
[4.17z] Pod running on a node on which egress IPv6 is assigned, not able to communicate with k8s service in a dual stack cluster.

    • Important
    • None
    • False
    • Previously, when a pod was running on a node on which egress IPv6 is assigned, the pod was not able to communicate with the Kubernetes service in a dual-stack cluster. This resulted in traffic with the IP family, that the `egressIP` object is not applicable to, being dropped. With this release, only the source network address translation (SNAT) for the IP family that the egress IP applied to is deleted, eliminating the risk of traffic being dropped. (link:https://issues.redhat.com/browse/OCPBUGS-48828[*OCPBUGS-48828*])
    • Bug Fix
    • Done
    • Customer Escalated

      Description of problem:

      I have a case where a customer tried to curl the k8s svc from a pod that was scheduled on a node to which an egress IPv6 is attached, and got a connection timeout.

      They have configured an IPv4 egressIP and an IPv6 egressIP in a single egress object, which is not working as expected: they are not able to get a response when curling the k8s svc, but when they try to curl the DNS service, it works.

       

      $ oc get egressips.k8s.ovn.org -o yaml
      apiVersion: v1
      items:
      - apiVersion: k8s.ovn.org/v1
        kind: EgressIP
        metadata:
          annotations:
            kubectl.kubernetes.io/last-applied-configuration: |
              {"apiVersion":"k8s.ovn.org/v1","kind":"EgressIP","metadata":{"annotations":{},"name":"egressip"},"spec":{"egressIPs":["10.91.131.199","2a00:8a00:4000:020c:0000:0000:0002:0955"],"namespaceSelector":{},"podSelector":{"matchLabels":{"default-egress":"enabled"}}}}
          creationTimestamp: "2024-06-12T13:25:28Z"
          generation: 5
          name: egressip
          resourceVersion: "198127"
          uid: 6fb67bf3-148b-4453-8c7c-4b2e1e467d3f
        spec:
          egressIPs:
          - 10.91.131.199
          - 2a00:8a00:4000:020c:0000:0000:0002:0955
          namespaceSelector: {}
          podSelector:
            matchLabels:
              default-egress: enabled
        status:
          items:
          - egressIP: 2a00:8a00:4000:20c::2:955
            node: slabnode2439.sprintlab750cluster.tre.nsn-rdnet.net
          - egressIP: 10.91.131.199
            node: slabnode2440.sprintlab750cluster.tre.nsn-rdnet.net
      kind: List
      metadata:
        resourceVersion: "" 

       

       

      curl -k -v https://172.30.0.1:443/api?timeout=32s
      
        Trying 172.30.0.1:443...
      connect to 172.30.0.1 port 443 failed: Connection timed out
      Failed to connect to 172.30.0.1 port 443: Connection timed out
      Closing connection 0
      curl: (28) Failed to connect to 172.30.0.1 port 443: Connection timed out 

      But when they created two separate egress objects for IPv4 and IPv6 egress assignment, they were able to curl the k8s svc IP.

      $ oc get egressips.k8s.ovn.org
      NAME            EGRESSIPS                                 ASSIGNED NODE                                        ASSIGNED EGRESSIPS
      egressip        10.91.131.199                             slabnode2440.sprintlab750cluster.tre.nsn-rdnet.net   10.91.131.199
      egressip-ipv6   2a00:8a00:4000:020c:0000:0000:0002:0955   slabnode2438.sprintlab750cluster.tre.nsn-rdnet.net   2a00:8a00:4000:20c::2:955

      They have not modified the Kubernetes service in the default namespace. It is single stack with IPv4.

      • Need help in understanding how we can configure IPv6 and IPv4 egress IPs in a dual-stack cluster.
      • Do we need to add any on-top/additional configuration to make the default Kubernetes service dual stack? If so, can you please share the documentation for the same?
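
An added example (not part of the ticket and not OVN-Kubernetes code): a Python check over an EgressIP object that reports, per node, the IP family for which the object placed no egress IP there, which is the situation described in this report. The dict is constructed from the object shown above; the function names are hypothetical, and treating both families symmetrically is an assumption based on the release note wording.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: spec/status values copied from the EgressIP object above.
# On a live cluster the same structure comes from
# `oc get egressips.k8s.ovn.org -o json` (one entry of .items).
EGRESSIP = {
    "metadata": {"name": "egressip"},
    "spec": {"egressIPs": ["10.91.131.199",
                           "2a00:8a00:4000:020c:0000:0000:0002:0955"]},
    "status": {"items": [
        {"egressIP": "2a00:8a00:4000:20c::2:955",
         "node": "slabnode2439.sprintlab750cluster.tre.nsn-rdnet.net"},
        {"egressIP": "10.91.131.199",
         "node": "slabnode2440.sprintlab750cluster.tre.nsn-rdnet.net"},
    ]},
}

FAMILIES = {"IPv4", "IPv6"}  # assumption: the cluster is dual stack


def family(addr):
    """Return 'IPv4' or 'IPv6' for a textual address."""
    return f"IPv{ipaddress.ip_address(addr).version}"


def unassigned(obj):
    """Spec addresses with no status entry.

    The spec holds the expanded IPv6 form and the status the compressed one,
    so both sides are parsed before comparing instead of matched as strings.
    """
    items = obj.get("status", {}).get("items", [])
    assigned = {ipaddress.ip_address(i["egressIP"]) for i in items}
    return [a for a in obj["spec"]["egressIPs"]
            if ipaddress.ip_address(a) not in assigned]


def uncovered_families(obj):
    """Map node -> families for which this object assigned no egress IP there."""
    if len({family(a) for a in obj["spec"]["egressIPs"]}) < 2:
        return {}  # single-family object: not the configuration in this report
    per_node = defaultdict(set)
    for item in obj.get("status", {}).get("items", []):
        per_node[item["node"]].add(family(item["egressIP"]))
    return {node: sorted(FAMILIES - fams)
            for node, fams in per_node.items() if FAMILIES - fams}


if __name__ == "__main__":
    print("unassigned:", unassigned(EGRESSIP))
    for node, fams in uncovered_families(EGRESSIP).items():
        print(f"{node}: no egress IP on this node for {', '.join(fams)}")
```

For the object in this report, the node holding the IPv6 egress IP is listed with IPv4 uncovered, matching the timed-out connection to 172.30.0.1.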

              jluhrsen Jamo Luhrsen
              rhn-support-ankhande Anjali Khandelwal
              Jean Chen Jean Chen
              Padraig OGrady Padraig OGrady