OCPBUGS-24219

Azure - OCP IPI Installation UDP packets are subject to SNAT with LB Service using ETP equals to Local (OVN-Kubernetes as CNI)


    • Critical
    • No
    • SDN Sprint 246, SDN Sprint 247, SDN Sprint 248
    • 3
    • False
      * For {product-title} clusters on {azure-full}, when using OVN-Kubernetes as the Container Network Interface (CNI), there was an issue where the source IP recognized by the pod was the OVN gateway router of the node when using a load balancer service with `externalTrafficPolicy: Local`. This occurred due to a Source Network Address Translation (SNAT) being applied to UDP packets.
      +
      With this update, session affinity without a timeout is possible by setting the affinity timeout to a higher value, for example, `86400` seconds, or 24 hours. As a result, the affinity is treated as permanent unless there are network disruptions like endpoints or nodes going down. As a result, session affinity is more persistent. (link:https://issues.redhat.com/browse/OCPBUGS-24219[*OCPBUGS-24219*])
    • Enhancement
    • Rejected
    • Network
    • customers who need session affinity

      UDP Packets are subject to SNAT in a self-managed OCP 4.13.13 cluster on Azure (OVN-K as CNI) using a Load Balancer Service with `externalTrafficPolicy: Local`. UDP Packets correctly arrive at the Node hosting the Pod but the source IP seen by the Pod is the OVN GW Router of the Node.

      I've reproduced the customer scenario with the following steps:

      This issue is very critical because it is blocking customer business.
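
One way to check which source address a pod actually sees for UDP traffic, which matters wherever source-IP allowlists or audit logs depend on it. This is an added example, not the reporter's reproduction steps or code from the ticket; the function names are hypothetical and the loopback run is a constructed local demonstration.

```python
import socket
import threading

def serve_reflector(sock, count=1):
    """Reply to each datagram with the source address this socket observed."""
    for _ in range(count):
        _, peer = sock.recvfrom(2048)
        sock.sendto(f"{peer[0]}:{peer[1]}".encode(), peer)

def check_source_preserved(server_addr, expected_ip=None, timeout=2.0):
    """Send one probe; return (observed_ip, preserved).

    expected_ip is the address the client believes it sends from. If omitted,
    the local address of the connected socket is used. Behind client-side NAT,
    pass the client's public address explicitly instead.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as c:
        c.settimeout(timeout)
        c.connect(server_addr)
        local_ip = c.getsockname()[0]
        c.send(b"probe")
        observed = c.recv(2048).decode()
    observed_ip = observed.rsplit(":", 1)[0]
    return observed_ip, observed_ip == (expected_ip or local_ip)

def loopback_demo():
    """Constructed local run: reflector and client on 127.0.0.1, no SNAT."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    t = threading.Thread(target=serve_reflector, args=(srv,), daemon=True)
    t.start()
    try:
        return check_source_preserved(srv.getsockname())
    finally:
        t.join(timeout=2)
        srv.close()

if __name__ == "__main__":
    print(loopback_demo())
```

In a cluster, `serve_reflector` would run in the pod behind the Load Balancer Service and `check_source_preserved` on an external client; a `preserved` value of `False` with the node's gateway router address as `observed_ip` matches the behaviour described in this issue.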

            sseethar Surya Seetharaman
            rhn-support-gizzi Giovanni Luca Izzi
            Arti Sood Arti Sood