Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Undefined
Fix Version/s: None
Affects Version/s: 4.16, 4.17, 4.18, 4.19, 4.20
Component/s: Cloud Compute / Cloud Controller Manager
Labels:

Activity Type:
Quality / Stability / Reliability
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Story Points:
None
Severity:
None
Regression:
None

Target Backport Versions:
None
Target Version:
None
Release Blocker:
None
Sprint:
None

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

PX Impact Score:

Release Note Status:
None
Release Note Type:
None
Release Note Text:
None

Escape Reason:
None
Escape Impact:
None
Corrective Measures:
None
SDLC stage when should've been found:
None

Description of problem:

Hairpin connection failed on Service type-LoadBalancer NLB with internal scheme.

The hairpin connection impacts any application which the client and server are hosted in the same node, exposed by a Service type-LoadBalancer NLB (only). The CCM creates a NLB with preserve source IP address attribute enabled by default, and does not provide interface to change it, leading to fail in those scenarios.

The Default router deployed by Cluster Ingress Controller on OCP standalone on AWS and ROSA HCP private deployments.

For more information, see upstream issue[1], and e2e tests[2] reproducing the problem on NLB.

Version-Release number of selected component (if applicable):

How reproducible:

Always

Steps to Reproduce:

Scenario 1) Standalone Service app:
- Deploy a sample server application sticking to single node
- Expose the server through a Service type-LB NLB with private scheme 
- Run a client/curl to reach the LB endpoint from the same node the server was deployed

Scenario 2) Using OCP Default Router
- Create OCP/ROSA HCP private cluster
- Deploy a sample server application sticking to single node
- Expose the server app through a router 
- Run a client/curl to reach the router endpoint from the same node the server was deployed

Actual results:

Scenario 1) connection timeout for single node
Scenario 2) Eventually connection timeouts depending the number of replicas the router have in the cluster

Expected results:

hairpin connection works in the private service type-LoadBalancers

Additional info:

[1] Upstream CCM-AWS Issue: https://github.com/kubernetes/cloud-provider-aws/issues/1160
[2] Upstream e2e tests reproducing the problem: https://github.com/kubernetes/cloud-provider-aws/pull/1161

is related to

OCPBUGS-63219 CIO/AWS - hairpin connection failed when router is NLB with internal scheme

relates to

SPLAT-2324 [Tech Preview] CCM-AWS/Service/NLB: Implement support for hairpining traffic solution on OpenShift private routers

In Progress

SPLAT-2257 [Investigation] AWS/Service/NLB: Explore solution to resolve hairpin connection issue affecting default router service on ROSA HCP

Closed

OCPBUGS-16199 Add warning about internal NLBs Client IP Preservation issue

Closed

Assignee:: Michael McCune

Reporter:: Marco Braga

Need Info From:: None

Contributors:: None

QA Contact:: Zhaohua Sun

Doc Contact:: None

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Created:: 2025/07/07 5:55 PM

Updated:: 2025/10/16 5:45 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates