Bug
Resolution: Duplicate
4.18, 4.19
Quality / Stability / Reliability
CORENET Sprint 272
This bug affects Azure clusters which do not set OutboundType: UserDefinedRouting.
In 4.14 (and likely some subsequent releases, but we have not confirmed which), if a pod was matched by an EgressIP's match rules, that pod was able to access the public internet (e.g. ping google.com).
In 4.19 that is no longer the case. A pod matched by an EgressIP's match rules does not have external connectivity.
To be specific, take the following EgressIP (switch to text mode, because there are not enough hours in the day for me to work out how to make this preformatted in Jira markup):
apiVersion: k8s.ovn.org/v1
kind: EgressIP
metadata:
  name: test
spec:
  egressIPs:
  - 10.0.130.1
  namespaceSelector:
    matchLabels:
      kubernetes.io/metadata.name: test
  podSelector:
    matchLabels:
      app: test
- Provision a new cluster
- Create a pod in namespace test with label app: test
- Exec into that pod
- ping google.com
This works on 4.14. It does not work on 4.19.
To make matters more complicated, I suspect that, as the load balancer involved is unmanaged after installation, if you installed a cluster on 4.14 and upgraded it to 4.19 it would work.
I summarised this in a more readable format here: https://docs.google.com/document/d/1Uy0wxYt3WJzhpgmFvRE7IVJMaQiNREK1qoJocRAdd6Q/edit?tab=t.0#heading=h.8d3gp638dpy7