Description of problem: Source pod IP is not preserved when contacting a cluster IP service due to docker adding a masquerade rule that masqs all packets with a source IP coming from the OpenShift SDN on the node.

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
38774 2326K MASQUERADE all  --  *      !lbr0   10.1.1.0/24          0.0.0.0/0

This issue was addressed for the kubernetes network plugins [0][1] but still exists for the OpenShift plugins.

[0] https://github.com/kubernetes/kubernetes/pull/27132
[1] https://github.com/kubernetes/kubernetes/issues/27110
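The following is an added example, not part of the bug report above or of OpenShift's own code. It shows how to confirm on a node that the quoted POSTROUTING rule is the one rewriting pod source addresses: a MASQUERADE rule that matches the pod subnet as source and carries no destination exclusion will rewrite traffic to ClusterIP services along with everything else. The sample rules are constructed from the shape quoted in the report; the second rule, with a `! -d` exclusion for the hypothetical cluster CIDR 10.1.0.0/16, is only there for contrast with what the upstream kubernetes change did, and, as the later comments in this thread explain, such an exclusion alone is not the fix for the OpenShift plugins because they also enforce pod isolation.

```shell
#!/bin/sh
# Added example: find POSTROUTING MASQUERADE rules that rewrite the source of
# every packet leaving a pod subnet, regardless of destination.

# Constructed sample in `iptables-save -t nat` format (not captured from a node).
# Rule 1 is the shape quoted in the report: source 10.1.1.0/24, out-interface
# !lbr0, no destination exclusion. Rule 2 excludes a hypothetical cluster CIDR
# (10.1.0.0/16, an assumption) and is included only for contrast.
SAMPLE_RULES='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.1.1.0/24 ! -o lbr0 -j MASQUERADE
-A POSTROUTING -s 10.1.1.0/24 ! -d 10.1.0.0/16 ! -o lbr0 -j MASQUERADE
COMMIT'

# Print each POSTROUTING MASQUERADE rule whose source is the given pod subnet
# and which has no "! -d" destination exclusion. Such a rule masquerades
# pod-to-ClusterIP traffic too, so the service backend sees the node IP.
#   $1    = pod subnet exactly as it appears in the rule, e.g. 10.1.1.0/24
#   stdin = iptables-save output
find_unscoped_masq() {
    grep -- "^-A POSTROUTING .*-s $1 " \
        | grep -- '-j MASQUERADE' \
        | grep -v -- '! -d ' || true
}

# Exit 0 if at least one such rule exists on stdin, i.e. the pod source IP is
# NOT preserved for traffic leaving the pod subnet; exit 1 otherwise.
pod_source_is_masqueraded() {
    [ -n "$(find_unscoped_masq "$1")" ]
}

# Stand-alone run against the constructed sample; on a real node replace the
# printf with:  iptables-save -t nat | find_unscoped_masq 10.1.1.0/24
printf '%s\n' "$SAMPLE_RULES" | find_unscoped_masq 10.1.1.0/24
```

The check deliberately keys on the absence of any `! -d` exclusion rather than on a particular CIDR, since the report does not state the cluster service range; when you know it, tighten the last `grep -v` to that CIDR so a rule excluding some unrelated network is still flagged.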
This requires an enhancement. It is not as simple as changing the masquerade rules as upstream did because we enforce pod isolation. I have created a trello card to track the feature request (linked above).
Unfortunately, while we have some ideas for how this might be achieved, they are all dependent on other work that is unlikely to land soon. So, while we would love to land this feature, it's just not technically possible within the next six months. So I'm closing this WONTFIX, but we will work towards it when it is possible.
We are not going to add it to the multi-tenant networking plugin... BUT. The good news is that the network policy plugin already supports this feature.
This bug has been identified as a dated (created more than 3 months ago) bug. This bug has been triaged (has a trello card linked to it), or reviewed by Engineering/PM, and has been put into the product backlog; however, this bug has not been slated for a currently planned release (3.9, 3.10 or 3.11), which cover our releases for the rest of the calendar year. As a result of this bug's age, state on the current roadmap and PM Score (being below 70), this bug is being Closed - Deferred, as it is currently not part of the product's immediate priorities. Please see: https://docs.google.com/document/d/1zdqF4rB3ea8GmVIZ7qWCVYUaQ7-EexUrQEF0MTwdDkw/edit for more details.