Bug 1891515
| Summary: | OVN-Kubernetes - egress IP not working on Azure | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | acossett |
| Component: | Documentation | Assignee: | Jason Boxman <jboxman> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Xiaoli Tian <xtian> |
| Severity: | urgent | Docs Contact: | Vikram Goyal <vigoyal> |
| Priority: | unspecified | ||
| Version: | 4.6.z | CC: | aconstan, acossett, aos-bugs, avishnoi, jokerman |
| Target Milestone: | --- | ||
| Target Release: | 4.7.0 | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-11-23 20:45:51 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
acossett
2020-10-26 13:59:43 UTC
Assigning to doc team to update the documentation @Jason: when I wrote: https://github.com/openshift/openshift-docs/pull/25126#issuecomment-705768076 I didn't mean to say that we should add that to the doc (my fault for missing that in the code review) Egress IP is completely unsupported and has never been tested on any other provider but bare metal. Thus, for what concerns this section: https://docs.okd.io/latest/networking/ovn_kubernetes_network_provider/configuring-egress-ips-ovn.html#nw-egress-ips-platform-support_configuring-egress-ips-ovn I think we should either mention that specifically, or remove that section entirely so that customers don't get the impression that it is. Alternatively you could apply the same "note" as done here: https://docs.openshift.com/container-platform/3.11/admin_guide/managing_networking.html#admin-guide-limit-pod-access-egress-router /Alexander Moreover, I just want to mention that: egress IP on Azure, GCP or AWS does not make any sense. Ingress/Egress traffic on all of these cloud platform goes in/out their load balancers / NAT gateway. This means that the core functionality of egress IP will never work on any of these platforms, even if you would correctly assign an additional IP to the VM's NIC and have that working with OpenShift and RHCOS (which obviously isn't the case today). The point of egress IP is for customers to clearly identify traffic originating from a set of pods/namespaces. Given that most cloud providers use cloud LBs, means that: traffic originating from Azure (for example) would hit the customer's network with the source IP being the public IP associated with Azure's LB, not the egress IP assigned to the node in that Azure cluster. This is why egress IP, as implemented by openshift-sdn and ovn-kubernetes, has been a feature intended for bare metal clusters. This might come to change in the future, but that would require some re-thinking in terms of how networking is configured for OpenShift on GCP/AWS/Azure/and the likes - which is something which has not been done until now. /Alex (In reply to Alexander Constantinescu from comment #2) > Moreover, I just want to mention that: egress IP on Azure, GCP or AWS does > not make any sense. > > Ingress/Egress traffic on all of these cloud platform goes in/out their load > balancers / NAT gateway. This means that the core functionality of egress IP > will never work on any of these platforms, even if you would correctly > assign an additional IP to the VM's NIC and have that working with OpenShift > and RHCOS (which obviously isn't the case today). > > The point of egress IP is for customers to clearly identify traffic > originating from a set of pods/namespaces. Given that most cloud providers > use cloud LBs, means that: traffic originating from Azure (for example) > would hit the customer's network with the source IP being the public IP > associated with Azure's LB, not the egress IP assigned to the node in that > Azure cluster. > > This is why egress IP, as implemented by openshift-sdn and ovn-kubernetes, > has been a feature intended for bare metal clusters. > > This might come to change in the future, but that would require some > re-thinking in terms of how networking is configured for OpenShift on > GCP/AWS/Azure/and the likes - which is something which has not been done > until now. > > /Alex This need to be rethink, the solution work in the cloud, and the LB is not the only outgoing traffic type. Customer needs to identify the application per source IP even in the cloud (not only on BM on prem). vnet1 -> other vnet, vnet to gateway etc. For now the solution works as manual egress IP like in OVS, but documentation is missing a step for ovn or its unclear because the egress ip example with the namespace refer to a label and not the namespace name. OVS -- With Cloud https://docs.openshift.com/container-platform/4.5/networking/openshift_sdn/assigning-egress-ips.html#considerations-manual-egress-ips OVN -- With Cloud https://docs.okd.io/latest/networking/ovn_kubernetes_network_provider/configuring-egress-ips-ovn.html For this issue/confusion, I suggest we update the documentation example
1. Step label namespace or pod or else to match the example selector (oc label namespace myproject name=namespace1)
namespaceSelector:
matchLabels:
name: namespace1
2. Create the egressIP with previously created labels
apiVersion: k8s.ovn.org/v1
kind: EgressIP
metadata:
name: egressips
spec:
egressIPs:
- 192.168.126.10
- 192.168.126.102
namespaceSelector:
matchLabels:
name: namespace1
status:
assignments:
- node: node1
egressIP: 192.168.126.10
- node: node3
egressIP: 192.168.126.102
I'm confused as to what the suggested documentation update is and where it belongs in the documentation. Can you elaborate on your example? Thanks! So I've created the following PR to clarify platform support: https://github.com/openshift/openshift-docs/pull/26718 |