Bug 2075548
| Summary: | Support AllocateLoadBalancerNodePorts=False with ETP=local, LGW mode | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Konstantinos <kkarampo> |
| Component: | Networking | Assignee: | Surya Seetharaman <surya> |
| Networking sub component: | ovn-kubernetes | QA Contact: | Arti Sood <asood> |
| Status: | CLOSED ERRATA | Docs Contact: | |
| Severity: | medium | | |
| Priority: | medium | CC: | asood, ffernand, philipp.dallig, surya |
| Version: | 4.10 | Keywords: | Triaged |
| Target Milestone: | --- | | |
| Target Release: | 4.13.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2023-05-17 22:46:32 UTC | Type: | Bug |

This is a known bug, and we haven't implemented the support for LB without NodePorts yet. It is being worked on. Will keep the bug updated.

https://github.com/ovn-org/ovn-kubernetes/pull/3151 takes a first stab at doing this.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: OpenShift Container Platform 4.13.0 security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:1326

Description of problem:

Service of type LoadBalancer (using metallb in BGP) is not working if `allocateLoadBalancerNodePorts: false` and `externalTrafficPolicy: Local` are set.

Version-Release number of selected component (if applicable):

```
oc get clusterversion
NAME      VERSION   AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.10.6    True        False         6d3h    Cluster version is 4.10.6
```

How reproducible:

```
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-localpolicy-nodeport
  namespace: metallb-system
spec:
  allocateLoadBalancerNodePorts: true
  externalTrafficPolicy: Local
  internalTrafficPolicy: Local
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: http
  selector:
    app: nginx
  type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-localpolicy
  namespace: metallb-system
spec:
  allocateLoadBalancerNodePorts: false
  externalTrafficPolicy: Local
  internalTrafficPolicy: Local
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: http
  selector:
    app: nginx
  type: LoadBalancer
```

Steps to Reproduce:
1. Apply the services in a working metallb setup
2. Curl from an external-to-cluster client

Actual results:

Service with NodePort works, Service without NodePort does not work.

Expected results:

Additional info:

I suspect that it is because

```
oc get svc nginx-localpolicy-nodeport
NAME                         TYPE           CLUSTER-IP       EXTERNAL-IP    PORT(S)        AGE
nginx-localpolicy-nodeport   LoadBalancer   172.30.227.212   192.168.50.2   80:31274/TCP   54m
```

the node port is actually being used in a NAT rule that directs the packet into ovn

```
sh-4.4# iptables -t nat -nvL OVN-KUBE-EXTERNALIP
Chain OVN-KUBE-EXTERNALIP (2 references)
 pkts bytes target     prot opt in     out     source               destination
    2   120 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.50.2         tcp dpt:80 to:169.254.169.3:31274
```
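
A diagnostic sketch for the suspicion in the description above, added here as an example and not part of the bug report or of ovn-kubernetes: it cross-checks each LoadBalancer VIP against the DNAT rules in the `OVN-KUBE-EXTERNALIP` chain and flags Services that have no rule and no allocated node port. The helper names, the Service objects and the VIP 192.168.50.3 are constructed for illustration; the iptables lines are the ones quoted in the report.

```python
# iptables output copied from the report (chain OVN-KUBE-EXTERNALIP on one node).
IPTABLES = """\
Chain OVN-KUBE-EXTERNALIP (2 references)
 pkts bytes target     prot opt in     out     source               destination
    2   120 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.50.2         tcp dpt:80 to:169.254.169.3:31274
"""

def sample_service(name, allocate, vip, node_port=None):
    """Constructed, trimmed stand-in for one item of `oc get svc -o json`."""
    port = {"port": 80, "protocol": "TCP", **({"nodePort": node_port} if node_port else {})}
    return {"metadata": {"name": name},
            "spec": {"type": "LoadBalancer", "externalTrafficPolicy": "Local",
                     "allocateLoadBalancerNodePorts": allocate, "ports": [port]},
            "status": {"loadBalancer": {"ingress": [{"ip": vip}]}}}

# 192.168.50.3 is a made-up VIP; the report does not show the second Service's address.
SERVICES = {"items": [sample_service("nginx-localpolicy-nodeport", True, "192.168.50.2", 31274),
                      sample_service("nginx-localpolicy", False, "192.168.50.3")]}

def parse_dnat_rules(text):
    """Map (proto, dest IP, dest port) -> DNAT target from `iptables -t nat -nvL` output."""
    rules = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 12 and f[2] == "DNAT" and f[10].startswith("dpt:") and f[11].startswith("to:"):
            rules[(f[3], f[8], int(f[10][4:]))] = f[11][3:]
    return rules

def audit(services, rules):
    """For every LoadBalancer VIP:port, report whether a DNAT rule exists and what it targets."""
    rows = []
    for svc in services["items"]:
        spec = svc["spec"]
        if spec.get("type") != "LoadBalancer":
            continue
        for ing in svc.get("status", {}).get("loadBalancer", {}).get("ingress", []):
            for p in spec.get("ports", []):
                target = rules.get((p.get("protocol", "TCP").lower(), ing.get("ip"), p["port"]))
                node_port = p.get("nodePort")
                no_np_local = node_port is None and spec.get("externalTrafficPolicy") == "Local"
                status = "ok" if target else ("missing-dnat-no-nodeport" if no_np_local else "missing-dnat")
                rows.append({"service": svc["metadata"]["name"], "status": status,
                             "vip": f"{ing.get('ip')}:{p['port']}",
                             "dnat_via_nodeport": bool(target and node_port and target.endswith(f":{node_port}"))})
    return rows

if __name__ == "__main__":
    print(*audit(SERVICES, parse_dnat_rules(IPTABLES)), sep="\n")
```

On a cluster, the inputs would be the parsed output of `oc get svc -A -o json` and the chain listing taken on the node that hosts the backend pod.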