Bug 2099755 - EgressIP node's mgmtIP reachability configuration option
Summary: EgressIP node's mgmtIP reachability configuration option
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.11
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
: 4.11.0
Assignee: Mohamed Mahmoud
QA Contact: jechen
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-06-21 16:00 UTC by Mohamed Mahmoud
Modified: 2022-08-10 11:19 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-08-10 11:18:57 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Github openshift ovn-kubernetes pull 1156 0 None open Bug 2099755: Add new EgressIP config option "egressip-reachability-total-timeout" 2022-06-22 15:55:26 UTC
Red Hat Product Errata RHSA-2022:5069 0 None None None 2022-08-10 11:19:18 UTC

Description Mohamed Mahmoud 2022-06-21 16:00:14 UTC
Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 6 jechen 2022-06-24 18:28:41 UTC
$ oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.11.0-0.nightly-2022-06-23-153912   True        False         4h48m   Cluster version is 4.11.0-0.nightly-2022-06-23-153912

$ oc debug node/$(oc -n openshift-network-operator get pod -l name=network-operator -o jsonpath='{.items[0].spec.nodeName}') -- chroot /host bash -c 'sed -i -e "/enable-egress-ip=true/a\    egressip-reachability-total-timeout=10"  "/proc/$(pgrep -f [c]luster-network-operator)/root/bindata/network/ovn-kubernetes/self-hosted/004-config.yaml"'
Warning: would violate PodSecurity "restricted:latest": host namespaces (hostNetwork=true, hostPID=true), privileged (container "container-00" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (container "container-00" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "container-00" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volume "host" uses restricted volume type "hostPath"), runAsNonRoot != true (pod or container "container-00" must set securityContext.runAsNonRoot=true), runAsUser=0 (container "container-00" must not set runAsUser=0), seccompProfile (pod or container "container-00" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
Starting pod/jechen-0624a-q9hpw-master-2copenshift-qeinternal-debug ...
To use host binaries, run `chroot /host`

Removing debug pod ...


$ oc delete -n openshift-ovn-kubernetes  cm ovnkube-config
configmap "ovnkube-config" deleted

$ oc -n openshift-ovn-kubernetes  get cm
NAME                       DATA   AGE
control-plane-status       1      3h44m
kube-root-ca.crt           1      3h45m
openshift-service-ca.crt   1      3h45m
ovn-ca                     1      3h45m
ovn-kubernetes-master      0      3h44m
ovnkube-config             1      28s
signer-ca                  1      3h45m


$ oc -n openshift-ovn-kubernetes  get cm ovnkube-config -oyaml
apiVersion: v1
data:
  ovnkube.conf: |-
    [default]
    mtu="1360"
    cluster-subnets="10.128.0.0/14/23"
    encap-port="6081"
    enable-lflow-cache=true
    lflow-cache-limit-kb=1048576

    [kubernetes]
    service-cidrs="172.30.0.0/16"
    ovn-config-namespace="openshift-ovn-kubernetes"
    apiserver="https://api-int.jechen-0624a.qe.gcp.devcluster.openshift.com:6443"
    host-network-namespace="openshift-host-network"
    platform-type="GCP"

    [ovnkubernetesfeature]
    enable-egress-ip=true
    egressip-reachability-total-timeout=10      
    enable-egress-firewall=true
    enable-egress-qos=true

    [gateway]
    mode=shared
    nodeport=true
kind: ConfigMap
metadata:
  creationTimestamp: "2022-06-24T16:47:49Z"
  name: ovnkube-config
  namespace: openshift-ovn-kubernetes
  ownerReferences:
  - apiVersion: operator.openshift.io/v1
    blockOwnerDeletion: true
    controller: true
    kind: Network
    name: cluster
    uid: 118a54e3-d8a2-4602-bbc2-eed1f824cb84
  resourceVersion: "100006"
  uid: d8f352db-db59-453b-ba9e-71f238075b9f



# However, if I configure egressip-reachability-total-timeout to 5 using the same commands above, I get two entries in ovnkube-config; is this correct?

$ oc -n openshift-ovn-kubernetes  get cm ovnkube-config -oyaml
apiVersion: v1
data:
  ovnkube.conf: |-
    [default]
    mtu="1360"
    cluster-subnets="10.128.0.0/14/23"
    encap-port="6081"
    enable-lflow-cache=true
    lflow-cache-limit-kb=1048576

    [kubernetes]
    service-cidrs="172.30.0.0/16"
    ovn-config-namespace="openshift-ovn-kubernetes"
    apiserver="https://api-int.jechen-0624a.qe.gcp.devcluster.openshift.com:6443"
    host-network-namespace="openshift-host-network"
    platform-type="GCP"

    [ovnkubernetesfeature]
    enable-egress-ip=true
    egressip-reachability-total-timeout=5
    egressip-reachability-total-timeout=10
    enable-egress-firewall=true
    enable-egress-qos=true

    [gateway]
    mode=shared
    nodeport=true
kind: ConfigMap
metadata:
  creationTimestamp: "2022-06-24T18:12:55Z"
  name: ovnkube-config
  namespace: openshift-ovn-kubernetes
  ownerReferences:
  - apiVersion: operator.openshift.io/v1
    blockOwnerDeletion: true
    controller: true
    kind: Network
    name: cluster
    uid: 118a54e3-d8a2-4602-bbc2-eed1f824cb84
  resourceVersion: "129763"
  uid: e4ffce14-0265-4e91-a04d-e8c5e05d8504

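The two entries seen above come from the `sed ... /enable-egress-ip=true/a\ ...` one-liner, whose `a\` (append) command adds a fresh line every time it runs. The script below is an added example, not code from the bug report or from the ovn-kubernetes project: it sets a key under `[ovnkubernetesfeature]` idempotently, replacing an existing entry (and dropping duplicates) and appending after `enable-egress-ip=true` only when the key is absent, so repeated runs converge on one entry. The sample `ovnkube.conf` it writes is constructed to mirror the one shown in this comment and lives in a temp file rather than the CNO bindata path.

```shell
#!/bin/sh
# Added example (assumed helper names; not part of the bug report or project).
# Idempotently set KEY=VALUE under [ovnkubernetesfeature] in an ovnkube.conf-style
# INI file, instead of appending a new line on every run as "sed .../a\ ..." does.

# set_feature_option FILE KEY VALUE
set_feature_option() {
  file=$1; key=$2; value=$3
  tmp="${file}.tmp"
  awk -v key="$key" -v value="$value" '
    # track which INI section the current line belongs to
    /^[[:space:]]*\[/ { section = $0; sub(/^[[:space:]]*\[/, "", section); sub(/\].*$/, "", section) }
    section == "ovnkubernetesfeature" && $0 ~ ("^[[:space:]]*" key "=") {
      # existing entry: emit the new value once, drop any further copies
      if (!done) { match($0, /^[[:space:]]*/); print substr($0, 1, RLENGTH) key "=" value; done = 1 }
      next
    }
    { print }
    section == "ovnkubernetesfeature" && !done && /^[[:space:]]*enable-egress-ip=true/ {
      # key not seen yet: insert it right after enable-egress-ip=true, keeping the indent
      match($0, /^[[:space:]]*/); print substr($0, 1, RLENGTH) key "=" value; done = 1
    }
  ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# count_key FILE KEY -> number of lines that define KEY (0 when none)
count_key() { grep -c "^[[:space:]]*$2=" "$1" || true; }

# get_key FILE KEY -> value of the KEY line(s)
get_key() { sed -n "s/^[[:space:]]*$2=\(.*\)$/\1/p" "$1"; }

# Constructed sample modelled on the ovnkube.conf shown in the comment above.
CONF=$(mktemp)
cat > "$CONF" <<'EOF'
[default]
mtu="1360"

[ovnkubernetesfeature]
enable-egress-ip=true
enable-egress-firewall=true
enable-egress-qos=true

[gateway]
mode=shared
EOF

# First run inserts the key with 10; the second replaces it with 5 rather than
# adding a second line, which is the behaviour the plain sed append lacks.
set_feature_option "$CONF" egressip-reachability-total-timeout 10
set_feature_option "$CONF" egressip-reachability-total-timeout 5
cat "$CONF"
```

Running the same command three times against the real bindata file would leave three lines; with this helper the count stays at one and the last value wins, which is what you want when re-verifying with a different timeout.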
Comment 7 jechen 2022-06-24 18:51:15 UTC
Checked with Mohamed Mahmoud: this bug is about being able to configure egressip-reachability-total-timeout, and seeing two entries after two configurations is correct. Will verify egressIP with egressip-reachability-total-timeout configured when his API PR https://github.com/openshift/api/pull/1210 is merged.

Comment 8 errata-xmlrpc 2022-08-10 11:18:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: OpenShift Container Platform 4.11.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5069

