Bug 2090103 - Inconsistent traffic flow sequence between OpenShift-sdn and ovn-kubernetes for egressIP assigned pod.
Keywords:
Status: CLOSED DUPLICATE of bug 2078222
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.8
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: ---
Assignee: Ben Bennett
QA Contact: Anurag saxena
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-05-25 07:25 UTC by Manish Pandey
Modified: 2022-05-25 13:34 UTC (History)
CC List: 2 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-05-25 13:34:17 UTC
Target Upstream Version:
Embargoed:



Description Manish Pandey 2022-05-25 07:25:14 UTC
Description of problem:

For an egressIP-assigned namespace, when a pod runs on the same node where the egressIP exists, the traffic for the API server svc IP (172.30.0.1) gets SNATed to the egressIP, and since the customer does not have the firewall open for the egressIP as source IP for internal cluster traffic, it breaks connectivity, resulting in failure of pod start on the egress node.

Here are my observations of the traffic flow between OpenShift-sdn and ovn-kubernetes for an egressIP-assigned project.

openshift-sdn

1. Traffic from a pod to the external world always goes through the egress node and gets SNATed to the egressIP.
2. Traffic from a pod to any OpenShift node IP address goes through the egress node and gets SNATed to the egressIP.
3. Traffic from a pod to a svc IP (172.30.0.1) backed by a hostNetwork pod does not go through the egress node, so it does not get SNATed to the egressIP.


ovn-kubernetes

1. Traffic from a pod to the external world always goes through the egress node and gets SNATed to the egressIP.
2. Traffic from a pod running on the egress node to any OpenShift node IP address gets SNATed to the egressIP.
3. Traffic from a pod not running on the egress node to any OpenShift node IP address does not get SNATed to the egressIP.
4. Traffic from a pod running on the egress node to an OpenShift svc IP (172.30.0.1) backed by a hostNetwork pod gets SNATed to the egressIP.
5. Traffic from a pod not running on the egress node to an OpenShift svc IP (172.30.0.1) backed by a hostNetwork pod does not get SNATed to the egressIP.


The customer has a concern that in-cluster traffic should not get SNATed to the egressIP address.
Since all pods communicate with the apiserver through the svc IP address, and in OpenShift-sdn it never gets SNATed to the egressIP, they never saw this issue.
The customer has strict firewall rules which do not allow in-cluster traffic whose source IP is the egressIP.

I am not sure why we have this inconsistency in traffic flow between OpenShift-sdn and ovn-kubernetes, especially for internal cluster traffic.

Either this should be fixed or it needs to be documented so that the customer is already aware of it and makes sure they open the relevant firewall rules.

The customer is on 4.8.35, but I could also reproduce this issue on the latest versions of OpenShift 4.9, 4.10 and 4.11 nightly as well.


Version-Release number of selected component (if applicable):
OpenShift 4.8.35


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:
Traffic for the apiserver svc IP gets SNATed to the egressIP.


Expected results:
Traffic for the apiserver svc IP should not get SNATed to the egressIP, since it breaks connectivity due to the firewall rule policy.
In the OpenShift-sdn network plugin it never gets SNATed for svc IP traffic, but in ovn it does get SNATed.


Additional info:

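A defender-side check that matches the behaviour described in the report above, added here as an example and not part of the bug report or of either network plugin: it parses `conntrack -L` style entries taken on an egress node and flags flows whose destination is in-cluster (service CIDR or a node IP) but whose source was rewritten to the egressIP, which is exactly the traffic the customer's firewall would drop. The egressIP, node and service addresses and the conntrack lines are constructed for illustration.

```python
import ipaddress
import re

# Hypothetical addresses for the illustration (not taken from the bug report).
EGRESS_IP = ipaddress.ip_address("10.0.0.100")
SERVICE_CIDR = ipaddress.ip_network("172.30.0.0/16")
NODE_IPS = {ipaddress.ip_address("10.0.0.10"), ipaddress.ip_address("10.0.0.11")}

# Constructed conntrack entries. The first src/dst pair is the original
# direction, the second the reply direction, so the reply "dst" is the
# address the pod's source was SNATed to (pod IP means no SNAT happened).
SAMPLE_CONNTRACK = """\
tcp 6 431999 ESTABLISHED src=10.128.2.15 dst=172.30.0.1 sport=44210 dport=443 src=10.0.0.10 dst=10.0.0.100 sport=6443 dport=44210 [ASSURED] mark=0 use=1
tcp 6 431999 ESTABLISHED src=10.128.2.15 dst=203.0.113.7 sport=51002 dport=443 src=203.0.113.7 dst=10.0.0.100 sport=443 dport=51002 [ASSURED] mark=0 use=1
tcp 6 431999 ESTABLISHED src=10.128.2.15 dst=172.30.0.1 sport=44211 dport=443 src=10.0.0.10 dst=10.128.2.15 sport=6443 dport=44211 [ASSURED] mark=0 use=1
"""

TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def parse_conntrack(line):
    """Return (orig_src, orig_dst, reply_dst) for one entry, or None if unparsable."""
    tuples = TUPLE_RE.findall(line)
    if len(tuples) != 2:
        return None
    (orig_src, orig_dst, _, _), (_, reply_dst, _, _) = tuples
    return (ipaddress.ip_address(orig_src),
            ipaddress.ip_address(orig_dst),
            ipaddress.ip_address(reply_dst))


def is_in_cluster(dst, service_cidr, node_ips):
    """In-cluster destinations: service VIPs and node addresses."""
    return dst in service_cidr or dst in node_ips


def in_cluster_flows_snated_to_egress(text, egress_ip, service_cidr, node_ips):
    """List (pod_ip, dst) for in-cluster flows whose source became egress_ip."""
    flagged = []
    for line in text.splitlines():
        parsed = parse_conntrack(line)
        if parsed is None:
            continue
        orig_src, orig_dst, reply_dst = parsed
        if reply_dst == egress_ip and is_in_cluster(orig_dst, service_cidr, node_ips):
            flagged.append((str(orig_src), str(orig_dst)))
    return flagged


if __name__ == "__main__":
    for pod_ip, dst in in_cluster_flows_snated_to_egress(
            SAMPLE_CONNTRACK, EGRESS_IP, SERVICE_CIDR, NODE_IPS):
        print(f"in-cluster flow {pod_ip} -> {dst} was SNATed to egressIP {EGRESS_IP}")
```

Only the first sample entry is reported: the external flow is SNATed as intended, and the third entry keeps the pod IP as its source.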
Comment 1 Andreas Karis 2022-05-25 13:34:17 UTC
I had already brought this up here:
https://bugzilla.redhat.com/show_bug.cgi?id=2070929#c5

And Surya forked this into a new bug: 
https://bugzilla.redhat.com/show_bug.cgi?id=2078222

*** This bug has been marked as a duplicate of bug 2078222 ***

