Bug 1959766 - Problem in trying to connect through the service to a member that is the same as the caller.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.6
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: high
Target Milestone: ---
Target Release: 4.7.z
Assignee: Michał Dulko
QA Contact: Itzik Brown
URL:
Whiteboard:
Depends On: 1920532
Blocks: 1963846
Reported: 2021-05-12 10:17 UTC by OpenShift BugZilla Robot
Modified: 2021-06-01 10:51 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: For hairpin traffic (traffic originating in a member of a Service and redirected by the load balancer to the same member), OVN changes the source IP of the packets to the IP of the LB. This affects OSPs with ovn-octavia-provider.
Consequence: If a Network Policy is applied, such traffic may be unnecessarily blocked.
Fix: Kuryr, when handling a Network Policy, will also open traffic from the IPs of all the Services in the NP's namespace.
Result: Hairpin traffic will be allowed in OSP deployments using ovn-octavia-provider.
Clone Of:
: 1963846
Environment:
Last Closed: 2021-05-24 17:15:19 UTC
Target Upstream Version:
Embargoed:
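
An added example, not code from Kuryr or from this bug report: a simplified Python model of the hairpin case described in the Doc Text, showing which client/member pairs a Network Policy admits before and after the namespace's Service IPs are opened. Pod names, IP addresses and function names are constructed for illustration.

```python
"""Simplified model of the hairpin case from the Doc Text (not Kuryr's code)."""
from ipaddress import ip_address, ip_network

# Constructed sample data: one namespace, one Service with two member pods.
POD_IPS = {"pod-a": "10.128.2.11", "pod-b": "10.128.2.12"}
SERVICE_IPS = ["172.30.10.20"]        # LB IP of the Service (constructed)
NP_ALLOWED_PODS = ["pod-a", "pod-b"]  # pods matched by the NP's ingress selector


def ingress_prefixes(allowed_pods, service_ips, open_service_ips):
    """Source prefixes the policy admits for ingress to the member pods."""
    prefixes = [ip_network(POD_IPS[p] + "/32") for p in allowed_pods]
    if open_service_ips:  # the fix: also admit every Service IP in the NP's namespace
        prefixes += [ip_network(ip + "/32") for ip in service_ips]
    return prefixes


def lb_forward(client_pod, member_pod, lb_ip):
    """Return (src, dst) of the packet as it arrives at the chosen member."""
    src = POD_IPS[client_pod]
    if client_pod == member_pod:
        src = lb_ip  # hairpin: OVN rewrites the source IP to the IP of the LB
    return src, POD_IPS[member_pod]


def admitted(src, prefixes):
    """True if the packet's source address falls in any admitted prefix."""
    return any(ip_address(src) in net for net in prefixes)


def verdicts(open_service_ips):
    """Verdict per (client, member) pair for traffic sent to the Service."""
    prefixes = ingress_prefixes(NP_ALLOWED_PODS, SERVICE_IPS, open_service_ips)
    out = {}
    for client in POD_IPS:
        for member in POD_IPS:
            src, _dst = lb_forward(client, member, SERVICE_IPS[0])
            out[(client, member)] = admitted(src, prefixes)
    return out


if __name__ == "__main__":
    for fixed in (False, True):
        print("Service IPs opened:", fixed)
        for (client, member), ok in verdicts(fixed).items():
            print("  %s -> %s: %s" % (client, member, "allow" if ok else "DROP"))
```

In this model, without the fix only the pairs where the load balancer selects the caller itself are dropped, so the same client can succeed or fail depending on which member is chosen.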


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | openshift kuryr-kubernetes pull 516 | 0 | None | open | [release-4.7] Bug 1959766: Fix NPs for OVN LBs with hairpin traffic | 2021-05-12 10:18:16 UTC
Red Hat Product Errata | RHSA-2021:1561 | 0 | None | None | None | 2021-05-24 17:15:28 UTC

Comment 3 Itzik Brown 2021-05-23 06:27:38 UTC
Kuryr tempest plugin test - test_network_policy_hairpin_traffic passed
OCP 4.7.0-0.nightly-2021-05-15-175435
OSP RHOS-16.1-RHEL-8-20210323.n.0

Comment 5 errata-xmlrpc 2021-05-24 17:15:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.12 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:1561

