Bug
Resolution: Unresolved
Major
None
4.16
Important
No
Proposed
False
Description of problem:
The testing results showed that the pod with the annotation k8s.v1.cni.cncf.io/networks: ip-overlapping-true-1 can communicate with pods having the annotation k8s.v1.cni.cncf.io/networks: ip-overlapping-true-2
Version-Release number of selected component (if applicable):
4.16.0-0.nightly-2024-04-22-023835
How reproducible:
Always
Steps to Reproduce:
{code:java}
#### Creating a new-project test

#### Configuring first NetworkAttachmentDefinition CR
oc create -f ip-overlapping-true-net-NAD1.yaml

#### Verifying the configured NetworkAttachmentDefinition CR
oc get net-attach-def ip-overlapping-true-1 -o yaml
apiVersion: k8s.cni.cncf.io/v1
kind: NetworkAttachmentDefinition
metadata:
  creationTimestamp: "2024-04-22T19:39:43Z"
  generation: 1
  name: ip-overlapping-true-1
  namespace: test
  resourceVersion: "50612"
  uid: bfb882dc-ecad-43fd-8d90-f7b147185ebf
spec:
  config: |
    {
      "cniVersion": "0.3.1",
      "name": "ip-overlapping-true-1",
      "type": "macvlan",
      "mode": "bridge",
      "ipam": {
        "type": "whereabouts",
        "range": "192.168.20.0/29",
        "enable_overlapping_ranges": true,
        "network_name": "ip-overlapping-true-1"
      }
    }

#### Configuring pods using first additional network
oc create -f ip-overlapping-true-net-POD1.yaml

#### Verifying multus ippools showing correct names
oc get overlappingrangeipreservations.whereabouts.cni.cncf.io -A
NAMESPACE          NAME                                 AGE
openshift-multus   ip-overlapping-true-1-192.168.20.1   33s
openshift-multus   ip-overlapping-true-1-192.168.20.2   33s
openshift-multus   ip-overlapping-true-1-192.168.20.3   33s
openshift-multus   ip-overlapping-true-1-192.168.20.4   32s
openshift-multus   ip-overlapping-true-1-192.168.20.5   32s
openshift-multus   ip-overlapping-true-1-192.168.20.6   32s

oc get ippools --all-namespaces
NAMESPACE          NAME                                    AGE
openshift-multus   ip-overlapping-true-1-192.168.20.0-29   60s

#### Verifying the pods getting the correct IP addresses for secondary interface
oc get pod
NAME                                            READY   STATUS    RESTARTS   AGE
ip-overlapping-true-net-pod1-64f86c48d5-2ftn7   1/1     Running   0          18s
ip-overlapping-true-net-pod1-64f86c48d5-4jdxn   1/1     Running   0          18s
ip-overlapping-true-net-pod1-64f86c48d5-4n7b2   1/1     Running   0          18s
ip-overlapping-true-net-pod1-64f86c48d5-8gztl   1/1     Running   0          18s
ip-overlapping-true-net-pod1-64f86c48d5-qvmz6   1/1     Running   0          18s
ip-overlapping-true-net-pod1-64f86c48d5-swc2q   1/1     Running   0          18s

for podname in `oc get pod -o wide -n test | grep pod | grep Running | awk '{print $1}'`; do echo $podname; oc -n test exec $podname -- ip a | grep 192.168; done
    inet 192.168.20.4/29 brd 192.168.20.7 scope global net1
ip-overlapping-true-net-pod1-64f86c48d5-4jdxn
    inet 192.168.20.5/29 brd 192.168.20.7 scope global net1
ip-overlapping-true-net-pod1-64f86c48d5-4n7b2
    inet 192.168.20.2/29 brd 192.168.20.7 scope global net1
ip-overlapping-true-net-pod1-64f86c48d5-8gztl
    inet 192.168.20.3/29 brd 192.168.20.7 scope global net1
ip-overlapping-true-net-pod1-64f86c48d5-qvmz6
    inet 192.168.20.1/29 brd 192.168.20.7 scope global net1
ip-overlapping-true-net-pod1-64f86c48d5-swc2q
    inet 192.168.20.6/29 brd 192.168.20.7 scope global net1

#### Verifying the pods can communicate with each other in the same subnet.
oc rsh ip-overlapping-true-net-pod1-64f86c48d5-2ftn7
~ $ curl 192.168.20.1:8080
ip-overlapping-true-net-pod1
~ $ curl 192.168.20.2:8080
ip-overlapping-true-net-pod1
~ $ curl 192.168.20.3:8080
ip-overlapping-true-net-pod1
~ $ curl 192.168.20.4:8080
ip-overlapping-true-net-pod1
~ $ curl 192.168.20.5:8080
ip-overlapping-true-net-pod1
~ $ curl 192.168.20.6:8080
ip-overlapping-true-net-pod1

#### Configuring secondary NetworkAttachmentDefinition CR
oc create -f ip-overlapping-true-net-NAD2.yaml

#### Verifying the secondary configured NetworkAttachmentDefinition CRs
oc get net-attach-def ip-overlapping-true-2 -o yaml
apiVersion: k8s.cni.cncf.io/v1
kind: NetworkAttachmentDefinition
metadata:
  creationTimestamp: "2024-04-22T19:52:55Z"
  generation: 1
  name: ip-overlapping-true-2
  namespace: test
  resourceVersion: "54869"
  uid: fbe3366d-6f75-4f3d-a76e-62a5f4769ead
spec:
  config: |
    {
      "cniVersion": "0.3.1",
      "name": "ip-overlapping-true-2",
      "type": "macvlan",
      "mode": "bridge",
      "ipam": {
        "type": "whereabouts",
        "range": "192.168.20.0/29",
        "enable_overlapping_ranges": true,
        "network_name": "ip-overlapping-true-2"
      }
    }

#### Configuring pods using secondary additional network
oc create -f ip-overlapping-true-net-POD2.yaml

#### Verifying multus ippools showing correct names
oc get overlappingrangeipreservations.whereabouts.cni.cncf.io -A
NAMESPACE          NAME                                 AGE
openshift-multus   ip-overlapping-true-1-192.168.20.1   4m39s
openshift-multus   ip-overlapping-true-1-192.168.20.2   4m39s
openshift-multus   ip-overlapping-true-1-192.168.20.3   4m39s
openshift-multus   ip-overlapping-true-1-192.168.20.4   4m38s
openshift-multus   ip-overlapping-true-1-192.168.20.5   4m38s
openshift-multus   ip-overlapping-true-1-192.168.20.6   4m38s
openshift-multus   ip-overlapping-true-2-192.168.20.1   36s
openshift-multus   ip-overlapping-true-2-192.168.20.2   36s
openshift-multus   ip-overlapping-true-2-192.168.20.3   35s
openshift-multus   ip-overlapping-true-2-192.168.20.4   35s
openshift-multus   ip-overlapping-true-2-192.168.20.5   35s
openshift-multus   ip-overlapping-true-2-192.168.20.6   35s

oc get ippools --all-namespaces
NAMESPACE          NAME                                    AGE
openshift-multus   ip-overlapping-true-1-192.168.20.0-29   4m45s
openshift-multus   ip-overlapping-true-2-192.168.20.0-29   42s

#### Verifying the pods can not get the correct IP addresses for secondary interface
oc get pod
NAME                                            READY   STATUS    RESTARTS   AGE
ip-overlapping-true-net-pod1-64f86c48d5-2ftn7   1/1     Running   0          3m7s
ip-overlapping-true-net-pod1-64f86c48d5-4jdxn   1/1     Running   0          3m7s
ip-overlapping-true-net-pod1-64f86c48d5-4n7b2   1/1     Running   0          3m7s
ip-overlapping-true-net-pod1-64f86c48d5-8gztl   1/1     Running   0          3m7s
ip-overlapping-true-net-pod1-64f86c48d5-qvmz6   1/1     Running   0          3m7s
ip-overlapping-true-net-pod1-64f86c48d5-swc2q   1/1     Running   0          3m7s
ip-overlapping-true-net-pod2-7f9f65cb8f-27knz   1/1     Running   0          56s
ip-overlapping-true-net-pod2-7f9f65cb8f-9ng5g   1/1     Running   0          56s
ip-overlapping-true-net-pod2-7f9f65cb8f-hfnpv   1/1     Running   0          56s
ip-overlapping-true-net-pod2-7f9f65cb8f-pdsqm   1/1     Running   0          56s
ip-overlapping-true-net-pod2-7f9f65cb8f-svgnp   1/1     Running   0          56s
ip-overlapping-true-net-pod2-7f9f65cb8f-zt7nj   1/1     Running   0          56s

for podname in `oc get pod -o wide -n test | grep pod | grep Running | awk '{print $1}'`; do echo $podname; oc -n test exec $podname -- ip a | grep 192.168; done
ip-overlapping-true-net-pod1-64f86c48d5-2ftn7
    inet 192.168.20.4/29 brd 192.168.20.7 scope global net1
ip-overlapping-true-net-pod1-64f86c48d5-4jdxn
    inet 192.168.20.5/29 brd 192.168.20.7 scope global net1
ip-overlapping-true-net-pod1-64f86c48d5-4n7b2
    inet 192.168.20.2/29 brd 192.168.20.7 scope global net1
ip-overlapping-true-net-pod1-64f86c48d5-8gztl
    inet 192.168.20.3/29 brd 192.168.20.7 scope global net1
ip-overlapping-true-net-pod1-64f86c48d5-qvmz6
    inet 192.168.20.1/29 brd 192.168.20.7 scope global net1
ip-overlapping-true-net-pod1-64f86c48d5-swc2q
    inet 192.168.20.6/29 brd 192.168.20.7 scope global net1
ip-overlapping-true-net-pod2-7f9f65cb8f-27knz
    inet 192.168.20.4/29 brd 192.168.20.7 scope global net1
ip-overlapping-true-net-pod2-7f9f65cb8f-9ng5g
    inet 192.168.20.6/29 brd 192.168.20.7 scope global net1
ip-overlapping-true-net-pod2-7f9f65cb8f-hfnpv
    inet 192.168.20.1/29 brd 192.168.20.7 scope global net1
ip-overlapping-true-net-pod2-7f9f65cb8f-pdsqm
    inet 192.168.20.2/29 brd 192.168.20.7 scope global net1
ip-overlapping-true-net-pod2-7f9f65cb8f-svgnp
    inet 192.168.20.3/29 brd 192.168.20.7 scope global net1
ip-overlapping-true-net-pod2-7f9f65cb8f-zt7nj
    inet 192.168.20.5/29 brd 192.168.20.7 scope global net1

#### Verifying the pods can communicate with each other in the same subnet.
$ oc rsh ip-overlapping-true-net-pod1-64f86c48d5-2ftn7
~ $ curl 192.168.20.1:8080
ip-overlapping-true-net-pod2
~ $ curl 192.168.20.2:8080
ip-overlapping-true-net-pod2
~ $ curl 192.168.20.3:8080
ip-overlapping-true-net-pod2
~ $ curl 192.168.20.4:8080
ip-overlapping-true-net-pod1
~ $ curl 192.168.20.5:8080
ip-overlapping-true-net-pod2
~ $ curl 192.168.20.6:8080
ip-overlapping-true-net-pod2
{code}
Actual results:
ip-overlapping-true-net-pod1-64f86c48d5-2ftn7 can communicate with any pods created in k8s.v1.cni.cncf.io/networks: ip-overlapping-true-2
Expected results:
ip-overlapping-true-net-pod1-64f86c48d5-2ftn7 should not communicate with any pods created in k8s.v1.cni.cncf.io/networks: ip-overlapping-true-2
Additional info:
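
Added example, not part of the original report and not code from the whereabouts or Multus projects: a Python audit over NetworkAttachmentDefinition `spec.config` strings that flags pairs whose whereabouts ranges overlap while their `network_name` differs, the configuration reproduced above in which both pools issued 192.168.20.1 through 192.168.20.6. Assumptions: only the plain CIDR form of `range` is handled, NADs with the same `network_name` are assumed to share reservations, the two `control-*` entries are constructed, and the final boolean only compares `type`/`master`/`mode`; whether the pods actually share a broadcast domain depends on node networking that this script does not inspect.

```python
import ipaddress
import json
from itertools import combinations

def nad(name, cidr, network_name):
    """Build a spec.config string shaped like the ones in the report."""
    ipam = {"type": "whereabouts", "range": cidr,
            "enable_overlapping_ranges": True, "network_name": network_name}
    return json.dumps({"cniVersion": "0.3.1", "name": name,
                       "type": "macvlan", "mode": "bridge", "ipam": ipam})

# First two entries mirror the report's NADs; the last two are constructed controls.
NAD_CONFIGS = [
    nad("ip-overlapping-true-1", "192.168.20.0/29", "ip-overlapping-true-1"),
    nad("ip-overlapping-true-2", "192.168.20.0/29", "ip-overlapping-true-2"),
    nad("control-other-range", "192.168.30.0/29", "control-other-range"),
    nad("control-shared-pool", "192.168.20.0/29", "ip-overlapping-true-1"),
]

def whereabouts_ipam(cfg):
    """Return (network, network_name) for a whereabouts NAD, else None."""
    ipam = cfg.get("ipam", {})
    if ipam.get("type") != "whereabouts" or "range" not in ipam:
        return None
    # Plain CIDR only; strict=False accepts a range written with host bits set.
    return ipaddress.ip_network(ipam["range"], strict=False), ipam.get("network_name", "")

def attachment(cfg):
    """Plugin type, parent interface and mode as written in the config."""
    return cfg.get("type"), cfg.get("master"), cfg.get("mode")

def find_duplicate_address_risks(config_strings):
    """Pairs of NADs whose separately named pools can issue the same address."""
    findings = []
    for a, b in combinations([json.loads(s) for s in config_strings], 2):
        ia, ib = whereabouts_ipam(a), whereabouts_ipam(b)
        if ia is None or ib is None:
            continue
        (net_a, pool_a), (net_b, pool_b) = ia, ib
        if net_a.version != net_b.version or not net_a.overlaps(net_b):
            continue
        if pool_a == pool_b:
            continue  # assumption: same network_name means shared reservations
        shared = max(net_a, net_b, key=lambda n: n.prefixlen)  # the narrower CIDR
        findings.append((a["name"], b["name"], str(shared), attachment(a) == attachment(b)))
    return findings

if __name__ == "__main__":
    print(*find_duplicate_address_risks(NAD_CONFIGS), sep="\n")
```

Each finding is `(nad_a, nad_b, overlapping_cidr, same_attachment_fields)`; a `True` in the last position marks the pairs worth checking for cross-network reachability like that shown in the `curl` output above.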