Description of problem:
After removing the egressIP assigned to the netnamespace, the pods in the project will still use the egressIP to reach the outside network.

Version-Release number of selected component (if applicable):
v3.9.0-0.34.0
openvswitch 2.7.3

How reproducible:
always

Steps to Reproduce:
1. Set up a multi-node env
2. Create a project and have pods in it
3. Add an egressIP to the hostsubnet of any node
4. Add the above egressIP to the project's netnamespace
5. Try to access outside from the pods
6. Remove the egressIP from the netnamespace
7. Try to access outside from the pods
8. Remove the egressIP from the hostsubnet
9. Try to access outside from the pods

Actual results:
5. The pods will reach outside with the egressIP as source IP.
7. The pods will still reach outside with the egressIP as source IP.
9. The pods will lose outside connection.

Expected results:
7. The pods should use the landed node IP as the source IP.
9. The pods should be able to access the outside network.

Additional info:
Related openflow rules attached.

Pod info:
$ oc get po -o wide
NAME            READY     STATUS    RESTARTS   AGE       IP             NODE
test-rc-6ck6c   1/1       Running   0          47m       10.128.0.38    ose-node1.bmeng.local
test-rc-dpns6   1/1       Running   0          47m       10.128.2.196   ose-node2.bmeng.local

Node info:
$ oc get po -o wide
NAME            READY     STATUS    RESTARTS   AGE       IP             NODE
test-rc-6ck6c   1/1       Running   0          47m       10.128.0.38    ose-node1.bmeng.local
test-rc-dpns6   1/1       Running   0          47m       10.128.2.196   ose-node2.bmeng.local

Project info:
# oc get netnamespace
NAME              NETID      EGRESS IPS
bmengpp           3031874    []
default           0          []
kube-public       13569059   []
kube-system       4330111    []
openshift         721723     []
openshift-infra   8764350    []
openshift-node    13969432   []

Egress IP is 10.66.140.100 for testing.
Created attachment 1389347: openflow_before_egressIP_added
Created attachment 1389348: openflow_after_egressIP_added
Created attachment 1389349: openflow_after_egressIP_removed_from_netnamespace
Created attachment 1389350: openflow_after_egressIP_removed_from_hostsubnet
https://github.com/openshift/origin/pull/18393
Checked on OCP v3.9.0-0.47.0. The egress IP will not take effect after it was removed from the netnamespace.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0489