Bug 1411969 - Source pod ip is not preserved when contacting a cluster ip service
Summary: Source pod ip is not preserved when contacting a cluster ip service
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: RFE
Version: 3.3.1
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Marc Curry
QA Contact: Xiaoli Tian
Depends On:
Reported: 2017-01-10 21:32 UTC by Ryan Howe
Modified: 2021-06-10 11:48 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2018-03-12 13:54:36 UTC
Target Upstream Version:


External tracker: Origin (Github) 11042, Private: 0, Priority: None, Status: None, Summary: None, Last Updated: 2017-01-27 18:12:07 UTC

Description Ryan Howe 2017-01-10 21:32:50 UTC
Description of problem:

Source pod ip is not preserved when contacting a cluster ip service due to docker adding a masquerade rule that masquerades all packets with a source IP coming from the OpenShift SDN on the node.

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
38774 2326K MASQUERADE  all  --  *      !lbr0   

This issue was addressed for the kubernetes network plugins [0][1] but still exists for the OpenShift Plugins. 

[0] https://github.com/kubernetes/kubernetes/pull/27132
[1] https://github.com/kubernetes/kubernetes/issues/27110
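A node-side check for the condition described above, added here as an example and not part of the bug report or of OpenShift: it parses `iptables -t nat -L POSTROUTING -v -n` output and flags MASQUERADE rules that leave via `!lbr0` with an unrestricted destination, the shape quoted in the report. The sample chains, the pod CIDR 10.128.0.0/14 and the bridge name lbr0 are constructed assumptions, and the check assumes no earlier RETURN rule already exempts service traffic.

```shell
#!/bin/sh
# Added example (not from the bug report): detect the catch-all MASQUERADE rule
# that rewrites the pod source IP before a ClusterIP service endpoint sees it.
# Service DNAT happens in nat PREROUTING, so by POSTROUTING the destination is
# already the endpoint pod; a rule that excludes the pod network therefore
# leaves pod-to-service traffic alone.

# Constructed output in the shape of `iptables -t nat -L POSTROUTING -v -n`;
# CIDRs are sample values, not taken from the report.
BROKEN_POSTROUTING='Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
38774 2326K MASQUERADE  all  --  *      !lbr0   10.128.0.0/14        0.0.0.0/0'

# Same chain with the rule restricted to destinations outside the pod network.
FIXED_POSTROUTING='Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
38774 2326K MASQUERADE  all  --  *      !lbr0   10.128.0.0/14       !10.128.0.0/14'

# Print one line per MASQUERADE rule whose out-interface is "!<bridge>" and whose
# destination is unrestricted. Columns of -L -v -n output:
# pkts bytes target prot opt in out source destination
find_catchall_masq() {
  awk -v br="!${1:-lbr0}" '
    $3 == "MASQUERADE" && $7 == br && $9 == "0.0.0.0/0" {
      printf "catch-all masquerade: %s -> %s via %s\n", $8, $9, $7
    }'
}

# Number of catch-all rules in the chain text given as $1 (bridge name in $2).
count_catchall_masq() {
  printf '%s\n' "$1" | find_catchall_masq "${2:-lbr0}" | awk 'END { print NR }'
}

# Exit status 0 when pod source IPs survive, 1 when a catch-all rule rewrites them.
source_ip_preserved() {
  [ "$(count_catchall_masq "$1" "${2:-lbr0}")" -eq 0 ]
}

# On a live node: iptables -t nat -L POSTROUTING -v -n | find_catchall_masq lbr0
```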

Comment 3 Ben Bennett 2017-01-27 18:16:23 UTC
This requires an enhancement.  It is not as simple as changing the masquerade rules as upstream did because we enforce pod isolation.  I have created a trello card to track the feature request (linked above).

Comment 4 Ben Bennett 2017-03-14 17:19:21 UTC
Unfortunately, while we have some ideas for how this might be achieved, they are all dependent on other work that is unlikely to land soon.

So, while we would love to land this feature, it's just not technically possible within the next six months.  So I'm closing this WONTFIX, but we will work towards it when it is possible.

Comment 8 Ben Bennett 2018-01-08 19:09:52 UTC
We are not going to add it to the multi-tenant networking plugin... BUT.  The good news is that the network policy plugin already supports this feature.

Comment 9 Eric Rich 2018-03-12 13:54:36 UTC
This bug has been identified as a dated (created more than 3 months ago) bug.
This bug has been triaged (has a trello card linked to it) or reviewed by Engineering/PM and has been put into the product backlog;
however, this bug has not been slated for a currently planned release (3.9, 3.10 or 3.11), which cover our releases for the rest of the calendar year.

As a result of this bug's age, state on the current roadmap and PM Score (being below 70), this bug is being Closed - Deferred,
as it is currently not part of the product's immediate priorities.

Please see: https://docs.google.com/document/d/1zdqF4rB3ea8GmVIZ7qWCVYUaQ7-EexUrQEF0MTwdDkw/edit for more details.
