Bug 1963846 - Problem in trying to connect through the service to a member that is the same as the caller.
Summary: Problem in trying to connect through the service to a member that is the same...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.6
Hardware: Unspecified
OS: Unspecified
medium
high
Target Milestone: ---
: 4.6.z
Assignee: Michał Dulko
QA Contact: Itzik Brown
URL:
Whiteboard:
Depends On: 1959766
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-05-24 07:52 UTC by Michał Dulko
Modified: 2021-06-08 13:54 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: For hairpin traffic (traffic originating in a member of a Service, redirected by the load balancer to the same member) OVN changes the source-IP of the packets to IP of the LB. This affects OSPs with ovn-octavia-provider. Consequence: If Network Policy is applied it may happen that such traffic will be unnecessarily blocked. Fix: Kuryr, when handling a Network Policy will also open traffic from IPs of all the Services in the NP's namespace. Result: Hairpin traffic will be allowed in OSP deployments using ovn-octavia-provider.
Clone Of: 1959766
Environment:
Last Closed: 2021-06-08 13:54:23 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift kuryr-kubernetes pull 518 0 None open Bug 1963846: Fix NPs for OVN LBs with hairpin traffic 2021-05-24 07:55:08 UTC
Red Hat Product Errata RHBA-2021:2157 0 None None None 2021-06-08 13:54:35 UTC

Comment 5 Itzik Brown 2021-06-02 10:55:05 UTC
Kuryr tempest plugin passed kuryr_tempest_plugin.tests.scenario.test_network_policy.NetworkPolicyScenario.test_network_policy_hairpin_traffic passed

OCP 4.6.0-0.nightly-2021-05-27-163935
OSP16.1 RHOS-16.1-RHEL-8-20210506.n.1

Comment 7 errata-xmlrpc 2021-06-08 13:54:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6.32 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:2157


Note You need to log in before you can comment on or make changes to this bug.