Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-5077

Service spec value `externalTrafficPolicy` does not trigger rules update in ovnkube-node pod handlers on edit

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Undefined
    • None
    • 4.10.z
    • Networking / ovn-kubernetes
    • None
    • Low
    • Rejected
    • False
    • Hide

      None

      Show
      None

    Description

      Description of problem:

      [ovn] [ocp 4.10.z] Service `spec.externalTrafficPolicy` does not trigger rules update in ovnkube-node pod handlers on edit, even though it does successfully update the rules if deployed explicitly with that spec value set, or if you delete the handler pods for ovn (forces a refresh).

      Version-Release number of selected component (if applicable):

      observed in 4.10.32 and 4.10.40, tested on azure platform.

      How reproducible:

      every time

      Steps to Reproduce:

      1. Deploy a test pod with curlable resource in a test namespace

2. create a service from yaml exposing pod at internal clusterIP (example yaml provided by customer below)
~~~ 
apiVersion: v1
kind: Service
metadata:
  labels:
    run: test
  name: test
  annotations:
    service.beta.kubernetes.io/azure-load-balancer-internal: "true"
    service.beta.kubernetes.io/azure-load-balancer-internal-subnet: paas1
spec:
  allocateLoadBalancerNodePorts: true
  externalTrafficPolicy: Cluster ##MODIFY THIS SPEC VALUE AND OBSERVE FAIL CONDITION
  internalTrafficPolicy: Cluster
  ipFamilies:
  - IPv4
  ipFamilyPolicy: SingleStack
  ports:
  - port: 8000
    protocol: TCP
    targetPort: 8000
  selector:
    run: test
  sessionAffinity: None
  type: LoadBalancer
~~~

3. curl against service succeeds
4. edit service to change `spec.externalTrafficPolicy: local`
5. observe externalIP does not change, but healthz port updates
6. curl against same externalIP:port time out indefinitely, no response.

//workaround: 

delete service and redeploy with spec line set already to `local`, or delete ovnkube-node pod serving pod(s) to force refresh the local ruleset and allow traffic (curls subsequently will succeed).

      Actual results:

      spec change appears to update properly in the database but does not send a notification to update the ovnkube-node pod handlers (or similar) to allow traffic through once the externalTrafficPolicy spec value is changed.

      Expected results:

      spec change to service yaml should be immediately updated in DB AND update ovnkube-node handlers for same.

      Additional info:

      Attachments available and case number with specifics in next internal comment.

      Attachments

        Issue Links

          depends on

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-2554 ingress, authentication and console operator goes to degraded after switching default application router scope

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          links to

          GitHub openshift/ovn-kubernetes#1463: OCPBUGS-5077: [release-4.10] Fix load balancer health check locking and update

          Activity

            People

              trozet@redhat.com Tim Rozet
              rhn-support-wrussell Will Russell
              Arti Sood Arti Sood
              Votes:
              0 Vote for this issue
              Watchers:
              9 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: