Bug 1903408 - NodePort externalTrafficPolicy does not work for ovn-kubernetes
Summary: NodePort externalTrafficPolicy does not work for ovn-kubernetes
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.6
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Target Release: 4.10.0
Assignee: Andrew Stoycos
QA Contact: Anurag saxena
Duplicates: 2039971
Depends On: 1927540
Blocks: 2060542 2079517
Reported: 2020-12-02 02:41 UTC by shishika
Modified: 2022-04-27 16:31 UTC (History)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Last Closed: 2022-03-10 16:02:33 UTC
Target Upstream Version:

Links:
System                  ID                                 Private  Priority  Status  Summary  Last Updated
Github                  openshift ovn-kubernetes pull 663  0        None      None    None     2021-08-17 20:36:17 UTC
Red Hat Product Errata  RHSA-2022:0056                     0        None      None    None     2022-03-10 16:02:50 UTC

Description shishika 2020-12-02 02:41:20 UTC
Description of problem:

I have a customer who is using the ovn-kubernetes network provider and needs to use NodePort, but it doesn't work properly.

Although externalTrafficPolicy is set to Local, it behaves as if it were set to Cluster.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:

1. Use the ovn-kubernetes network provider 

$ oc describe Network.config.openshift.io cluster 
  Cluster Network:
    Host Prefix:        23
  Cluster Network MTU:  8901
  Network Type:         OVNKubernetes
  Service Network:
Events:  <none>

2. Prepare a Pod and a NodePort Service with externalTrafficPolicy set to Local

$ oc get po example -o wide
NAME      READY   STATUS    RESTARTS   AGE   IP            NODE                                              NOMINATED NODE   READINESS GATES
example   1/1     Running   0          9h   ip-10-0-133-223.ap-northeast-1.compute.internal   <none>           <none>

$ oc describe svc example
Name:                     example
Namespace:                shishika01
Labels:                   app=hello-openshift
Annotations:              <none>
Selector:                 app=hello-openshift
Type:                     NodePort
Port:                     <unset>  8080/TCP
TargetPort:               8080/TCP
NodePort:                 <unset>  31488/TCP
Session Affinity:         None
External Traffic Policy:  Local <-----
Events:                   <none>

3. Send request from another node

$ oc debug node/ip-10-0-129-151.ap-northeast-1.compute.internal
sh-4.4# curl ip-10-0-131-240.ap-northeast-1.compute.internal:31488
Hello OpenShift!
sh-4.4# curl ip-10-0-189-124.ap-northeast-1.compute.internal:31488
Hello OpenShift!
sh-4.4# curl ip-10-0-209-113.ap-northeast-1.compute.internal:31488
Hello OpenShift!

Actual results:
Can access from other nodes.

Expected results:
Can't access from other nodes.

Additional info:

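One way to turn the manual curl check above into a repeatable test, added here as an example (it is not code from the report or from ovn-kubernetes): given the Service and Pod JSON that `oc get svc -o json` / `oc get pods -o json` print and a map of per-node probe results, it computes which nodes should answer under the declared externalTrafficPolicy and flags the nodes whose observed behaviour contradicts it. The embedded JSON subsets, the node names and the probe results are constructed for the example. The distinction matters beyond the reachability test: with Local, only nodes hosting an endpoint accept the NodePort and the client source IP is preserved, whereas if the policy silently behaves as Cluster, every node forwards and the pod sees the node's SNAT address, so source-IP-based allowlists and audit records no longer see the real client.

```python
"""Verify that a NodePort Service's externalTrafficPolicy is honored.

Added example; not part of the bug report or of ovn-kubernetes.  It
consumes the JSON that `oc get svc <name> -o json` and `oc get pods -o json`
print (constructed subsets are embedded below) plus per-node probe results,
and reports nodes whose observed reachability contradicts the policy.
"""
import json

# Constructed sample: the Service from the report, as `oc get svc -o json` shows it.
SERVICE_JSON = """{
  "metadata": {"name": "example", "namespace": "shishika01"},
  "spec": {
    "type": "NodePort",
    "externalTrafficPolicy": "Local",
    "selector": {"app": "hello-openshift"},
    "ports": [{"protocol": "TCP", "port": 8080,
               "targetPort": 8080, "nodePort": 31488}]
  }
}"""

# Constructed sample: pods in the namespace; only the first matches the selector.
PODS_JSON = """{"items": [
  {"metadata": {"name": "example", "labels": {"app": "hello-openshift"}},
   "spec": {"nodeName": "node-a"}, "status": {"phase": "Running"}},
  {"metadata": {"name": "unrelated", "labels": {"app": "other"}},
   "spec": {"nodeName": "node-b"}, "status": {"phase": "Running"}}
]}"""

# Constructed node names (placeholders for the cluster's worker nodes).
NODES = ["node-a", "node-b", "node-c"]

# Probe results: True when `curl <node>:<nodePort>` answered, False on
# "Connection refused".  The first map mirrors the behaviour in the report
# (every node answers); the second mirrors the verified fix (only the node
# hosting the pod answers).
OBSERVED_BEFORE_FIX = {"node-a": True, "node-b": True, "node-c": True}
OBSERVED_AFTER_FIX = {"node-a": True, "node-b": False, "node-c": False}


def load_sample():
    """Parse the embedded samples into fresh dicts."""
    return json.loads(SERVICE_JSON), json.loads(PODS_JSON)


def node_port(service, protocol="TCP"):
    """Return the first nodePort of the Service for the given protocol."""
    for p in service["spec"]["ports"]:
        if p.get("protocol", "TCP") == protocol and "nodePort" in p:
            return p["nodePort"]
    raise ValueError("service has no nodePort for %s" % protocol)


def endpoint_nodes(service, pods):
    """Nodes that host a Running pod matching the Service selector."""
    selector = service["spec"].get("selector", {})
    nodes = set()
    for pod in pods["items"]:
        if pod["status"].get("phase") != "Running":
            continue
        labels = pod["metadata"].get("labels", {})
        if all(labels.get(k) == v for k, v in selector.items()):
            nodes.add(pod["spec"]["nodeName"])
    return nodes


def expected_reachability(service, pods, nodes):
    """Per-node expectation: with Local only endpoint nodes answer; with
    Cluster every node forwards (via SNAT) as long as any endpoint exists."""
    policy = service["spec"].get("externalTrafficPolicy", "Cluster")
    local = endpoint_nodes(service, pods)
    if policy == "Local":
        return {n: n in local for n in nodes}
    return {n: bool(local) for n in nodes}


def find_violations(service, pods, nodes, observed):
    """Nodes whose observed reachability differs from the expectation,
    mapped to (expected, observed)."""
    expected = expected_reachability(service, pods, nodes)
    return {n: (expected[n], observed[n]) for n in nodes
            if expected[n] != observed[n]}


def probe_commands(service, nodes):
    """The curl probes to run from a node outside the set (what the
    reporter ran by hand from `oc debug node/...`)."""
    port = node_port(service)
    return ["curl -s -m 3 http://%s:%d/" % (n, port) for n in nodes]


if __name__ == "__main__":
    svc, pods = load_sample()
    print("probes:", *probe_commands(svc, NODES), sep="\n  ")
    print("before fix:", find_violations(svc, pods, NODES, OBSERVED_BEFORE_FIX))
    print("after fix: ", find_violations(svc, pods, NODES, OBSERVED_AFTER_FIX))
```

Run against live output by replacing the embedded JSON with the real `oc get` output and filling the observed map from the curl results; an empty violations dict means the policy is honored on every node probed.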
Comment 3 Andrew Stoycos 2020-12-22 17:33:35 UTC
I was able to recreate this on a local kind cluster; currently investigating a fix.

Comment 6 Dan Williams 2021-03-25 18:13:58 UTC
@astoycos if we don't already have an OVN bug for this, can you make one, and then add a link to that (or an existing bug) as a dependency here?

Comment 7 Andrew Stoycos 2021-03-25 18:29:45 UTC
ACK Just added the RFE

Comment 8 Andrew Stoycos 2021-04-01 19:46:50 UTC
Upstream PR for the feature -> https://github.com/ovn-org/ovn-kubernetes/pull/2136

Comment 12 zhaozhanqi 2021-09-18 13:46:54 UTC
Verified this bug on 4.10.0-0.nightly-2021-09-17-190348

$ oc get svc -n z1
NAME        TYPE       CLUSTER-IP       EXTERNAL-IP   PORT(S)           AGE
hello-pod   NodePort   <none>        27017:31999/TCP   5h5m

$ oc get pod -n z1 -o wide
NAME        READY   STATUS    RESTARTS   AGE    IP            NODE                                        NOMINATED NODE   READINESS GATES
hello-pod   1/1     Running   0          5h7m   ip-10-0-215-31.us-east-2.compute.internal   <none>           <none>

$ oc debug node/ip-10-0-142-22.us-east-2.compute.internal
W0918 21:44:28.556373   32479 warnings.go:70] would violate "latest" version of "baseline" PodSecurity profile: host namespaces (hostNetwork=true, hostPID=true), hostPath volumes (volume "host"), privileged (container "container-00" must not set securityContext.privileged=true)
Starting pod/ip-10-0-142-22us-east-2computeinternal-debug ...
To use host binaries, run `chroot /host`
Pod IP:
If you don't see a command prompt, try pressing enter.
sh-4.4# chroot /host

sh-4.4# curl ip-10-0-159-11.us-east-2.compute.internal:31999
curl: (7) Failed to connect to ip-10-0-159-11.us-east-2.compute.internal port 31999: Connection refused
sh-4.4# curl ip-10-0-182-179.us-east-2.compute.internal:31999
curl: (7) Failed to connect to ip-10-0-182-179.us-east-2.compute.internal port 31999: Connection refused
sh-4.4# curl ip-10-0-215-31.us-east-2.compute.internal:31999
Hello OpenShift!

Comment 15 msi_bacalm 2022-01-03 20:43:06 UTC
Will that be backported to earlier releases like 4.7+?

If not, how can we achieve a similar result on OVN (NodePort externalTrafficPolicy=Local) so that it preserves the source IP?

Comment 17 Mike McKiernan 2022-01-20 16:15:05 UTC
Surya let me know that this BZ lifts a limitation that was added to the 4.9 and earlier release versions of the docs.

This PR is for 4.10 and removes the limitation:


Please review by Jan 21 PM Eastern.

Comment 23 Mohamed Mahmoud 2022-02-17 16:17:09 UTC
*** Bug 2039971 has been marked as a duplicate of this bug. ***

Comment 25 errata-xmlrpc 2022-03-10 16:02:33 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.
