Document URL: https://docs.openshift.com/container-platform/3.3/admin_guide/managing_pods.html#admin-guide-limit-pod-access-egress-router

Section Number and Name: Limiting Pod Access with an Egress Router

Describe the issue: If a cloud provider or virtualization platform does allow outbound requests on the default gateway from "MAC/IP" combinations that are not directly mapped to what the hypervisor defined, you will see this issue, because the "hypervisor router or switch" will reject traffic from these interfaces. Most (or all) cloud providers / virtualization platforms implement some form of MAC filter at the networking layer. This restriction/configuration makes it impossible for you to use the egress router functionality, because traffic leaving the egress router simply gets dropped by the cloud provider or virtualization platform because (as stated above) it is not coming from the defined IP/MAC that the guest VM was created with.

Suggestions for improvement: Improve the warning (which right now is OpenStack specific) to ensure that MAC filtering is disabled.
For RHEV this would mean turning off options like:
>> set EnableMACAntiSpoofingFilterRules to false
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.2/html/Administration_Guide/Red_Hat_Enterprise_Virtualization_Manager_configuration_options_explanations_limitations_and_best_practices.html

For VMware this would mean following something like:
http://pubs.vmware.com/vsphere-4-esxi-installable-vcenter/index.jsp?topic=/com.vmware.vsphere.esxi_server_config.doc_40_u1/esx_server_config/securing_an_esx_configuration/c_securing_virtual_switch_ports.html
>> The following shows that this filtering happens by default:
>> http://pubs.vmware.com/vsphere-4-esxi-installable-vcenter/index.jsp?topic=/com.vmware.vsphere.esxi_server_config.doc_40_u1/esx_server_config/securing_an_esx_configuration/c_forged_transmissions.html

For OpenStack this would mean configuring:
>> https://access.redhat.com/solutions/2803331
This is already provided in the explanation (warning today).

Additional information:
Work in progress: https://github.com/openshift/openshift-docs/pull/3641
The doc looks good. Verify the bug.
Commits pushed to master at https://github.com/openshift/openshift-docs

https://github.com/openshift/openshift-docs/commit/dcfccff4a089150ad1f7957bb9d045fc158db8ee
Bug 1412827, Added more information about disabling MAC filtering for the Egress Router

https://github.com/openshift/openshift-docs/commit/97af5a379c51dd3159e4c9aa027bd69f643c1663
Merge pull request #3641 from ahardin-rh/mac-filtering
Bug 1412827, Added more information about disabling MAC filtering for the Egress Router
Content is now published: https://access.redhat.com/documentation/en-us/openshift_container_platform/3.4/html/cluster_administration/admin-guide-manage-pods#admin-guide-limit-pod-access-egress-router