Bug
Resolution: Done
4.14.z, 4.15.z, 4.17, 4.16.z, 4.18.z, 4.19.z
Quality / Stability / Reliability
OSDOCS Sprint 273, OSDOCS Sprint 274
Description of problem:
In this section of the documentation: https://docs.redhat.com/en/documentation/openshift_container_platform/4.19/html/networking/ovn-kubernetes-network-plugin#nw-egress-ips-multi-nic-considerations_configuring-egress-ips-ovn

There is a cosmetic error where it says:

"In OpenShift Container Platform, egress IPs provide administrators a way to control network traffic. Egress IPs can be used with the br-ex, or primary, network interface, which is a Linux bridge interface associated with Open vSwitch, or they can be used with additional network interfaces."

br-ex is a Linux interface, but it is not a Linux "bridge" interface.

More importantly, the document states:

"IP forwarding must be enabled for the network interface. To enable IP forwarding, you can use the oc edit network.operator command and edit the object like the following example:

    # ...
    spec:
      clusterNetwork:
      - cidr: 10.128.0.0/14
        hostPrefix: 23
      defaultNetwork:
        ovnKubernetesConfig:
          gatewayConfig:
            ipForwarding: Global
    # ...
"

While it is true that you can enable global IP forwarding to allow Egress IP on the secondary NIC, it isn't required and is undesirable from a security perspective. Rather than recommending this, we should recommend only enabling IP forwarding on the secondary NIC that will be acting as the Egress IP interface. That can be done with the node/tuning operator.
Version-Release number of selected component (if applicable):
4.14 and later
Additional info:
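
Added example, not part of the original ticket or the product documentation: one way to express the per-interface approach described above, with the cluster-wide setting left at Restricted and a Node Tuning Operator profile that turns on forwarding for a single secondary NIC. The interface name ens4 and the profile name egressip-secondary-nic-forwarding are assumptions chosen for illustration; the profile is matched on the k8s.ovn.org/egress-assignable node label.

```yaml
# Fragment of the network.operator object (as opened with
# `oc edit network.operator`): keep forwarding restricted cluster-wide
# instead of setting ipForwarding: Global.
# ...
spec:
  defaultNetwork:
    ovnKubernetesConfig:
      gatewayConfig:
        ipForwarding: Restricted
# ...
---
# Node Tuning Operator profile that enables IPv4 forwarding only on the
# secondary NIC used for egress IPs.
# Assumptions (not from the ticket): the NIC is named ens4 and the
# profile is named egressip-secondary-nic-forwarding.
apiVersion: tuned.openshift.io/v1
kind: Tuned
metadata:
  name: egressip-secondary-nic-forwarding
  namespace: openshift-cluster-node-tuning-operator
spec:
  profile:
  - name: egressip-secondary-nic-forwarding
    data: |
      [main]
      summary=Enable IP forwarding on the egress IP secondary NIC only
      include=openshift-node
      [sysctl]
      # Per-interface sysctl; net.ipv4.ip_forward and
      # net.ipv4.conf.all.forwarding are deliberately left untouched.
      net.ipv4.conf.ens4.forwarding=1
  recommend:
  # Apply only to nodes labeled as egress-assignable; a lower number
  # means a higher priority than the default node profiles.
  - match:
    - label: k8s.ovn.org/egress-assignable
    priority: 20
    profile: egressip-secondary-nic-forwarding
```

On a matched node, `sysctl net.ipv4.conf.ens4.forwarding` should report 1 while the same key for other non-OVN interfaces stays at 0; an IPv6 egress interface would need the corresponding net.ipv6.conf key.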