Description of problem: I have a customer using the ovn-kubernetes network provider and needs to use NodePort, but it doesn't work properly. Although externalTrafficPolicy is set to Local, it works as set to Cluster. Version-Release number of selected component (if applicable): 4.6 How reproducible: Always Steps to Reproduce: 1. Use the ovn-kubernetes network provider $ oc describe Network.config.openshift.io cluster ~~~ Status: Cluster Network: Cidr: 10.128.0.0/14 Host Prefix: 23 Cluster Network MTU: 8901 Network Type: OVNKubernetes Service Network: 172.30.0.0/16 Events: <none> 2. Prepare a Pod and a NodePort with externalTrafficPolicy is set to Local $ oc get po example -o wide NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES example 1/1 Running 0 9h 10.128.3.37 ip-10-0-133-223.ap-northeast-1.compute.internal <none> <none> $ oc describe svc example Name: example Namespace: shishika01 Labels: app=hello-openshift Annotations: <none> Selector: app=hello-openshift Type: NodePort IP: 172.30.72.177 Port: <unset> 8080/TCP TargetPort: 8080/TCP NodePort: <unset> 31488/TCP Endpoints: 10.128.3.37:8080 Session Affinity: None External Traffic Policy: Local <----- Events: <none> 3. Send request from another node $ oc debug node/ip-10-0-129-151.ap-northeast-1.compute.internal sh-4.4# curl ip-10-0-131-240.ap-northeast-1.compute.internal:31488 Hello OpenShift! sh-4.4# curl ip-10-0-189-124.ap-northeast-1.compute.internal:31488 Hello OpenShift! sh-4.4# curl ip-10-0-209-113.ap-northeast-1.compute.internal:31488 Hello OpenShift! Actual results: Can access from other nodes. Expected results: Can't access from other nodes. Additional info:
I was able to recreate this on a local kind cluster currently investigating a fix.
@astoycos if we don't already have an OVN bug for this, can you make one? and then add a link to that (or an existing bug) as a dependency here?
ACK Just added the RFE
Upstream PR for the feature -> https://github.com/ovn-org/ovn-kubernetes/pull/2136
Verified this bug on 4.10.0-0.nightly-2021-09-17-190348 $ oc get svc -n z1 NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE hello-pod NodePort 172.30.110.103 <none> 27017:31999/TCP 5h5m $ oc get pod -n z1 -o wide NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES hello-pod 1/1 Running 0 5h7m 10.128.2.31 ip-10-0-215-31.us-east-2.compute.internal <none> <none> $ oc debug node/ip-10-0-142-22.us-east-2.compute.internal W0918 21:44:28.556373 32479 warnings.go:70] would violate "latest" version of "baseline" PodSecurity profile: host namespaces (hostNetwork=true, hostPID=true), hostPath volumes (volume "host"), privileged (container "container-00" must not set securityContext.privileged=true) Starting pod/ip-10-0-142-22us-east-2computeinternal-debug ... To use host binaries, run `chroot /host` Pod IP: 10.0.142.22 If you don't see a command prompt, try pressing enter. sh-4.4# chroot /host sh-4.4# curl ip-10-0-159-11.us-east-2.compute.internal:31999 curl: (7) Failed to connect to ip-10-0-159-11.us-east-2.compute.internal port 31999: Connection refused sh-4.4# curl ip-10-0-182-179.us-east-2.compute.internal:31999 curl: (7) Failed to connect to ip-10-0-182-179.us-east-2.compute.internal port 31999: Connection refused sh-4.4# curl ip-10-0-215-31.us-east-2.compute.internal:31999 Hello OpenShift! sh-4.4#
Will that be backported to earlier release like 4.7+ ? If not how on OVN we can achieve similar result NodePort externalTrafficPolicy=Local so it would preserve source IP ?
Surya let me know that this BZ lifts a limitation that was added to the 4.9 and earlier release versions of the docs. This PR is for 4.10 and removes the limitation: https://github.com/openshift/openshift-docs/pull/40824 Please review by Jan 21 PM Eastern.
*** Bug 2039971 has been marked as a duplicate of this bug. ***
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:0056