  1. OpenShift Bugs
  2. OCPBUGS-8984

ROKS: calico SDN results in a request timeout when accessing services with no endpoints

Details

    • Moderate
    • Unspecified

    Description

      +++ This bug was initially created as a clone of Bug #1825021 +++

      Description of problem:
      A service with no endpoints in a ROKS cluster, when accessed, should return a 'REFUSED' response. It instead times out.

      How reproducible:
      Always

      Steps to Reproduce:
      1. Create a service with no matching endpoints
      2. Curl the service endpoint from a pod

      Actual results:
      The request times out

      Expected results:
      The request results in a REJECTED response

      Additional info:
      Currently failing https://github.com/openshift/origin/blob/4d0922fb92f85f566cb22bbaaedf587e8a50aca4/vendor/k8s.io/kubernetes/test/e2e/network/service.go#L2582

      — Additional comment from Brad on 2021-09-22 19:35:51 UTC —

      I believe this is fixed in Calico 3.16, see https://docs.projectcalico.org/archive/v3.16/release-notes/
      “Connections to services without endpoints are now properly rejected in iptables dataplane mode. The fix required moving the iptables ACCEPT rule to the end of the filter FORWARD chain; if you have your own rules in that chain then please check that they do not drop or reject pod traffic before it reaches the ACCEPT rule https://github.com/projectcalico/felix/pull/2424 (@caseydavenport)”
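
A probe for the behaviour reported above, as an added example that is not part of the original report or comment: it classifies a TCP connect as connected, refused or timed out, so a service with no endpoints can be checked for the expected refusal. It assumes the rejection reaches the client as ECONNREFUSED; the function names and the loopback ports in the demo are constructed for illustration.

```python
import socket


def classify_connect(host, port, timeout=2.0):
    """Classify one TCP connect attempt as connected, refused, timeout or error."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "connected"
    except ConnectionRefusedError:
        # Assumption: a rejected connection surfaces to the client as ECONNREFUSED.
        return "refused"
    except socket.timeout:
        # The reported failure mode: the request hangs until the client gives up.
        return "timeout"
    except OSError as exc:
        return "error:" + (exc.strerror or type(exc).__name__)


def unexpected_results(targets, expected="refused", timeout=2.0):
    """Probe (name, host, port) tuples; return {name: outcome} where outcome != expected."""
    findings = {}
    for name, host, port in targets:
        outcome = classify_connect(host, port, timeout)
        if outcome != expected:
            findings[name] = outcome
    return findings


def closed_local_port():
    """Constructed stand-in for a service with no endpoints: a loopback port with no listener."""
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()
    return port


if __name__ == "__main__":
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    targets = [
        ("no-endpoints (constructed)", "127.0.0.1", closed_local_port()),
        ("has-endpoints (constructed)", "127.0.0.1", listener.getsockname()[1]),
    ]
    for name, host, port in targets:
        print(name, "->", classify_connect(host, port, timeout=1.0))
    print("not refused:", unexpected_results(targets, timeout=1.0))
    listener.close()
```

To check a real cluster, run it from a pod against the cluster IP and port of the service that has no endpoints; a result of "timeout" matches the behaviour this bug describes.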

          People

            cewong@redhat.com Cesar Wong
            joseph-goergen-2 Joseph Goergen
            Red Hat Employee