Bug 1726045

Summary: cannot access to the service's externalIP with egressIP in openshift-ovs-multitenant environment
Product: OpenShift Container Platform
Reporter: Min Woo Park <mpark>
Component: Networking
Assignee: Casey Callendrello <cdc>
Networking sub component: openshift-sdn
QA Contact: zhaozhanqi <zzhao>
Status: CLOSED ERRATA
Docs Contact:
Severity: urgent
Priority: urgent
CC: anusaxen, aos-bugs, zzhao
Version: 3.11.0
Target Milestone: ---
Target Release: 4.2.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1733429 1737386 (view as bug list) Environment:
Last Closed: 2019-10-16 06:32:48 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1733429, 1737386

Comment 6 zhaozhanqi 2019-07-02 08:15:12 UTC
@weibin
Could you help with this bug if it can be reproduced? Thanks.

Comment 7 Min Woo Park 2019-07-04 06:00:25 UTC
Hi,

Any update for this?

Comment 18 Casey Callendrello 2019-07-13 00:09:24 UTC
OK, should have a fix for this. Wound up being easier than I thought.

master pr: https://github.com/openshift/origin/pull/23373

Comment 19 Casey Callendrello 2019-07-24 12:48:56 UTC
Master PR: https://github.com/openshift/sdn/pull/13

Will file backport PRs once this is VERIFIED.

Comment 21 zhaozhanqi 2019-07-25 07:22:25 UTC
Hi, Casey

In 4.2, when I create a service with 'externalip', it shows the error "Forbidden: externalIPs have been disabled".

I edited the 'networks.config.openshift.io' to add 'AllowedCIDRs: 10.73.0.0/14', see:

spec:
  clusterNetwork:
  - cidr: 10.128.0.0/14
    hostPrefix: 23
  externalIP:
    policy:
      AllowedCIDRs: 10.73.0.0/14
  networkType: OpenShiftSDN
  serviceNetwork:
  - 172.30.0.0/16

How do I make the 'AllowedCIDRs: 10.73.0.0/14' take effect after I updated this?

Comment 22 Casey Callendrello 2019-07-25 11:56:53 UTC
I answered this in chat as well, but capturing this here: allowedCIDRs needs to be lowercase-A and is an array. So it should look like:
spec:
  externalIP:
    policy:
      allowedCIDRs:
      - 10.73.0.0/14
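
Added example, not part of the bug thread or the OpenShift code base: a small Python check that lints an externalIP policy for the two mistakes discussed in comments 21 and 22 (wrong key case, scalar instead of list) and then tests a service IP against allowedCIDRs. The function names, the sample dicts and the rule that an unrecognized key counts as "not set" are assumptions made for illustration.

```python
import ipaddress

# Only the key named in the thread is modelled; other policy fields are out of scope.
KNOWN_POLICY_KEYS = {"allowedCIDRs"}

def lint_policy(spec):
    """Return a list of problems in spec['externalIP']['policy'] (empty list = OK)."""
    policy = (spec.get("externalIP") or {}).get("policy")
    if not policy:
        return ["no externalIP policy set"]
    problems = []
    by_lower = {k.lower(): k for k in KNOWN_POLICY_KEYS}
    for key, value in policy.items():
        if key not in KNOWN_POLICY_KEYS:
            hint = by_lower.get(key.lower())
            suffix = f", did you mean {hint!r}?" if hint else ""
            problems.append(f"unknown key {key!r}{suffix}")
            continue
        if not isinstance(value, list):
            problems.append(f"{key} must be a list of CIDRs, got {type(value).__name__}")
            continue
        for cidr in value:
            try:
                # strict=False masks host bits, so 10.73.0.0/14 parses as 10.72.0.0/14.
                ipaddress.ip_network(cidr, strict=False)
            except (ValueError, TypeError) as exc:
                problems.append(f"{key}: bad CIDR {cidr!r}: {exc}")
    return problems

def ip_allowed(spec, ip):
    """True only if the policy lints clean and ip falls inside an allowed CIDR."""
    if lint_policy(spec):
        return False  # assumption: a malformed policy allows nothing
    addr = ipaddress.ip_address(ip)
    nets = spec["externalIP"]["policy"].get("allowedCIDRs", [])
    return any(addr in ipaddress.ip_network(c, strict=False) for c in nets)

# Constructed inputs mirroring the two YAML snippets in comments 21 and 22.
AS_POSTED = {"externalIP": {"policy": {"AllowedCIDRs": "10.73.0.0/14"}}}
CORRECTED = {"externalIP": {"policy": {"allowedCIDRs": ["10.73.0.0/14"]}}}

if __name__ == "__main__":
    print(lint_policy(AS_POSTED))
    print(lint_policy(CORRECTED), ip_allowed(CORRECTED, "10.73.116.50"))
```

Because 10.73.0.0/14 has host bits set, the range it actually covers is 10.72.0.0 through 10.75.255.255, which is wider than the "10.73" prefix suggests when reviewing what the policy admits.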

Comment 24 Casey Callendrello 2019-07-26 14:28:06 UTC
Ah, interesting. It will work on freshly rebooted nodes. Looks like we need to clean up the old rule as well.

Comment 25 Casey Callendrello 2019-07-29 12:05:11 UTC
New PR merged, please re-QE: https://github.com/openshift/sdn/pull/17

Comment 28 errata-xmlrpc 2019-10-16 06:32:48 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2922