Bug
Resolution: Won't Do
Major
None
4.12
None
No
SDN Sprint 232, SDN Sprint 233, SDN Sprint 234
3
Rejected
False
Description of problem:
[MetalLB] Couldn't access the external LB IP address when configuring an egressIP for the application project; this happens when the externalTrafficPolicy value is Local.
Version-Release number of selected component (if applicable):
4.12
How reproducible:
Always
Steps to Reproduce:
1. Install MetalLB operator
2. Create MetalLB CR and AddressPool
- cat << EOF | oc apply -f -
apiVersion: metallb.io/v1beta1
kind: MetalLB
metadata:
  name: metallb
  namespace: metallb-system
EOF
- cat addresspool.yaml
apiVersion: metallb.io/v1alpha1
kind: AddressPool
metadata:
  namespace: metallb-system
  name: doc-example
spec:
  protocol: layer2
  addresses:
  - 192.168.1.10-192.168.1.20
3. Run an application in the same project with MetalLB
- oc new-app --name nginx --docker-image quay.io/redhattraining/hello-world-nginx:v1.0
4. Create a service to assign an external IP address
- cat nginx-svc.yaml
apiVersion: v1
kind: Service
metadata:
  annotations:
    metallb.universe.tf/address-pool: doc-example
  labels:
    app: nginx
  name: nginx-lbtest
  # namespace: httpd
spec:
  externalTrafficPolicy: Local
  ports:
  - name: 8080-tcp
    port: 8080
    protocol: TCP
    targetPort: 8080
  selector:
    deployment: nginx
  type: LoadBalancer
- oc get svc
NAME                                          TYPE           CLUSTER-IP       EXTERNAL-IP    PORT(S)               AGE
metallb-controller-monitor-service            ClusterIP      None             <none>         29150/TCP             165m
metallb-operator-controller-manager-service   ClusterIP      172.30.57.242    <none>         443/TCP               115m
metallb-speaker-monitor-service               ClusterIP      None             <none>         29150/TCP,29151/TCP   165m
nginx-lbtest                                  LoadBalancer   172.30.144.178   192.168.1.10   8080:31168/TCP        4s
webhook-service                               ClusterIP      172.30.193.214   <none>         443/TCP               174m
5. Assign egressIP to the same project
- cat egressip.yaml
apiVersion: k8s.ovn.org/v1
kind: EgressIP
metadata:
  name: egress-metallb
spec:
  egressIPs:
  - 192.168.1.100
  namespaceSelector:
    matchLabels:
      env: qa
- oc label node worker-2.ocp4.example.com k8s.ovn.org/egress-assignable=""
- oc label ns metallb-system env=qa
Actual results:
- curl -k 192.168.1.10:8080
curl: (7) Failed to connect to 192.168.1.10 port 8080: Connection refused
Expected results:
- curl -k 192.168.1.10:8080
<html>
<body>
<h1>Hello, world from nginx!</h1>
</body>
</html>
Additional info:
From the tcpdump we can see that, after adding an egressIP to the project, when accessing the app with the external IP, the SYN+ACK is sent from the pod IP instead of the external IP address:
- Before assigning an egressIP ( 192.168.1.10 is external IP address )
7451 2.116895 192.168.1.201 → 192.168.1.10 TCP 74 55672 → 8080 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1136616607 TSecr=0 WS=128
7474 2.122191 192.168.1.10 → 192.168.1.201 TCP 74 8080 → 55672 [SYN, ACK] Seq=0 Ack=1 Win=26960 Len=0 MSS=1360 SACK_PERM=1 TSval=1039618355 TSecr=1136616607 WS=128
7475 2.122240 192.168.1.201 → 192.168.1.10 TCP 66 55672 → 8080 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=1136616613 TSecr=1039618355
- After assigning an egressIP ( 10.131.0.7 is pod's IP address )
15526 4.144115 192.168.1.201 → 192.168.1.10 TCP 74 52712 → 8080 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1136319027 TSecr=0 WS=128
15532 4.147250 10.131.0.7 → 192.168.1.201 TCP 132 8080 → 52712 [SYN, ACK] Seq=0 Ack=1 Win=26960 Len=0 MSS=1360 SACK_PERM=1 TSval=1039320774 TSecr=1136319027 WS=128
15533 4.147682 10.131.0.7 → 192.168.1.201 TCP 74 [TCP Out-Of-Order] 8080 → 52712 [SYN, ACK] Seq=0 Ack=1 Win=26960 Len=0 MSS=1360 SACK_PERM=1 TSval=1039320774 TSecr=1136319027 WS=128
15535 4.147730 192.168.1.201 → 10.131.0.7 TCP 54 52712 → 8080 [RST] Seq=1 Win=0 Len=0
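
Added example, not part of the original report: a short Python check that reads tshark one-line summaries like the ones above and flags any SYN,ACK whose source address differs from the address the client's SYN was sent to, which is the symptom in the "after" capture. The sample lines are copied from this report and trimmed after the TCP flags; the function and variable names are hypothetical.

```python
import re

# tshark summary: no, time, src → dst, TCP, len, optional [TCP note], sport → dport, [flags]
LINE = re.compile(
    r"^\s*\d+\s+[\d.]+\s+(?P<src>\S+) → (?P<dst>\S+) TCP \d+ "
    r"(?:\[TCP [^\]]+\] )?(?P<sport>\d+) → (?P<dport>\d+) \[(?P<flags>[A-Z, ]+)\]"
)

def mismatched_synacks(lines):
    """Return {(client, client_port, server_port): (dialled_ip, reply_src)} for
    SYN,ACKs whose source is not the address the client's SYN targeted."""
    syn_dst = {}   # flow -> address the client dialled (the LB external IP)
    findings = {}  # keyed by flow, so a duplicated SYN,ACK is reported once
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        flags = {f.strip() for f in m["flags"].split(",")}
        if flags == {"SYN"}:
            syn_dst[(m["src"], m["sport"], m["dport"])] = m["dst"]
        elif flags == {"SYN", "ACK"}:
            # Reverse direction: the reply's dst/dport is the client's src/sport.
            flow = (m["dst"], m["dport"], m["sport"])
            dialled = syn_dst.get(flow)
            if dialled is not None and m["src"] != dialled:
                findings[flow] = (dialled, m["src"])
    return findings

# Lines from the captures in this report, trimmed after the flags.
BEFORE = [
    "7451 2.116895 192.168.1.201 → 192.168.1.10 TCP 74 55672 → 8080 [SYN] Seq=0",
    "7474 2.122191 192.168.1.10 → 192.168.1.201 TCP 74 8080 → 55672 [SYN, ACK] Seq=0 Ack=1",
    "7475 2.122240 192.168.1.201 → 192.168.1.10 TCP 66 55672 → 8080 [ACK] Seq=1 Ack=1",
]
AFTER = [
    "15526 4.144115 192.168.1.201 → 192.168.1.10 TCP 74 52712 → 8080 [SYN] Seq=0",
    "15532 4.147250 10.131.0.7 → 192.168.1.201 TCP 132 8080 → 52712 [SYN, ACK] Seq=0 Ack=1",
    "15533 4.147682 10.131.0.7 → 192.168.1.201 TCP 74 [TCP Out-Of-Order] 8080 → 52712 [SYN, ACK] Seq=0 Ack=1",
    "15535 4.147730 192.168.1.201 → 10.131.0.7 TCP 54 52712 → 8080 [RST] Seq=1 Win=0 Len=0",
]

if __name__ == "__main__":
    for name, capture in (("before", BEFORE), ("after", AFTER)):
        for flow, (dialled, src) in mismatched_synacks(capture).items():
            print(f"{name}: client {flow[0]}:{flow[1]} dialled {dialled}, reply came from {src}")
```

A non-empty result means the reply left the node without being translated back to the load balancer address, so the client has no matching connection and resets it, as in packet 15535.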