2048841 – [ovn] Missing lr-policy-list and snat rules for egressip when new pods are added

Bug 2048841 - [ovn] Missing lr-policy-list and snat rules for egressip when new pods are added

Summary: [ovn] Missing lr-policy-list and snat rules for egressip when new pods are added

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Networking
Sub Component:
Version:	4.10
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	high
Target Milestone:	---
Target Release:	4.11.0
Assignee:	Patryk Diak
QA Contact:	huirwang
Docs Contact:
URL:
Whiteboard:
Depends On:	2029742
Blocks:	2054767
TreeView+	depends on / blocked

Reported:	2022-02-01 00:05 UTC by ffernand
Modified:	2022-08-10 10:46 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	No Doc Update
Doc Text:
Clone Of:
Clones:	2054767 (view as bug list)
Environment:
Last Closed:	2022-08-10 10:45:53 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Github	openshift ovn-kubernetes pull 947/commits/8081e22f062635e088641fe2aad92f8600e0c902	None	None	None	2022-02-15 16:44:05 UTC
Github	ovn-org ovn-kubernetes pull 2783	None	open	Fix cache building used for removing stale egress IPs	2022-02-01 11:20:30 UTC
Red Hat Product Errata	RHSA-2022:5069	None	None	None	2022-08-10 10:46:06 UTC

Description ffernand 2022-02-01 00:05:22 UTC

This is a follow up from bug 2029742.

When new pods that are expected to have egressip nat and lrpolicies are
created while ovn-k master is down, they remain missing, even after
ovn-k8 is started.

Steps to Reproduce:
1. Label one node as egress node
2. Create egressip object
 oc get egressip -o yaml
....
  spec:
    egressIPs:
    - 172.31.249.117
    namespaceSelector:
      matchLabels:
        org: pm
    podSelector: {}
  status:
    items:
    - egressIP: 172.31.249.117
      node: compute-0
....
3. Create ns ds36l and 10 pods in it, label org=pm  to the namespace
4. scale the CNO to 0 
 oc scale deployment network-operator -n openshift-network-operator --replicas 0
5.Delete ovnkube-master ds
Scale test pods replicas to 20
6. scale the CNO to 1
oc scale deployment network-operator -n openshift-network-operator --replicas 1
deployment.apps/network-operator scaled

7. Check  lr-policy-list and snat
 ovn-nbctl lr-policy-list ovn_cluster_router | grep "100 "

8. Nat rules are also not correct. They should have been added for the new
pods that were started while ovn-k8 was down. 

sh-4.4# ovn-nbctl --format=csv --no-heading find nat external_ids:name=egressip

Actual results:
lr-policy-list  and snat rules are not added for the new pod instances.


Expected results:
No stale lr-policy-list  and snat rules, and accounting for the all the ones running.

Comment 1 Patryk Diak 2022-02-15 16:24:22 UTC

Fixed in https://github.com/openshift/ovn-kubernetes/pull/947/commits/0a2fee424ec84a4af3a47af47d8554d2b04fcb0c

Comment 5 errata-xmlrpc 2022-08-10 10:45:53 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: OpenShift Container Platform 4.11.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5069

Note You need to log in before you can comment on or make changes to this bug.