Bug 2075548 - Support AllocateLoadBalancerNodePorts=False with ETP=local, LGW mode
Summary: Support AllocateLoadBalancerNodePorts=False with ETP=local, LGW mode
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.10
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
: 4.13.0
Assignee: Surya Seetharaman
QA Contact: Arti Sood
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2022-04-14 13:58 UTC by Konstantinos
Modified: 2023-05-17 22:47 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-05-17 22:46:32 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift ovn-kubernetes pull 1466 0 None open Bug 2075548: [DownstreamMerge] 09 Jan 2023 2023-01-10 10:10:32 UTC
Github ovn-org ovn-kubernetes pull 3151 0 None open Support AllocateLoadBalancerNodePorts=False with ETP=local, LGW mode 2022-09-08 11:14:01 UTC
Red Hat Product Errata RHSA-2023:1326 0 None None None 2023-05-17 22:47:39 UTC

Description Konstantinos 2022-04-14 13:58:30 UTC 
Description of problem:
Service of type LoadBalancer (using metallb in BGP) is not working if the `allocateLoadBalancerNodePorts: false` and  `externalTrafficPolicy: Local`


Version-Release number of selected component (if applicable):
```
oc get clusterversion
NAME      VERSION   AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.10.6    True        False         6d3h    Cluster version is 4.10.6
```

How reproducible:
```
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-localpolicy-nodeport
  namespace: metallb-system
spec:
  allocateLoadBalancerNodePorts: true
  externalTrafficPolicy: Local
  internalTrafficPolicy: Local
  ports:
    - name: http
      port: 80
      protocol: TCP
      targetPort: http
  selector:
    app: nginx
  type: LoadBalancer

---
apiVersion: v1
kind: Service
metadata:
  name: nginx-localpolicy
  namespace: metallb-system
spec:
  allocateLoadBalancerNodePorts: false
  externalTrafficPolicy: Local
  internalTrafficPolicy: Local
  ports:
    - name: http
      port: 80
      protocol: TCP
      targetPort: http
  selector:
    app: nginx
  type: LoadBalancer

```


Steps to Reproduce:
1. Apply the services in working metallb setup
2. Curl from an external to cluster client
3.

Actual results:
Service with NodePort works, Service without NodePort does not work

Expected results:


Additional info:
I suspect that it is because
```
oc get svc nginx-localpolicy-nodeport
NAME                         TYPE           CLUSTER-IP       EXTERNAL-IP    PORT(S)        AGE
nginx-localpolicy-nodeport   LoadBalancer   172.30.227.212   192.168.50.2   80:31274/TCP   54m
```

the node port is  actually being used in a NAT rules that directs the packet into ovn

```
sh-4.4# iptables -t nat -nvL OVN-KUBE-EXTERNALIP
Chain OVN-KUBE-EXTERNALIP (2 references)
 pkts bytes target     prot opt in     out     source               destination
    2   120 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.50.2         tcp dpt:80 to:169.254.169.3:31274
```
Comment 1 Surya Seetharaman 2022-04-19 07:32:45 UTC 
This is a known bug, and we haven't implemented the support for LB without NodePorts yet. It is being worked on. Will keep the bug updated.
Comment 3 Surya Seetharaman 2022-09-08 11:14:01 UTC 
https://github.com/ovn-org/ovn-kubernetes/pull/3151 takes a first stab at doing this.
Comment 10 errata-xmlrpc 2023-05-17 22:46:32 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: OpenShift Container Platform 4.13.0 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:1326
Note You need to log in before you can comment on or make changes to this bug.