Description of problem:
Service of type LoadBalancer (using metallb in BGP) is not working if `allocateLoadBalancerNodePorts: false` and `externalTrafficPolicy: Local` are set.

Version-Release number of selected component (if applicable):
```
oc get clusterversion
NAME      VERSION   AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.10.6    True        False         6d3h    Cluster version is 4.10.6
```

How reproducible:
```
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-localpolicy-nodeport
  namespace: metallb-system
spec:
  allocateLoadBalancerNodePorts: true
  externalTrafficPolicy: Local
  internalTrafficPolicy: Local
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: http
  selector:
    app: nginx
  type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-localpolicy
  namespace: metallb-system
spec:
  allocateLoadBalancerNodePorts: false
  externalTrafficPolicy: Local
  internalTrafficPolicy: Local
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: http
  selector:
    app: nginx
  type: LoadBalancer
```

Steps to Reproduce:
1. Apply the services in a working metallb setup
2. Curl from a client external to the cluster
3.

Actual results:
Service with NodePort works, Service without NodePort does not work

Expected results:

Additional info:
I suspect that it is because
```
oc get svc nginx-localpolicy-nodeport
NAME                         TYPE           CLUSTER-IP       EXTERNAL-IP    PORT(S)        AGE
nginx-localpolicy-nodeport   LoadBalancer   172.30.227.212   192.168.50.2   80:31274/TCP   54m
```
the node port is actually being used in a NAT rule that directs the packet into ovn
```
sh-4.4# iptables -t nat -nvL OVN-KUBE-EXTERNALIP
Chain OVN-KUBE-EXTERNALIP (2 references)
 pkts bytes target     prot opt in     out     source               destination
    2   120 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.50.2         tcp dpt:80 to:169.254.169.3:31274
```
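The report above shows why the broken Service breaks: the OVN-KUBE-EXTERNALIP DNAT rule forwards the external IP to a nodePort, and a Service created with `allocateLoadBalancerNodePorts: false` has no nodePort to forward to. The following is an added example, not code from the bug report or from ovn-kubernetes, that audits a Service list for that combination so an operator can find exposed-but-unreachable LoadBalancer ports before users do. It assumes the input is the JSON that `oc get svc -A -o json` prints; the embedded sample is constructed to mirror the two Services from the report (the status blocks and the second external IP are invented), and the script name in the usage note is hypothetical.

```python
"""Audit LoadBalancer Services whose ports have no nodePort.

Added example (not from the bug report). Assumes the input document has the
shape of `oc get svc -A -o json`: a List whose items are v1 Services.
"""
import json
import sys

# Constructed sample mirroring the two Services from the report, plus an
# unrelated ClusterIP Service that must be ignored. The status blocks and the
# 192.168.50.3 address are invented for illustration.
SAMPLE_SVC_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {
            "metadata": {"name": "nginx-localpolicy-nodeport", "namespace": "metallb-system"},
            "spec": {
                "type": "LoadBalancer",
                "allocateLoadBalancerNodePorts": True,
                "externalTrafficPolicy": "Local",
                "ports": [{"name": "http", "port": 80, "protocol": "TCP", "nodePort": 31274}],
            },
            "status": {"loadBalancer": {"ingress": [{"ip": "192.168.50.2"}]}},
        },
        {
            "metadata": {"name": "nginx-localpolicy", "namespace": "metallb-system"},
            "spec": {
                "type": "LoadBalancer",
                "allocateLoadBalancerNodePorts": False,
                "externalTrafficPolicy": "Local",
                "ports": [{"name": "http", "port": 80, "protocol": "TCP"}],
            },
            "status": {"loadBalancer": {"ingress": [{"ip": "192.168.50.3"}]}},
        },
        {
            "metadata": {"name": "web", "namespace": "default"},
            "spec": {"type": "ClusterIP", "ports": [{"port": 80, "protocol": "TCP"}]},
        },
    ],
})


def lb_ports_without_nodeport(svc_list_json):
    """Return one record per LoadBalancer Service port that has no nodePort.

    Only Services with allocateLoadBalancerNodePorts=false are considered; the
    field defaults to true when absent, in which case the API server allocates
    a nodePort and the DNAT rule from the report has a target.
    """
    findings = []
    for item in json.loads(svc_list_json).get("items", []):
        spec = item.get("spec", {})
        if spec.get("type") != "LoadBalancer":
            continue
        if spec.get("allocateLoadBalancerNodePorts", True):
            continue
        ingress = item.get("status", {}).get("loadBalancer", {}).get("ingress", [])
        external_ips = [e["ip"] for e in ingress if "ip" in e]
        for port in spec.get("ports", []):
            if port.get("nodePort"):
                continue  # a nodePort exists, so there is something to DNAT to
            findings.append({
                "namespace": item["metadata"]["namespace"],
                "name": item["metadata"]["name"],
                "externalTrafficPolicy": spec.get("externalTrafficPolicy", "Cluster"),
                "protocol": port.get("protocol", "TCP"),
                "port": port["port"],
                "externalIPs": external_ips,
            })
    return findings


def format_findings(findings):
    """One line per finding, in the spirit of the `oc get svc` PORT(S) column."""
    lines = []
    for f in findings:
        ips = ",".join(f["externalIPs"]) or "<pending>"
        lines.append(f"{f['namespace']}/{f['name']} {f['protocol']}/{f['port']} "
                     f"externalIP={ips} etp={f['externalTrafficPolicy']} nodePort=NONE")
    return lines


if __name__ == "__main__":
    # Read a real Service list from stdin when piped; otherwise use the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SVC_LIST
    for line in format_findings(lb_ports_without_nodeport(data)):
        print(line)
```

Run it against a live cluster with `oc get svc -A -o json | python3 audit_lb_nodeports.py` (hypothetical file name). Each reported line is a LoadBalancer port that has an advertised external IP but no nodePort for the OVN-KUBE-EXTERNALIP DNAT rule to target; on the affected releases that port will not answer from outside the cluster, so either set `allocateLoadBalancerNodePorts: true` on those Services or upgrade to a release carrying the fix referenced below.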
This is a known bug, and we haven't implemented the support for LB without NodePorts yet. It is being worked on. Will keep the bug updated.
https://github.com/ovn-org/ovn-kubernetes/pull/3151 takes a first stab at doing this.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: OpenShift Container Platform 4.13.0 security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2023:1326