Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Major
Fix Version/s: None
Affects Version/s: 4.20
Component/s: Networking / ovn-kubernetes
Labels:
- cnv-netsdn-wg

Activity Type:
Quality / Stability / Reliability
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Story Points:
None
Severity:
None
Regression:
None

Target Backport Versions:
None
Target Version:
None
Release Blocker:
Rejected
Sprint:
None

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

PX Impact Score:

Release Note Status:
None
Release Note Type:
None
Release Note Text:
None

Escape Reason:
None
Escape Impact:
None
Corrective Measures:
None
SDLC stage when should've been found:
None

Description of problem:

At openshift cluster in local gateway mode and creating a layer2 primary UDN pod exposing it with a service using NodePort accessing the service traffic is answer by the pod but the answer is not received by the external client connecting to the NodePort

Version-Release number of selected component (if applicable): 4.20

How reproducible: Always

Steps to Reproduce:

Create the following resources

apiVersion: v1
kind: Namespace
metadata:
  name: my-l2-network
  labels:
    k8s.ovn.org/primary-user-defined-network: ""
---
apiVersion: k8s.ovn.org/v1
kind: UserDefinedNetwork
metadata:
  name: my-l2-udn
  namespace: my-l2-network
spec:
  topology: Layer2
  layer2:
    role: Primary
    subnets:
      - "10.10.10.0/24"
---
apiVersion: v1
kind: Pod
metadata:
  name: iperf3-pod
  namespace: my-l2-network
  labels:
    app: iperf3
spec:
  containers:
  - name: iperf3
    image: networkstatic/iperf3
    args:
    - "-s"
    ports:
    - containerPort: 5201
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - "ALL"
      runAsNonRoot: true
      seccompProfile:
        type: "RuntimeDefault"
---
apiVersion: v1
kind: Service
metadata:
  name: iperf3-service
  namespace: my-l2-network
spec:
  type: NodePort
  selector:
    app: iperf3
  ports:
    - protocol: TCP
      port: 5201
      targetPort: 5201

2. Access the nodeport services calling

iperf3 -c [node ip] -p [svc nodeport]

Actual results:

Iperf3 do not receive traffic

Expected results:

Iperf3 receive traffic

Additional info:

Inspecting traffic at node with tcpdump we see that when accessing the nodeport from a node not running the pod ingress traffic goes as expected over geneve tunnel and reaches the pod at the other node but the outbound traffic instead of going back over the genve tunnel is send directly to br-ex.

So looks like local host rouing is missing sending it again back to the management port so the traffic is send using the join ip

Please fill in the following template while reporting a bug and provide as much relevant information as possible. Doing so will give us the best chance to find a prompt resolution.

Affected Platforms:

Is it an

internal CI failure

https://github.com/ovn-kubernetes/ovn-kubernetes/actions/runs/16411626687/job/46369719468?pr=5403

Assignee:: Patryk Diak

Reporter:: Felix Enrique Llorente Pastora

Need Info From:: None

Contributors:: None

QA Contact:: Anurag Saxena

Doc Contact:: None

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Created:: 2025/07/22 2:03 PM

Updated:: 2025/07/29 10:31 AM

Details

Description

Attachments

Easy Agile Planning Poker

Activity

People

Dates

Hide