OpenShift Bugs / OCPBUGS-59250

[UDN] traffic from pod to kapi was blocked


    • Quality / Stability / Reliability
    • Important
    • Proposed
    • CORENET Sprint 273

      Description of problem:

      Create a UDN and a pod with the UDN network, then send traffic from the pod to kapi, e.g. "curl -k https://kubernetes.default:443/healthz". An output of "OK" is expected, but it shows "curl: (35) OpenSSL SSL_connect: Connection reset by peer in connection to kubernetes.default:443 ".
      
      Meanwhile, trying the same on a pod with the default network, it responds correctly.
      
      Tcpdump on the vnet of the UDN port from the node gave the results below.
      
      sh-5.1# tcpdump -i 1992e51b9f100_3 -n -v
      dropped privs to tcpdump
      tcpdump: listening on 1992e51b9f100_3, link-type EN10MB (Ethernet), snapshot length 262144 bytes
      14:09:55.555948 IP (tos 0x0, ttl 64, id 23815, offset 0, flags [DF], proto UDP (17), length 204)
          10.150.0.4.45738 > 172.30.0.10.domain: 39005+ A? kubernetes.default.e2e-test-udn-networking-udn-vbtlg.svc.cluster.local. (176)
      14:09:55.560591 IP (tos 0x0, ttl 59, id 45561, offset 0, flags [DF], proto UDP (17), length 209)
          172.30.0.10.domain > 10.150.0.4.45738: 39210 NXDomain*- 0/1/0 (181)
      14:09:55.560611 IP (tos 0x0, ttl 59, id 45562, offset 0, flags [DF], proto UDP (17), length 209)
          172.30.0.10.domain > 10.150.0.4.45738: 39005 NXDomain*- 0/1/0 (181)
      14:09:55.560759 IP (tos 0x0, ttl 64, id 23817, offset 0, flags [DF], proto UDP (17), length 136)
          10.150.0.4.34886 > 172.30.0.10.domain: 57545+ A? kubernetes.default.svc.cluster.local. (108)
      14:09:55.564375 IP (tos 0x0, ttl 59, id 11849, offset 0, flags [DF], proto UDP (17), length 175)
          172.30.0.10.domain > 10.150.0.4.34886: 57803*- 0/1/0 (147)
      14:09:55.564392 IP (tos 0x0, ttl 59, id 11850, offset 0, flags [DF], proto UDP (17), length 134)
          172.30.0.10.domain > 10.150.0.4.34886: 57545*- 1/0/0 kubernetes.default.svc.cluster.local. A 172.30.0.1 (106)
      14:09:55.564534 IP (tos 0x0, ttl 64, id 13180, offset 0, flags [DF], proto TCP (6), length 60)
          10.150.0.4.55908 > 172.30.0.1.https: Flags [S], cksum 0xb6e7 (incorrect -> 0xffc5), seq 4268849688, win 65280, options [mss 1360,sackOK,TS val 2594218905 ecr 0,nop,wscale 7], length 0
      14:09:55.566778 IP (tos 0x0, ttl 61, id 0, offset 0, flags [DF], proto TCP (6), length 60)
          172.30.0.1.https > 10.150.0.4.55908: Flags [S.], cksum 0x539b (correct), seq 2639264327, ack 4268849689, win 64768, options [mss 1420,sackOK,TS val 3291042332 ecr 2594218905,nop,wscale 7], length 0
      14:09:55.566806 IP (tos 0x0, ttl 64, id 13181, offset 0, flags [DF], proto TCP (6), length 52)
          10.150.0.4.55908 > 172.30.0.1.https: Flags [.], cksum 0xb6df (incorrect -> 0x7d40), ack 1, win 510, options [nop,nop,TS val 2594218907 ecr 3291042332], length 0
      14:09:55.574781 IP (tos 0x0, ttl 64, id 13182, offset 0, flags [DF], proto TCP (6), length 569)
          10.150.0.4.55908 > 172.30.0.1.https: Flags [P.], cksum 0xb8e4 (incorrect -> 0xabd2), seq 1:518, ack 1, win 510, options [nop,nop,TS val 2594218915 ecr 3291042332], length 517
      14:09:55.575789 IP (tos 0x0, ttl 61, id 12806, offset 0, flags [DF], proto TCP (6), length 52)
          172.30.0.1.https > 10.150.0.4.55908: Flags [.], cksum 0x7b31 (correct), ack 518, win 502, options [nop,nop,TS val 3291042342 ecr 2594218915], length 0
      14:09:55.575931 IP (tos 0x0, ttl 61, id 12807, offset 0, flags [DF], proto TCP (6), length 145)
          172.30.0.1.https > 10.150.0.4.55908: Flags [P.], cksum 0xc930 (correct), seq 1:94, ack 518, win 502, options [nop,nop,TS val 3291042342 ecr 2594218915], length 93
      14:09:55.575943 IP (tos 0x0, ttl 64, id 13183, offset 0, flags [DF], proto TCP (6), length 52)
          10.150.0.4.55908 > 172.30.0.1.https: Flags [.], cksum 0xb6df (incorrect -> 0x7acb), ack 94, win 510, options [nop,nop,TS val 2594218916 ecr 3291042342], length 0
      14:09:55.576147 IP (tos 0x0, ttl 64, id 13184, offset 0, flags [DF], proto TCP (6), length 575)
          10.150.0.4.55908 > 172.30.0.1.https: Flags [P.], cksum 0xb8ea (incorrect -> 0xbef7), seq 518:1041, ack 94, win 510, options [nop,nop,TS val 2594218916 ecr 3291042342], length 523
      14:09:55.576588 IP (tos 0x0, ttl 61, id 12808, offset 0, flags [DF], proto TCP (6), length 58)
          172.30.0.1.https > 10.150.0.4.55908: Flags [P.], cksum 0x62c1 (correct), seq 94:100, ack 518, win 502, options [nop,nop,TS val 3291042343 ecr 2594218915], length 6
      14:09:55.589615 IP (tos 0x0, ttl 61, id 12812, offset 0, flags [DF], proto TCP (6), length 406)
          172.30.0.1.https > 10.150.0.4.55908: Flags [P.], cksum 0x7874 (correct), seq 2796:3150, ack 1041, win 501, options [nop,nop,TS val 3291042356 ecr 2594218916], length 354
      14:09:55.589637 IP (tos 0x0, ttl 64, id 13185, offset 0, flags [DF], proto TCP (6), length 64)
          10.150.0.4.55908 > 172.30.0.1.https: Flags [.], cksum 0xb6eb (incorrect -> 0xfc2a), ack 100, win 510, options [nop,nop,TS val 2594218930 ecr 3291042343,nop,nop,sack 1 {2796:3150}], length 0
      14:10:00.609239 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.150.0.1 tell 10.150.0.4, length 28
      14:10:00.609741 ARP, Ethernet (len 6), IPv4 (len 4), Reply 10.150.0.1 is-at 0a:58:0a:96:00:01, length 28
      14:10:27.569268 IP (tos 0x0, ttl 61, id 12821, offset 0, flags [DF], proto TCP (6), length 52)
          172.30.0.1.https > 10.150.0.4.55908: Flags [F.], cksum 0xefd0 (correct), seq 3150, ack 1041, win 501, options [nop,nop,TS val 3291074335 ecr 2594218930], length 0
      14:10:27.569296 IP (tos 0x0, ttl 64, id 13186, offset 0, flags [DF], proto TCP (6), length 64)
          10.150.0.4.55908 > 172.30.0.1.https: Flags [.], cksum 0xb6eb (incorrect -> 0x7f3d), ack 100, win 510, options [nop,nop,TS val 2594250910 ecr 3291042343,nop,nop,sack 1 {2796:3151}], length 0
      14:10:32.865231 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.150.0.1 tell 10.150.0.4, length 28
      14:10:32.865791 ARP, Ethernet (len 6), IPv4 (len 4), Reply 10.150.0.1 is-at 0a:58:0a:96:00:01, length 28
      14:11:27.649354 IP (tos 0x0, ttl 64, id 13187, offset 0, flags [DF], proto TCP (6), length 64)
          10.150.0.4.55908 > 172.30.0.1.https: Flags [.], cksum 0xb6eb (incorrect -> 0x948d), ack 100, win 510, options [nop,nop,TS val 2594310990 ecr 3291042343,nop,nop,sack 1 {2796:3151}], length 0
      14:11:27.652414 IP (tos 0x0, ttl 61, id 0, offset 0, flags [DF], proto TCP (6), length 40)
          172.30.0.1.https > 10.150.0.4.55908: Flags [R], cksum 0x850c (correct), seq 2639264427, win 0, length 0
      14:11:32.769236 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.150.0.1 tell 10.150.0.4, length 28
      14:11:32.769799 ARP, Ethernet (len 6), IPv4 (len 4), Reply 10.150.0.1 is-at 0a:58:0a:96:00:01, length 28
      
      
      
      

       

      Version-Release number of selected component (if applicable):

      4.20

      How reproducible:

      always

      Steps to Reproduce:

      1. create udn and ns

      2. create pod with udn network

      3. send traffic from pod: curl -k https://kubernetes.default:443/healthz

      Actual results:

      connection to kapi failed

      Expected results:

      it should connect to kapi and return 'OK'

      Additional info:


      Affected Platforms:

       

      version: 4.20.0-0.nightly-2025-07-07-234740
      Platform I tried: gcp
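
      Added example (not part of the original report and not project code): a small Python parser for `tcpdump -v` text that lists, per direction, the relative TCP byte ranges never seen on the interface and what each side acknowledged. The sample lines are the data-bearing TCP lines of the capture above with checksum and timestamp options trimmed; the function names are illustrative.

```python
import re

# Constructed sample: data-bearing TCP lines from the capture in this report,
# with cksum and TCP timestamp options trimmed (the parser does not use them).
CAPTURE = """\
10.150.0.4.55908 > 172.30.0.1.https: Flags [P.], seq 1:518, ack 1, win 510, length 517
172.30.0.1.https > 10.150.0.4.55908: Flags [P.], seq 1:94, ack 518, win 502, length 93
10.150.0.4.55908 > 172.30.0.1.https: Flags [P.], seq 518:1041, ack 94, win 510, length 523
172.30.0.1.https > 10.150.0.4.55908: Flags [P.], seq 94:100, ack 518, win 502, length 6
172.30.0.1.https > 10.150.0.4.55908: Flags [P.], seq 2796:3150, ack 1041, win 501, length 354
10.150.0.4.55908 > 172.30.0.1.https: Flags [.], ack 100, win 510, options [nop,nop,sack 1 {2796:3150}], length 0
"""

HEAD = re.compile(r"(\S+) > (\S+): Flags \[([^\]]*)\]")
SEQ = re.compile(r"\bseq (\d+):(\d+)")   # data segments only (start:end)
ACK = re.compile(r"\back (\d+)")         # \b keeps "sack" from matching
SACK = re.compile(r"\{(\d+):(\d+)\}")

def missing_ranges(text):
    """Per (src, dst), byte ranges never seen between captured data segments."""
    seen = {}
    for line in text.splitlines():
        head, seq = HEAD.search(line), SEQ.search(line)
        if head and seq:
            seen.setdefault(head.group(1, 2), []).append((int(seq[1]), int(seq[2])))
    gaps = {}
    for flow, ranges in seen.items():
        edge = 1  # tcpdump prints relative sequence numbers; data starts at 1
        for start, end in sorted(ranges):
            if start > edge:
                gaps.setdefault(flow, []).append((edge, start))
            edge = max(edge, end)
    return gaps

def receiver_view(text):
    """Per sender, its highest cumulative ACK and the SACK blocks it reported."""
    view = {}
    for line in text.splitlines():
        head, ack = HEAD.search(line), ACK.search(line)
        if head and ack and "S" not in head.group(3):  # SYN acks are absolute
            entry = view.setdefault(head.group(1), {"ack": 0, "sack": set()})
            entry["ack"] = max(entry["ack"], int(ack[1]))
            entry["sack"].update((int(a), int(b)) for a, b in SACK.findall(line))
    return view

if __name__ == "__main__":
    print(missing_ranges(CAPTURE))
    print(receiver_view(CAPTURE))
```

      On this capture it reports kapi-to-pod bytes 100:2796 as never seen on the UDN port, which matches the pod's cumulative ACK staying at 100 while it SACKs 2796:3150.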
      

       

       

              pdiak@redhat.com Patryk Diak
              rhn-support-yingwang Ying Wang