- Bug
- Resolution: Won't Do
- Undefined
- None
- 4.14
- Important
- None
- False
Description of problem:
- the namespace the application is deployed to is a member of the service mesh
- the deployment of the app carries the following sidecar annotations:
    traffic.sidecar.istio.io/excludeInboundPorts: <port>
    traffic.sidecar.istio.io/excludeOutboundIPRanges: <ip_list>
    traffic.sidecar.istio.io/includeInboundPorts: '*'
    traffic.sidecar.istio.io/includeOutboundIPRanges: '*'
- there are other network policies added to the namespace besides the two netpols that are created by the service mesh by default
- the namespace is using EGRESS_IP assignment
- the service type is NodePort
- the network config is set to routingViaHost=true
- the externalTrafficPolicy of the service is Local -> in this scenario accessing the application from the F5 loadbalancers doesn't work
- Connectivity issue when the external F5 Loadbalancer accesses the http health endpoint on NodePort 30442:
    F5 LB IP 1 to NodePort 30442
    F5 LB IP 2 to NodePort 30442
- UTC timestamp (09:14)
- pcaps (in comment including IPs)
Net Policy with 0.0.0.0/0 from https://access.redhat.com/solutions/6999225 didn't solve the problem.

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-ingress-from-outside
spec:
  podSelector: {}
  ingress:
  - from:
    - ipBlock:
        cidr: <address>/<mask>   # add the external network addresses that access the respective services
  policyTypes:
  - Ingress
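Because the namespace carries several NetworkPolicies besides the two the mesh creates, it helps to know exactly what the policy layer admits before looking elsewhere. The following evaluator is an added example written for this page, not code from the bug report or from OpenShift: it applies Kubernetes NetworkPolicy ingress semantics (a pod selected by any Ingress-type policy is isolated; traffic is admitted if any rule of any selecting policy matches; ipBlock honours `except`; a rule without `ports` matches all ports) to a set of policies. It assumes every policy passed in selects the pod (label matching is not modelled), it does not resolve named ports, and the policies and addresses are constructed: ALLOW_ANY is the allow-ingress-from-outside policy above with the cidr placeholder filled as 0.0.0.0/0, ALLOW_F5 is a narrower variant, and the 192.0.2.x / 198.51.100.x addresses are RFC 5737 documentation ranges standing in for the real F5 LB IPs. With externalTrafficPolicy: Local the client source address is preserved, so this is the source the ipBlock rules see. Running it shows that a 0.0.0.0/0 rule admits every source at the policy layer, consistent with the report that this policy did not change the outcome.

```python
import ipaddress
from typing import Dict, List

# Constructed policies for this example (not taken from the attached must-gather).
ALLOW_ANY = {
    "metadata": {"name": "allow-ingress-from-outside"},
    "spec": {
        "podSelector": {},
        "policyTypes": ["Ingress"],
        "ingress": [{"from": [{"ipBlock": {"cidr": "0.0.0.0/0"}}]}],
    },
}
ALLOW_F5 = {  # narrower variant: only a /24 minus one host, only the app port
    "metadata": {"name": "allow-ingress-from-f5"},
    "spec": {
        "podSelector": {},
        "policyTypes": ["Ingress"],
        "ingress": [{
            "from": [{"ipBlock": {"cidr": "192.0.2.0/24", "except": ["192.0.2.99/32"]}}],
            "ports": [{"protocol": "TCP", "port": 8080}],
        }],
    },
}
DENY_ALL = {  # selects the pod, Ingress type, no rules => nothing admitted
    "metadata": {"name": "default-deny-ingress"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress"]},
}


def _ip_block_matches(block: dict, src_ip: str) -> bool:
    """True if src_ip is inside block['cidr'] and not inside any 'except' entry."""
    ip = ipaddress.ip_address(src_ip)
    if ip not in ipaddress.ip_network(block["cidr"], strict=False):
        return False
    return not any(ip in ipaddress.ip_network(e, strict=False)
                   for e in block.get("except", []))


def _ports_match(ports: List[dict], protocol: str, port: int) -> bool:
    """A rule without 'ports' matches every port; otherwise any entry must match."""
    if not ports:
        return True
    for p in ports:
        if p.get("protocol", "TCP") != protocol:
            continue
        if "port" not in p:          # protocol only => all ports of that protocol
            return True
        lo = p["port"]
        if isinstance(lo, str):      # named port: needs the pod spec, not modelled here
            continue
        if lo <= port <= p.get("endPort", lo):
            return True
    return False


def _rule_allows(rule: dict, src_ip: str, protocol: str, port: int) -> bool:
    if not _ports_match(rule.get("ports", []), protocol, port):
        return False
    peers = rule.get("from")
    if not peers:                    # empty/missing 'from' => any source
        return True
    # podSelector / namespaceSelector peers can never match an external client IP.
    return any("ipBlock" in peer and _ip_block_matches(peer["ipBlock"], src_ip)
               for peer in peers)


def ingress_allowed(policies: List[dict], src_ip: str, port: int,
                    protocol: str = "TCP") -> bool:
    """Union semantics: admitted if any rule of any Ingress-type policy allows it.
    No Ingress-type policy selecting the pod means the pod is not isolated."""
    selecting = [p for p in policies
                 if "Ingress" in (p["spec"].get("policyTypes") or ["Ingress"])]
    if not selecting:
        return True
    return any(_rule_allows(rule, src_ip, protocol, port)
               for p in selecting for rule in p["spec"].get("ingress", []))


def evaluate_sources(policies: List[dict], sources: List[str], port: int,
                     protocol: str = "TCP") -> Dict[str, bool]:
    """Map each candidate client address to whether the policy layer admits it."""
    return {s: ingress_allowed(policies, s, port, protocol) for s in sources}


if __name__ == "__main__":
    f5_ips = ["192.0.2.10", "192.0.2.11"]   # constructed stand-ins for F5 LB IP 1 / IP 2
    probe = f5_ips + ["192.0.2.99", "198.51.100.7"]
    for label, pols in [("no policy", []), ("deny-all", [DENY_ALL]),
                        ("allow-any", [ALLOW_ANY]), ("allow-f5", [ALLOW_F5]),
                        ("allow-f5 + allow-any", [ALLOW_F5, ALLOW_ANY])]:
        print(f"{label:22s} port 8080: {evaluate_sources(pols, probe, 8080)}")
```

Feed it the pod port (the Service's targetPort), not the NodePort: by the time the packet reaches the pod it has been DNATed, and NetworkPolicy is evaluated against the pod-level 5-tuple. If the evaluator says "admitted" for the real LB addresses and the health check still fails, the policy layer is not where to keep looking.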
Version-Release number of selected component (if applicable):
4.14.
How reproducible:
Local reproduction of the problem failed so far due to the complexity of the customer's setup
Steps to Reproduce:
n/a
Actual results:
Accessing the service from the F5 Loadbalancer doesn't work (can't be checked via the /health endpoint)
Expected results:
Service should be accessible
Additional info:
Affected Platforms:
Customer is running on vSphere
Data attached
- Service Mesh Must Gather (servicemesh-must-gather.local.448886470022687832.tar.xz)
- Regular Must Gather (must-gather.local.6749618347009820290.tar.xz)
- Namespace Inspect of the affected pod that can't be reached (<ns>-inspect.local.9057403696363463024.tar.xz)