Bug
Resolution: Done
4.12
Important
OCP VE Sprint 224, OCP VE Sprint 225
Description of problem:
Version-Release number of selected component (if applicable):
4.12.0-0.nightly-2022-08-15-150248
How reproducible:
Steps to Reproduce:
1. Label one node as egress node
2. Create egressIP object
$ oc get egressip -o yaml
apiVersion: k8s.ovn.org/v1
kind: EgressIP
metadata:
  creationTimestamp: "2022-08-19T07:00:13Z"
  generation: 4
  name: egressip
  resourceVersion: "164963"
  uid: da91f9ce-71da-4003-ba4e-df7d7c0f23d0
spec:
  egressIPs:
  - 192.168.12.246
  namespaceSelector:
    matchLabels:
      org: pm
status:
  items:
  - egressIP: 192.168.12.246
    node: huirwang-0819a-ngdlt-worker-0
3. Created a namespace and test pods in it. Scaled the test pods to 10. Added the org=pm label to the namespace.
4. Scale down CNO to 0
5. Delete ovnkube-master pods
6. Scaled test pods to 1
$ oc get pods -n eags6 -o wide
NAME            READY   STATUS    RESTARTS   AGE   IP            NODE                            NOMINATED NODE   READINESS GATES
test-rc-bd56x   1/1     Running   0          17m   10.131.0.18   huirwang-0819a-ngdlt-worker-0   <none>           <none>
$ oc get ns eags6 --show-labels
NAME    STATUS   AGE   LABELS
eags6   Active   18m   kubernetes.io/metadata.name=eags6,org=pm,pod-security.kubernetes.io/enforce-version=v1.24,pod-security.kubernetes.io/enforce=restricted
7. Scale up CNO to 1
8. Check lr-policy-list and snat
Actual results:
No lr-policy-list for egressip, but it had snat here:
sh-4.4# ovn-nbctl lr-policy-list ovn_cluster_router
Routing Policies
1004 inport == "rtos-huirwang-0819a-ngdlt-master-0" && ip4.dst == 192.168.0.91 /* huirwang-0819a-ngdlt-master-0 */ reroute 10.128.0.2
1004 inport == "rtos-huirwang-0819a-ngdlt-master-1" && ip4.dst == 192.168.0.5 /* huirwang-0819a-ngdlt-master-1 */ reroute 10.129.0.2
1004 inport == "rtos-huirwang-0819a-ngdlt-master-1" && ip4.dst == 192.168.3.38 /* huirwang-0819a-ngdlt-master-1 */ reroute 10.129.0.2
1004 inport == "rtos-huirwang-0819a-ngdlt-master-2" && ip4.dst == 192.168.3.48 /* huirwang-0819a-ngdlt-master-2 */ reroute 10.130.0.2
1004 inport == "rtos-huirwang-0819a-ngdlt-worker-0" && ip4.dst == 192.168.2.179 /* huirwang-0819a-ngdlt-worker-0 */ reroute 10.131.0.2
1004 inport == "rtos-huirwang-0819a-ngdlt-worker-1" && ip4.dst == 192.168.2.134 /* huirwang-0819a-ngdlt-worker-1 */ reroute 10.128.2.2
1004 inport == "rtos-huirwang-0819a-ngdlt-worker-2" && ip4.dst == 192.168.0.7 /* huirwang-0819a-ngdlt-worker-2 */ reroute 10.129.2.2
1004 inport == "rtos-huirwang-0819a-ngdlt-worker-2" && ip4.dst == 192.168.3.202 /* huirwang-0819a-ngdlt-worker-2 */ reroute 10.129.2.2
101 ip4.src == 10.128.0.0/14 && ip4.dst == 10.128.0.0/14 allow
101 ip4.src == 10.128.0.0/14 && ip4.dst == 100.64.0.0/16 allow
101 ip4.src == 10.128.0.0/14 && ip4.dst == 192.168.0.91/32 allow
101 ip4.src == 10.128.0.0/14 && ip4.dst == 192.168.2.134/32 allow
101 ip4.src == 10.128.0.0/14 && ip4.dst == 192.168.2.179/32 allow
101 ip4.src == 10.128.0.0/14 && ip4.dst == 192.168.3.202/32 allow
101 ip4.src == 10.128.0.0/14 && ip4.dst == 192.168.3.38/32 allow
101 ip4.src == 10.128.0.0/14 && ip4.dst == 192.168.3.48/32 allow
sh-4.4# ovn-nbctl --format=csv find nat external_ids:name=egressip
_uuid,allowed_ext_ips,exempted_ext_ips,external_ids,external_ip,external_mac,external_port_range,gateway_port,logical_ip,logical_port,options,type
b5dd675f-94c3-4529-bb1c-ab264f563d63,[],[],{name=egressip},"""192.168.12.246""",[],"""""",[],"""10.131.0.18""",k8s-huirwang-0819a-ngdlt-worker-0,"{stateless=""false""}",snat
The source IP of egress traffic was not the EgressIP:
$ oc rsh -n eags6 test-rc-bd56x
~ $ curl 192.168.3.11:9095
192.168.2.179~
Expected results:
EgressIP lr-policy-list should be updated correctly.
Additional info:
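
Added example, not part of the original report and not OVN-Kubernetes code: a check that cross-references the two command outputs from step 8 and flags any pod that has an EgressIP SNAT row but no reroute policy, which is the state this bug leaves behind. The input is shortened from the output above; the priority-100 `ip4.src == <pod IP>` policy shape is an assumption about a healthy cluster and is not shown on this page.

```python
import csv
import io
import re

# Input shortened from the command output in the report above.
LR_POLICY_LIST = """Routing Policies
      1004 inport == "rtos-huirwang-0819a-ngdlt-worker-0" && ip4.dst == 192.168.2.179 /* huirwang-0819a-ngdlt-worker-0 */ reroute 10.131.0.2
       101 ip4.src == 10.128.0.0/14 && ip4.dst == 10.128.0.0/14 allow
       101 ip4.src == 10.128.0.0/14 && ip4.dst == 192.168.2.179/32 allow
"""
NAT_CSV = '''_uuid,allowed_ext_ips,exempted_ext_ips,external_ids,external_ip,external_mac,external_port_range,gateway_port,logical_ip,logical_port,options,type
b5dd675f-94c3-4529-bb1c-ab264f563d63,[],[],{name=egressip},"""192.168.12.246""",[],"""""",[],"""10.131.0.18""",k8s-huirwang-0819a-ngdlt-worker-0,"{stateless=""false""}",snat
'''

# Assumption (not shown on the page): a healthy EgressIP pod has a policy of
# the form "100 ip4.src == <pod IP> reroute <next hop>" on ovn_cluster_router.
EGRESSIP_PRIORITY = 100
POLICY_RE = re.compile(r"^\s*(\d+)\s+(.*)\s+(allow|drop|reroute)\b")
SRC_RE = re.compile(r"\bip[46]\.src == (\S+)")


def reroute_sources(lr_policy_list, priority=EGRESSIP_PRIORITY):
    """Return source IPs that have a reroute policy at the given priority."""
    sources = set()
    for line in lr_policy_list.splitlines():
        m = POLICY_RE.match(line)  # the "Routing Policies" header never matches
        if m and int(m.group(1)) == priority and m.group(3) == "reroute":
            sources.update(SRC_RE.findall(m.group(2)))
    return sources


def orphaned_snat(lr_policy_list, nat_csv):
    """Return (pod IP, egress IP, logical port) for SNAT rows with no policy."""
    covered = reroute_sources(lr_policy_list)
    orphans = []
    for row in csv.DictReader(io.StringIO(nat_csv)):
        # ovn-nbctl CSV wraps string values in literal double quotes.
        logical_ip = row["logical_ip"].strip('"')
        if row["type"] == "snat" and logical_ip not in covered:
            orphans.append((logical_ip, row["external_ip"].strip('"'), row["logical_port"]))
    return orphans


if __name__ == "__main__":
    for pod_ip, egress_ip, port in orphaned_snat(LR_POLICY_LIST, NAT_CSV):
        print(f"{pod_ip}: SNAT to {egress_ip} on {port} but no reroute policy")
```

On the data from this report it flags pod 10.131.0.18, whose traffic left with the node IP 192.168.2.179 instead of 192.168.12.246.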