix

[ironcladlou]

What if we go back to the deprecated kube-system/cluster-config-v1 ConfigMap for region pending openshift/installer#1725?

[ironcladlou]

See #238 for an alternative.

[ironcladlou]

Replaced by #238 which is less risky.
/close

[openshift-ci-robot]

@ironcladlou: Closed this PR.

Details

In response to this:

Replaced by #238 which is less risky.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.