Description of problem:
We used to have a bug for OVN EgressIP, https://bugzilla.redhat.com/show_bug.cgi?id=2002657, which was fixed by PR https://github.com/ovn-org/ovn-kubernetes/pull/2495. According to the PR's comments, ovn-k uses the IP address assigned to ovn-k8s-mp0 as the liveness-detection IP for EgressIP. Following the verification steps in the above bug, it didn't work in an AWS OVN cluster.

Version-Release number of selected component (if applicable):
4.10.0-0.ci-2021-12-19-184945

How reproducible:
Always

Steps to Reproduce:
1. Tag one node as an egress node: ip-10-0-73-231.us-east-2.compute.internal

2. Create one EgressIP object:

   oc get egressip
   NAME        EGRESSIPS     ASSIGNED NODE                               ASSIGNED EGRESSIPS
   egressip1   10.0.73.235   ip-10-0-73-231.us-east-2.compute.internal   10.0.73.235

3. On node ip-10-0-73-231.us-east-2.compute.internal, add one iptables rule:

   iptables -A INPUT -i ovn-k8s-mp0 -p tcp --destination-port 9 -j DROP

   oc debug node/ip-10-0-73-231.us-east-2.compute.internal
   Starting pod/ip-10-0-73-231us-east-2computeinternal-debug ...
   To use host binaries, run `chroot /host`
   Pod IP: 10.0.73.231
   If you don't see a command prompt, try pressing enter.
   sh-4.4# chroot /host
   sh-4.4#
   sh-4.4# iptables -L INPUT --line-numbers
   Chain INPUT (policy ACCEPT)
   num  target         prot opt source     destination
   1    KUBE-FIREWALL  all  --  anywhere   anywhere
   sh-4.4#
   sh-4.4# iptables -L INPUT --line-numbers
   Chain INPUT (policy ACCEPT)
   num  target         prot opt source     destination
   1    KUBE-FIREWALL  all  --  anywhere   anywhere
   sh-4.4# iptables -A INPUT -i ovn-k8s-mp0 -p tcp --destination-port 9 -j DROP
   sh-4.4# iptables -L INPUT --line-numbers
   Chain INPUT (policy ACCEPT)
   num  target         prot opt source     destination
   1    KUBE-FIREWALL  all  --  anywhere   anywhere
   2    DROP           tcp  --  anywhere   anywhere     tcp dpt:discard

4. Check the EgressIP object.

Actual results:
The controller didn't detect the failure; the EgressIP was still assigned to that node.

$ oc get egressip
NAME        EGRESSIPS     ASSIGNED NODE                               ASSIGNED EGRESSIPS
egressip1   10.0.73.235   ip-10-0-73-231.us-east-2.compute.internal   10.0.73.235

Expected results:
The controller should detect the failure and reassign the EgressIP.

Additional info:
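The liveness mechanism the PR comments describe (a TCP probe to port 9 on each node's ovn-k8s-mp0 address, and reassignment of the EgressIP when that probe fails), as an added illustration in Go that is not ovn-kubernetes code: the node names and the 127.0.0.1 target are constructed, and the probe and reassignment logic is a simplified model, not the controller's actual implementation. It shows why a DROP rule as in step 3 must be detected as a timeout rather than waited on.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"time"
)

type ProbeResult struct {
	Node    string
	Healthy bool
	Reason  string
}

// probeNode dials target ("ip:port", normally the mp0 IP and port 9) once. A
// DROP rule as in step 3 never answers, so a timeout must count as failure.
func probeNode(node, target string, timeout time.Duration) ProbeResult {
	conn, err := net.DialTimeout("tcp", target, timeout)
	if err != nil {
		reason := "connect error: " + err.Error()
		var ne net.Error
		if errors.As(err, &ne) && ne.Timeout() {
			reason = "timeout (consistent with packets being dropped)"
		}
		return ProbeResult{Node: node, Healthy: false, Reason: reason}
	}
	conn.Close()
	return ProbeResult{Node: node, Healthy: true, Reason: "tcp connect ok"}
}

// chooseAssignedNode keeps current while it is healthy, otherwise moves the
// EgressIP to the first healthy candidate; ok=false means no node qualifies.
func chooseAssignedNode(current string, results []ProbeResult) (string, bool) {
	for _, r := range results {
		if r.Node == current && r.Healthy {
			return current, true
		}
	}
	for _, r := range results {
		if r.Healthy {
			return r.Node, true
		}
	}
	return "", false
}

func main() {
	// Constructed: nothing listens on 127.0.0.1:1 (a real probe dials mp0 IP:9).
	fmt.Printf("%+v\n", probeNode("egress-node-a", "127.0.0.1:1", 2*time.Second))
}
```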
*** Bug 2038840 has been marked as a duplicate of this bug. ***
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:0056