2083116 – OVN-Kubernetes: EgressIP breaks access from a pod to outside depending on if its on an egressNode or not

Bug 2083116 - OVN-Kubernetes: EgressIP breaks access from a pod to outside depending on if its on an egressNode or not

Summary: OVN-Kubernetes: EgressIP breaks access from a pod to outside depending on if ...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Networking
Sub Component:
Version:	4.10
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	---
Target Release:	4.10.z
Assignee:	Surya Seetharaman
QA Contact:	huirwang
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	2095713 (view as bug list)
Depends On:	2070929
Blocks:
TreeView+	depends on / blocked

Reported:	2022-05-09 10:28 UTC by Surya Seetharaman
Modified:	2022-07-29 06:21 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2022-05-23 13:25:12 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Github	openshift ovn-kubernetes pull 1084	None	open	[release-4.10] Bug 2083116: delete SNAT2NIP if pod.node == egressNodeServingPod	2022-05-09 10:53:52 UTC
Red Hat Knowledge Base (Solution)	6962941	None	None	None	2022-06-13 13:53:46 UTC
Red Hat Product Errata	RHBA-2022:2258	None	None	None	2022-05-23 13:25:34 UTC

Description Surya Seetharaman 2022-05-09 10:28:14 UTC

This bug was initially created as a copy of Bug #2070929

I am copying this bug because: 



OVN-Kubernetes: EgressIP breaks access from a pod with EgressIP to other host networked pods on different nodes

Scenario:

* pod <podA> on node <nodeA> in namespace <nsA> accesses a host networked pod <podB> on node <nodeB>
* EgressIP <eipA> is assigned to namespace <nsA>
* Traffic from <podA> to <podB> breaks

Pods:
~~~
[akaris@linux 2070878]$ oc get pods -A -o wide | grep egress | grep -v debug
e2e-test-egressip-8wznm                            egressip-target-daemonset-sq27b                              1/1     Running     0               19m    10.0.135.215   ip-10-0-135-215.ec2.internal   <none>           <none>
e2e-test-egressip-pfvtq                            e2e-test-egressip-pfvtq-deployment-799497dc77-j9w2p          1/1     Running     0               19m    10.128.2.20    ip-10-0-144-143.ec2.internal   <none>           <none>
[akaris@linux 2070878]$ 
~~~

Before applying the EgressIP:
================================================

curl from 
~~~
~ $ curl 10.0.135.215:32667/clientip
10.0.144.143:49524~ $ 
~~~

Tcpdump on node/ip-10-0-144-143.ec2.internal - we see that the traffic is SNAT'ed to the source node and then sent to the destination node:
~~~
sh-4.4# tcpdump -nne -i ens5 host 10.0.135.215 and port 32667
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens5, link-type EN10MB (Ethernet), capture size 262144 bytes
10:44:21.980235 0e:61:09:b2:50:0b > 0e:4c:94:8d:88:a3, ethertype IPv4 (0x0800), length 74: 10.0.144.143.49524 > 10.0.135.215.32667: Flags [S], seq 337255231, win 26583, options [mss 8861,sackOK,TS val 2215492582 ecr 0,nop,wscale 7], length 0
10:44:21.981733 0e:4c:94:8d:88:a3 > 0e:61:09:b2:50:0b, ethertype IPv4 (0x0800), length 74: 10.0.135.215.32667 > 10.0.144.143.49524: Flags [S.], seq 1450458968, ack 337255232, win 26847, options [mss 8961,sackOK,TS val 2693376292 ecr 2215492582,nop,wscale 7], length 0
10:44:21.982334 0e:61:09:b2:50:0b > 0e:4c:94:8d:88:a3, ethertype IPv4 (0x0800), length 156: 10.0.144.143.49524 > 10.0.135.215.32667: Flags [P.], seq 1:91, ack 1, win 208, options [nop,nop,TS val 2215492584 ecr 2693376292], length 90
10:44:21.982339 0e:61:09:b2:50:0b > 0e:4c:94:8d:88:a3, ethertype IPv4 (0x0800), length 66: 10.0.144.143.49524 > 10.0.135.215.32667: Flags [.], ack 1, win 208, options [nop,nop,TS val 2215492584 ecr 2693376292], length 0
(...)
~~~

We see the same traffic on the destination host ip-10-0-135-215.ec2.internal:
~~~
h-4.4# tcpdump -nne -i ens5 host 10.0.135.215 and port 32667
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens5, link-type EN10MB (Ethernet), capture size 262144 bytes
10:44:21.980683 0a:a8:54:d9:eb:39 > 0a:71:d0:10:a3:bd, ethertype IPv4 (0x0800), length 74: 10.0.144.143.49524 > 10.0.135.215.32667: Flags [S], seq 337255231, win 26583, options [mss 8861,sackOK,TS val 2215492582 ecr 0,nop,wscale 7], length 0
10:44:21.981285 0a:71:d0:10:a3:bd > 0a:a8:54:d9:eb:39, ethertype IPv4 (0x0800), length 74: 10.0.135.215.32667 > 10.0.144.143.49524: Flags [S.], seq 1450458968, ack 337255232, win 26847, options [mss 8961,sackOK,TS val 2693376292 ecr 2215492582,nop,wscale 7], length 0
10:44:21.982748 0a:a8:54:d9:eb:39 > 0a:71:d0:10:a3:bd, ethertype IPv4 (0x0800), length 156: 10.0.144.143.49524 > 10.0.135.215.32667: Flags [P.], seq 1:91, ack 1, win 208, options [nop,nop,TS val 2215492584 ecr 2693376292], length 90
10:44:21.982796 0a:a8:54:d9:eb:39 > 0a:71:d0:10:a3:bd, ethertype IPv4 (0x0800), length 66: 10.0.144.143.49524 > 10.0.135.215.32667: Flags [.], ack 1, win 208, options [nop,nop,TS val 2215492584 ecr 2693376292], length 0
(...)
~~~

Comment 6 errata-xmlrpc 2022-05-23 13:25:12 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.10.15 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:2258

Comment 7 Christian Passarelli 2022-06-13 14:13:33 UTC

*** Bug 2095713 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.