Loading...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Major
Fix Version/s: 4.17.z
Affects Version/s: 4.14.z
Component/s: Networking / ovn-kubernetes
Labels:
- SDN:OVNK:EgressIP

Activity Type:
Quality / Stability / Reliability
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Story Points:
None
Severity:
Important
Regression:
None

Target Backport Versions:
None
Target Version:

4.17.0
Release Blocker:
None
Sprint:
None

Customer Impact:

Customer Escalated
RH Private Keywords:

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Test Coverage:

+

PX Review Complete:
PX Priority Data:
PX Impact Score:

Release Note Status:
Done
Release Note Type:
Bug Fix
Release Note Text:

Hide
Previously, when a pod was running on a node on which egress IPv6 is assigned, the pod was not able to communicate with the Kubernetes service in a dual stack cluster. This resulted in the traffic with the IP family, that the egressIP is not applicable to, being dropped. With this release, only the source network address translation (SNAT) for the IP family that the egress IPs applied to is deleted, eliminating the risk of traffic being dropped.
(link:https://issues.redhat.com/browse/OCPBUGS-48828[*~~OCPBUGS-48828~~*])

Show
Previously, when a pod was running on a node on which egress IPv6 is assigned, the pod was not able to communicate with the Kubernetes service in a dual stack cluster. This resulted in the traffic with the IP family, that the egressIP is not applicable to, being dropped. With this release, only the source network address translation (SNAT) for the IP family that the egress IPs applied to is deleted, eliminating the risk of traffic being dropped. (link: https://issues.redhat.com/browse/OCPBUGS-48828 [* OCPBUGS-48828 *])

Escape Reason:
Escape Impact:
Corrective Measures:
SDLC stage when should've been found:

Description of problem:

I have a case, where when a customer tried to curl the k8s svc from the pod which was scheduled on a node on which egress IPv6 is attached, getting connection timed out.

They have configured IPv4 egressIP and IPv6 egressIP in a single egress object, which is not working as expected and they are not able to get a response while curling to the k8s svc but when try to curl the DNS service, it is working.

$ oc get egressips.k8s.ovn.org -o yaml
apiVersion: v1
items:
- apiVersion: k8s.ovn.org/v1
  kind: EgressIP
  metadata:
    annotations:
      kubectl.kubernetes.io/last-applied-configuration: |
        {"apiVersion":"k8s.ovn.org/v1","kind":"EgressIP","metadata":{"annotations":{},"name":"egressip"},"spec":{"egressIPs":["10.91.131.199","2a00:8a00:4000:020c:0000:0000:0002:0955"],"namespaceSelector":{},"podSelector":{"matchLabels":{"default-egress":"enabled"}}}}
    creationTimestamp: "2024-06-12T13:25:28Z"
    generation: 5
    name: egressip
    resourceVersion: "198127"
    uid: 6fb67bf3-148b-4453-8c7c-4b2e1e467d3f
  spec:
    egressIPs:
    - 10.91.131.199
    - 2a00:8a00:4000:020c:0000:0000:0002:0955
    namespaceSelector: {}
    podSelector:
      matchLabels:
        default-egress: enabled
  status:
    items:
    - egressIP: 2a00:8a00:4000:20c::2:955
      node: slabnode2439.sprintlab750cluster.tre.nsn-rdnet.net
    - egressIP: 10.91.131.199
      node: slabnode2440.sprintlab750cluster.tre.nsn-rdnet.net
kind: List
metadata:
  resourceVersion: ""

curl -k -v https://172.30.0.1:443/api?timeout=32s

  Trying 172.30.0.1:443...
connect to 172.30.0.1 port 443 failed: Connection timed out
Failed to connect to 172.30.0.1 port 443: Connection timed out
Closing connection 0
curl: (28) Failed to connect to 172.30.0.1 port 443: Connection timed out

But when they created two separate egress objects for IPv4 and IPv6 egress assignment, they are able to curl the k8s svc IP.

$ oc get egressips.k8s.ovn.org NAME EGRESSIPS ASSIGNED NODE ASSIGNED EGRESSIPS egressip 10.91.131.199 slabnode2440.sprintlab750cluster.tre.nsn-rdnet.net 10.91.131.199 egressip-ipv6 2a00:8a00:4000:020c:0000:0000:0002:0955 slabnode2438.sprintlab750cluster.tre.nsn-rdnet.net 2a00:8a00:4000:20c::2:955

They have not modified the Kubernetes service in the default namespace. It is a single stack with ipv4.

Neep help in understanding, how we can configure IPv6 and IPv4 egress IPs in a dual-stack cluster.
Should we need to add any on-top /additional configuration to make the default Kubernetes service dual stack? If so, can you please share the documentation for the same?

clones

OCPBUGS-37193 [release-4.18] Pod running on a node on which egress IPv6 is assigned, not able to communicate with k8s service in a dual stack cluster.

Closed

depends on

OCPBUGS-37193 [release-4.18] Pod running on a node on which egress IPv6 is assigned, not able to communicate with k8s service in a dual stack cluster.

Closed

is cloned by

OCPBUGS-50594 [4.16z] Pod running on a node on which egress IPv6 is assigned, not able to communicate with k8s service in a dual stack cluster.

Closed

is depended on by

OCPBUGS-50594 [4.16z] Pod running on a node on which egress IPv6 is assigned, not able to communicate with k8s service in a dual stack cluster.

Closed

links to

openshift/ovn-kubernetes#2425: [release-4.17] OCPBUGS-48828: fixes overzealous deletion of SNAT in egressIP

RHBA-2025:1403 OpenShift Container Platform 4.17.z bug fix update

(1 links to)

Assignee:: Jamo Luhrsen

Reporter:: Anjali Khandelwal

Need Info From:: None

Contributors:: None

QA Contact:: Jean Chen

Doc Contact:: Padraig OGrady

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Created:: 2025/01/24 12:41 AM

Updated:: 2025/07/16 1:40 PM

Resolved:: 2025/02/18 5:47 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates