OCP4 - Unexpected 403 forbidden error intermittently on all routes when Big-IP (F5) OneConnect feature is enabled

Solution Verified - Updated -

Issue

  • When curling any route in the cluster, the application intermittently and unexpectedly returns HTTP status code 403.
  • Test routes such as https://canary-openshift-ingress-canary.apps.yourcluster.yourdomain (listed with oc get route -n openshift-ingress-canary) return a 403 permission denied response.
  • The error message forbidden: User "system:anonymous" cannot get path "/" is observed intermittently when curling routes or visiting publicly accessible addresses hosted on OpenShift:
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "forbidden: User \"system:anonymous\" cannot get path \"/\"",
  "reason": "Forbidden",
  "details": {},
  "code": 403
}
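
When measuring how often the error occurs, it helps to separate this exact response from a 403 that the application itself produced. The following is an added example, not part of the original article: it classifies responses by the Status body shown above and tallies them. The function names and the sample responses are constructed for illustration.

```python
import json
import urllib.error
import urllib.request

def is_anonymous_status_403(status, body):
    """True when the response is the Status object shown in this article."""
    if status != 403:
        return False
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return False  # HTML or plain-text 403, e.g. from the application itself
    return (isinstance(doc, dict)
            and doc.get("kind") == "Status"
            and doc.get("code") == 403
            and doc.get("reason") == "Forbidden"
            and "system:anonymous" in str(doc.get("message", "")))

def summarize(samples):
    """samples: iterable of (status, body). Returns counts per outcome."""
    out = {"total": 0, "ok": 0, "anonymous_403": 0, "other_error": 0}
    for status, body in samples:
        out["total"] += 1
        if is_anonymous_status_403(status, body):
            out["anonymous_403"] += 1
        elif 200 <= status < 400:
            out["ok"] += 1
        else:
            out["other_error"] += 1
    return out

def probe(url, attempts=50, timeout=5):
    """Fetch url repeatedly and yield (status, body) pairs for summarize()."""
    for _ in range(attempts):
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                yield resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:  # 4xx/5xx still carry a body
            yield err.code, err.read().decode("utf-8", "replace")

# Constructed sample responses (not captured from a real cluster).
STATUS_403 = json.dumps({"kind": "Status", "apiVersion": "v1", "metadata": {},
    "status": "Failure",
    "message": 'forbidden: User "system:anonymous" cannot get path "/"',
    "reason": "Forbidden", "details": {}, "code": 403})
SAMPLES = [(200, "Healthcheck requested"), (403, STATUS_403),
           (403, "<html>Access denied</html>"), (200, "Healthcheck requested")]

if __name__ == "__main__":
    print(summarize(SAMPLES))
```

Against a live cluster, pass `probe()` the canary route URL from the Issue section, for example `summarize(probe(url))`, and compare the `anonymous_403` count with `total`.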

Environment

  • Red Hat OpenShift Container Platform (RHOCP) 4.x
  • A Big-IP (F5) load balancer is in use for the platform
