ssl-passthrough breaks with RBAC

[Spindel]

NGINX Ingress controller version:
quay.io/aledbf/nginx-ingress-controller:0.271

Kubernetes version (use kubectl version):

Server Version: version.Info{Major:"1", Minor:"8", GitVersion:"v1.8.2+coreos.0", GitCommit:"4c0769e81ab01f47eec6f34d7f1bb80873ae5c2b", GitTreeState:"clean", BuildDate:"2017-10-25T16:24:46Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"linux/amd64"}

Environment:

CoreOS , On Premise installation,

• Cloud provider or hardware configuration:

IPv6 + ipv4, nginx ingress running in DaemonSet mode to act as frontend.

• OS (e.g. from /etc/os-release):

NAME="Container Linux by CoreOS"
ID=coreos
VERSION=1520.8.0
VERSION_ID=1520.8.0
BUILD_ID=2017-10-26-0342
PRETTY_NAME="Container Linux by CoreOS 1520.8.0 (Ladybug)"
ANSI_COLOR="38;5;75"
HOME_URL="https://coreos.com/"
BUG_REPORT_URL="https://issues.coreos.com"
COREOS_BOARD="amd64-usr"

• Kernel (e.g. uname -a):
  Linux coreos05.kub.modio.se 4.13.9-coreos Basic structure  #1 SMP Thu Oct 26 03:21:00 UTC 2017 x86_64 Intel(R) Xeon(R) CPU E5-2680 0 @ 2.70GHz GenuineIntel GNU/Linux

• Install tools:
  Ansible

• Others:

deployed with RBAC role from https://github.com/kubernetes/ingress-nginx/blob/master/deploy/rbac.yaml

What happened:

When disabling "AlwaysAllow" with rbac, containers started After that moment fail to get packets sent to them.

$ curl --tlsv1.2  -vvk  https://api.molom.modio.se
* Rebuilt URL to: https://api.molom.modio.se/
*   Trying 2a0a:8e40:0:154::5...
* TCP_NODELAY set
* Connected to api.molom.modio.se (2a0a:8e40:0:154::5) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* NSS error -5938 (PR_END_OF_FILE_ERROR)
* Encountered end of file
* stopped the pause stream!
* Closing connection 0
curl: (35) Encountered end of file

What you expected to happen:
I expected the traffic from ssl passthrough to arrive properly

How to reproduce it (as minimally and precisely as possible):

1. Turn on RBAC + Always Alllow in the cluster
2. Set up SSL passthrough
3. Test that it works
4. Remove AlwaysAllow & restart apiserver
5. restart TLS using pods
6. Failure

Anything else we need to know:

[dubuc]

Also experiencing this with ACS-Engine K8s 1.8.4 with RBAC enabled.

[dubuc]

@Spindel Rebuilding master fixes the issue for me in RBAC. #1870

[fejta-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

[fejta-bot]

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten
/remove-lifecycle stale

[fejta-bot]

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close