Bug 2025467

Summary: [OVN-K][ETP=local] Host to service backed by ovn pods doesn't work for ExternalTrafficPolicy=local
Product: OpenShift Container Platform Reporter: Surya Seetharaman <surya>
Component: NetworkingAssignee: Surya Seetharaman <surya>
Networking sub component: ovn-kubernetes QA Contact: Anurag saxena <anusaxen>
Status: CLOSED ERRATA Docs Contact:
Severity: medium    
Priority: high    
Version: 4.10   
Target Milestone: ---   
Target Release: 4.10.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-03-10 16:29:53 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Surya Seetharaman 2021-11-22 10:07:36 UTC
Description of problem:

Current traffic flow for ETP=local for host1->svc(host1IP:NP)->ovn-k pod:

1) traffic from host gets DNAT-ed to clusterIP svc using iptables
2) traffic sent to br-ex
3) hits the GR load balancer
4) gets DNAT-ed to the backend pods,
5) depending on if this is on the same node or a different one, we'll have packet delivered to the pod if its on the same node, or it passes via geneve tunnel to the destination node where the pod lives.

This neither retains the sourceIP nor respects the ETP=local. 

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. create a nodeport service with ETP=local
2. docker exec -it ovn-worker bash
3. curl ovn-workerIP:nodePort

Actual results:
It hits any backend pod i.e its treated like ETP=cluster


Expected results:
Should only hit local node pod i.e treat it like ETP=local


Additional info:

Comment 1 Surya Seetharaman 2022-01-04 11:39:37 UTC
Opened upstream fix: https://github.com/ovn-org/ovn-kubernetes/pull/2737

Comment 8 errata-xmlrpc 2022-03-10 16:29:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056