OpenShift Bugs: OCPBUGS-60582

(HCP) OVN-Kubernetes egressips healthcheck failures after hosting cluster VRRP failover.

    • Quality / Stability / Reliability
    • False
    • CORENET Sprint 277, CORENET Sprint 278
    • 2
    • Customer Escalated

      Description of problem:

      When a cluster hosting HCP control plane pods has an ingress VIP (VRRP) failover, all egressip node health checks fail for any HCP nodes using egressIPs. The VIP failover causes the konnectivity-proxy > konnectivity-agent proxy and thus the SOCKS5 proxy in the OVN-Kubernetes control-plane pod to stop working briefly. During this time, the egress IP healthcheck probes timed out, resulting in all nodes being marked as unhealthy and thus all egressIPs being unassigned.

      This causes a full connectivity outage if the customer is using egressIPs for network ACLs.

      Customer increased reachabilityTotalTimeoutSeconds to 3 seconds; however, the issue still occurs from time to time.

      Version-Release number of selected component (if applicable):

      OCP (HCP) 4.18 with a VRRP ingress on hosting cluster.

      How reproducible:

      • Deploy HCP Cluster + setup egressIPs on HCP cluster nodes.
      • Cause VRRP failover of the ingress VIP on hosting cluster.

      Actual results:

      All egressip healthchecks fail.

      Expected results:

      No healthcheck failures during regular operations.

      Eventual consistency/recovery of the egress assignments.

      Additional info:

      Affected Platforms:

      Is it an: customer issue / SD

      I will include some log snips in a private comment.

       


              rhn-support-misalunk Miheer Salunke
              rhn-support-tidawson Tim Dawson
              Huiran Wang Huiran Wang