- Bug
- Resolution: Duplicate
- Major
- None
- 4.15.z
- No
- Rejected
- False
Description of problem:
After removing the blocking iptables rule on port 9107, the egressip is not re-assigned
Version-Release number of selected component (if applicable):
How reproducible:
Steps to Reproduce:
1. Label one node to be the egress node

$ oc label node jechen-0104-gcp-sts-o-8l7xd-worker-a-9mdmk "k8s.ovn.org/egress-assignable"=""
node/jechen-0104-gcp-sts-o-8l7xd-worker-a-9mdmk labeled

2. Configure an egressip object; the egressip should be assigned to the egress node

$ oc apply -f /tmp/e2e-test-networking-9k28diqk-fff5j-v32gywzbresource.json
egressip.k8s.ovn.org/egressip-54045 created
$ oc get egressips.k8s.ovn.org
NAME             EGRESSIPS     ASSIGNED NODE                                ASSIGNED EGRESSIPS
egressip-54045   10.0.141.11   jechen-0104-gcp-sts-o-8l7xd-worker-a-9mdmk   10.0.141.11

3. Add an iptables rule to block the egressip health check port 9107 on the egress node; the egressip should be unassigned once port 9107 is blocked

$ oc debug node/jechen-0104-gcp-sts-o-8l7xd-worker-a-9mdmk
Temporary namespace openshift-debug-bkwn6 is created for debugging node...
Starting pod/jechen-0104-gcp-sts-o-8l7xd-worker-a-9mdmk-debug-2tmvr ...
To use host binaries, run `chroot /host`
Pod IP: 10.0.128.4
If you don't see a command prompt, try pressing enter.
sh-4.4# chroot /host
sh-5.1# iptables -I INPUT 1 -p tcp --destination-port 9107 -j DROP
sh-5.1# iptables -L
Chain INPUT (policy ACCEPT)
target         prot opt source               destination
DROP           tcp  --  anywhere             anywhere             tcp dpt:astergatefax
KUBE-FIREWALL  all  --  anywhere             anywhere
ACCEPT         all  --  anywhere             anywhere             /* gcp LB vip existing */ ADDRTYPE match dst-type !LOCAL state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT)
target         prot opt source               destination
ACCEPT         all  --  anywhere             169.254.169.1
ACCEPT         all  --  169.254.169.1        anywhere
ACCEPT         all  --  anywhere             172.30.0.0/16
ACCEPT         all  --  172.30.0.0/16        anywhere
REJECT         tcp  --  anywhere             anywhere             tcp dpt:22624 flags:FIN,SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT         tcp  --  anywhere             anywhere             tcp dpt:22623 flags:FIN,SYN,RST,ACK/SYN reject-with icmp-port-unreachable
DROP           all  --  anywhere             anywhere
DROP           all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target         prot opt source               destination
REJECT         tcp  --  anywhere             anywhere             tcp dpt:22624 flags:FIN,SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT         tcp  --  anywhere             anywhere             tcp dpt:22623 flags:FIN,SYN,RST,ACK/SYN reject-with icmp-port-unreachable
KUBE-FIREWALL  all  --  anywhere             anywhere

Chain KUBE-FIREWALL (2 references)
target         prot opt source               destination
DROP           all  --  !127.0.0.0/8         127.0.0.0/8          /* block incoming localnet connections */ ! ctstate RELATED,ESTABLISHED,DNAT

Chain KUBE-KUBELET-CANARY (0 references)
target         prot opt source               destination

[jechen@jechen ~]$ oc get egressips.k8s.ovn.org
NAME             EGRESSIPS     ASSIGNED NODE   ASSIGNED EGRESSIPS
egressip-54045   10.0.141.11

4. Delete the iptables rule blocking port 9107

$ oc debug node/jechen-0104-gcp-sts-o-8l7xd-worker-a-9mdmk
Temporary namespace openshift-debug-z6p8c is created for debugging node...
Starting pod/jechen-0104-gcp-sts-o-8l7xd-worker-a-9mdmk-debug-5whbt ...
To use host binaries, run `chroot /host`
Pod IP: 10.0.128.4
If you don't see a command prompt, try pressing enter.
sh-4.4# iptables -D INPUT -p tcp --destination-port 9107 -j DROP
sh: iptables: command not found
sh-4.4# chroot /host
sh-5.1# iptables -D INPUT -p tcp --destination-port 9107 -j DROP
sh-5.1# iptables -L
Chain INPUT (policy ACCEPT)
target         prot opt source               destination
KUBE-FIREWALL  all  --  anywhere             anywhere
ACCEPT         all  --  anywhere             anywhere             /* gcp LB vip existing */ ADDRTYPE match dst-type !LOCAL state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT)
target         prot opt source               destination
ACCEPT         all  --  anywhere             169.254.169.1
ACCEPT         all  --  169.254.169.1        anywhere
ACCEPT         all  --  anywhere             172.30.0.0/16
ACCEPT         all  --  172.30.0.0/16        anywhere
REJECT         tcp  --  anywhere             anywhere             tcp dpt:22624 flags:FIN,SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT         tcp  --  anywhere             anywhere             tcp dpt:22623 flags:FIN,SYN,RST,ACK/SYN reject-with icmp-port-unreachable
DROP           all  --  anywhere             anywhere
DROP           all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target         prot opt source               destination
REJECT         tcp  --  anywhere             anywhere             tcp dpt:22624 flags:FIN,SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT         tcp  --  anywhere             anywhere             tcp dpt:22623 flags:FIN,SYN,RST,ACK/SYN reject-with icmp-port-unreachable
KUBE-FIREWALL  all  --  anywhere             anywhere

Chain KUBE-FIREWALL (2 references)
target         prot opt source               destination
DROP           all  --  !127.0.0.0/8         127.0.0.0/8          /* block incoming localnet connections */ ! ctstate RELATED,ESTABLISHED,DNAT

Chain KUBE-KUBELET-CANARY (0 references)
target         prot opt source               destination
sh-5.1# exit
exit
sh-4.4# exit
exit

Removing debug pod ...
Temporary namespace openshift-debug-lvffh was removed.

[jechen@jechen ~]$ oc get egressips.k8s.ovn.org
NAME             EGRESSIPS     ASSIGNED NODE   ASSIGNED EGRESSIPS
egressip-54045   10.0.141.11
Actual results:
The egressip is not re-assigned back to the egress node
Expected results:
The egressip should be re-assigned back to the egress node
Additional info:
must-gather: https://drive.google.com/file/d/124RU6Yq7l95sMbTYpqt53vQaHumnOXrM/view?usp=sharing
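Added example, not part of the bug report or of the OVN-Kubernetes project: a POSIX shell script that automates reproduction steps 1 to 4 above and exits non-zero when the egress IP is not re-assigned after the DROP rule is removed. Port 9107 is the port on which ovnkube-node serves its egress IP node health check; the cluster manager unassigns egress IPs from a node whose check stops answering, which is why the rule in step 3 causes the unassignment. Assumed: an `oc` session with cluster-admin, an EgressIP object that already exists (the report applies one from a JSON file whose contents are not shown, so the script does not create it), and the node and object names supplied through the EGRESS_NODE and EGRESSIP_NAME variables. The defaults and the sample table rows are taken from the report; the timeouts are hypothetical values.

```shell
#!/bin/sh
# Added example (not from the bug report): automate reproduction steps 1-4 and
# fail if the egress IP is not re-assigned after the health-check port is unblocked.
# Assumes `oc` is logged in with cluster-admin and the EgressIP object already exists.
set -eu

EGRESS_NODE="${EGRESS_NODE:-jechen-0104-gcp-sts-o-8l7xd-worker-a-9mdmk}"
EGRESSIP_NAME="${EGRESSIP_NAME:-egressip-54045}"
HEALTH_PORT="${HEALTH_PORT:-9107}"   # ovnkube egress IP node health-check port
POLL_INTERVAL="${POLL_INTERVAL:-5}"  # seconds between `oc get` polls (hypothetical value)

# Extract the ASSIGNED NODE column for EGRESSIP_NAME from `oc get egressips` table
# output. Prints nothing when the egress IP is unassigned: the row then carries only
# NAME and EGRESSIPS, exactly as shown in the report after port 9107 was blocked.
assigned_node_from_table() {
  printf '%s\n' "$1" | awk -v name="$EGRESSIP_NAME" '$1 == name { print $3 }'
}

# Poll a getter command until the assigned node equals $1 ("" means unassigned)
# or $2 seconds elapse. $3 is the command that prints the table. 0 = match, 1 = timeout.
wait_for_assignment() {
  want="$1"; timeout="$2"; getter="$3"
  deadline=$(( $(date +%s) + timeout ))
  while :; do
    got=$(assigned_node_from_table "$("$getter")")
    [ "$got" = "$want" ] && return 0
    [ "$(date +%s)" -ge "$deadline" ] && return 1
    sleep "$POLL_INTERVAL"
  done
}

get_egressip_table() { oc get egressips.k8s.ovn.org "$EGRESSIP_NAME"; }

# Same iptables rules as steps 3 and 4 of the report, run non-interactively
# through `oc debug` (iptables only exists inside the host chroot, as the report shows).
block_health_port() {
  oc debug "node/$EGRESS_NODE" -- chroot /host \
    iptables -I INPUT 1 -p tcp --destination-port "$HEALTH_PORT" -j DROP
}
unblock_health_port() {
  oc debug "node/$EGRESS_NODE" -- chroot /host \
    iptables -D INPUT -p tcp --destination-port "$HEALTH_PORT" -j DROP
}

repro() {
  # Step 1: make the node egress-assignable (the EgressIP object is assumed to exist).
  oc label node "$EGRESS_NODE" "k8s.ovn.org/egress-assignable"="" --overwrite
  wait_for_assignment "$EGRESS_NODE" 120 get_egressip_table \
    || { echo "FAIL: $EGRESSIP_NAME never assigned to $EGRESS_NODE"; return 1; }
  # Step 3: block the health check; the egress IP must be unassigned.
  block_health_port
  wait_for_assignment "" 300 get_egressip_table \
    || { unblock_health_port; echo "FAIL: still assigned with port $HEALTH_PORT blocked"; return 1; }
  # Step 4: remove the rule; the egress IP must come back to the node.
  unblock_health_port
  wait_for_assignment "$EGRESS_NODE" 300 get_egressip_table \
    || { echo "BUG REPRODUCED: $EGRESSIP_NAME not re-assigned after unblocking"; return 1; }
  echo "OK: $EGRESSIP_NAME re-assigned to $EGRESS_NODE"
}

# Touch the cluster only when invoked as `sh repro.sh run`, so the parsing and
# polling helpers above can be sourced and exercised offline.
if [ "${1:-}" = run ]; then
  repro
fi
```

Run it as `sh repro.sh run`. Parsing the table mirrors the evidence in the report; `oc get egressips.k8s.ovn.org <name> -o jsonpath='{.status.items[*].node}'` gives the same answer without depending on column layout. Two practical caveats: `iptables -L` prints port 9107 by its /etc/services name (`astergatefax` in the report), so use `iptables -nL` when grepping for the rule; and if the script aborts between the block and unblock steps (for example because `oc debug` itself fails), the DROP rule stays on the node and has to be deleted by hand.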
- relates to: SDN-4227 Update GCP Credentials Request manifest for CNCC (Closed)