-
Bug
-
Resolution: Unresolved
-
Undefined
-
None
-
4.14.z
-
None
Description of problem:
After upgrading from 4.12 to 4.14, the customer reports that the pods cannot reach their service when a NetworkAttachmentDefinition is set.
How reproducible:
Create a NetworkAttachmentDefinition
Steps to Reproduce:
1.Create a pod with a service.
2. Curl the service from inside the pod. Works.
3. Create a NetworkAttachmentDefinition.
4. The same curl does not work
Actual results:
Pod does not reach service
Expected results:
Pod reaches service
Additional info:
specifically updating the bug overview for posterity here but the specific issue is that we have pods set up with an exposed port (8080 - port doesn't matter), and a service with 1 endpoint pointing to the specific pod. We can call OTHER PODS in the same namespace via their single-endpoint call service, but we cannot call OURSELVES from inside the pod.
The issue is with hairpinning loopback return. Is not affected by networkpolicy and appears to be an issue with (as discovered later in this jira) asymmetric routing in that return path to the container after it leaves the local net.
This behavior is only observed when a network-attachment-definition is added to the pod and appears to be an issue with the way route rules are defined.
A workaround is available to inject the container with a route specicically, or modify the Net-attach-def to ensure a loopback route is available to the container space.
KCS for this problem with workarounds + patch fix versions (when available): https://access.redhat.com/solutions/7084866
- clones
-
-
- ON_QA
-
- depends on
-
-
- ON_QA
-
- links to
