Bug
Resolution: Unresolved
Normal
4.12
Quality / Stability / Reliability
Moderate
ShiftStack Sprint 233, ShiftStack Sprint 234, ShiftStack Sprint 235, ShiftStack Sprint 236, ShiftStack Sprint 237, ShiftStack Sprint 238
Description of problem:
After creating a regular LB type svc, the LB and FIPs are created in OpenStack, but then changing the svc to use internal LB, by adding:

[...]
metadata:
  name: lb-test-svc
  annotations:
    service.beta.kubernetes.io/openstack-internal-load-balancer: "true"
[...]

to the service definition, the external-IP is updated with the LB IP in the cluster network, but the FIP is not being removed and the svc still works via FIP.
Version-Release number of selected component (if applicable):
4.12.0-0.nightly-2022-08-30-054458
How reproducible:
Always
Steps to Reproduce (lb-test-manifests.yaml):
1. Create a LB type svc

$ oc create -f lb-test-manifests.yaml
project.project.openshift.io/lb-test-ns created
deployment.apps/lb-test-dep created
service/lb-test-svc created

2. Check svc, LB and FIP creation

$ oc -n lb-test-ns get svc
NAME          TYPE           CLUSTER-IP      EXTERNAL-IP    PORT(S)        AGE
lb-test-svc   LoadBalancer   172.30.36.198   10.46.22.244   80:31302/TCP   87s

$ oc -n lb-test-ns describe svc lb-test-svc
Name:                     lb-test-svc
Namespace:                lb-test-ns
Labels:                   app=lb-test-dep
Annotations:              loadbalancer.openstack.org/load-balancer-id: d102c702-f945-4798-8671-371896acddf6
Selector:                 app=lb-test-dep
Type:                     LoadBalancer
IP Family Policy:         SingleStack
IP Families:              IPv4
IP:                       172.30.36.198
IPs:                      172.30.36.198
LoadBalancer Ingress:     10.46.22.244
Port:                     <unset>  80/TCP
TargetPort:               8080/TCP
NodePort:                 <unset>  31302/TCP
Endpoints:                10.128.2.31:8080,10.131.1.162:8080
Session Affinity:         None
External Traffic Policy:  Cluster
Events:
  Type     Reason                  Age                    From                Message
  ----     ------                  ----                   ----                -------
  Warning  SyncLoadBalancerFailed  4m29s                  service-controller  Error syncing load balancer: failed to ensure load balancer: load balancer d102c702-f945-4798-8671-371896acddf6 is not ACTIVE, current provisioning status: PENDING_CREATE
  Normal   EnsuringLoadBalancer    4m24s (x2 over 5m44s)  service-controller  Ensuring load balancer
  Normal   EnsuredLoadBalancer     4m21s                  service-controller  Ensured load balancer

$ openstack loadbalancer list
+--------------------------------------+------------------------------------------------+----------------------------------+-------------+---------------------+----------+
| id                                   | name                                           | project_id                       | vip_address | provisioning_status | provider |
+--------------------------------------+------------------------------------------------+----------------------------------+-------------+---------------------+----------+
| d102c702-f945-4798-8671-371896acddf6 | kube_service_kubernetes_lb-test-ns_lb-test-svc | 6577a3fc75e24fc786470375af854ab5 | 10.196.3.23 | ACTIVE              | amphora  |
+--------------------------------------+------------------------------------------------+----------------------------------+-------------+---------------------+----------+

$ openstack floating ip list | grep 10.46.22.244
| 18cab211-cfac-45d8-a9f4-fa5701c8bb9e | 10.46.22.244 | 10.196.3.23 | c9eb71f2-ea57-4cd9-b394-927491eb749d |

3. Switch the svc to use internal LB, by adding:

metadata:
  name: lb-test-svc
  annotations:
    service.beta.kubernetes.io/openstack-internal-load-balancer: "true"
[...]

in the svc definition:

$ oc -n lb-test-ns edit svc lb-test-svc
service/lb-test-svc edited

4. Check the svc LoadBalancer Ingress (External IP) has been updated with the LB IP in the cluster network:

$ oc -n lb-test-ns describe svc
Name:                     lb-test-svc
Namespace:                lb-test-ns
Labels:                   app=lb-test-dep
Annotations:              loadbalancer.openstack.org/load-balancer-id: d102c702-f945-4798-8671-371896acddf6
                          service.beta.kubernetes.io/openstack-internal-load-balancer: true
Selector:                 app=lb-test-dep
Type:                     LoadBalancer
IP Family Policy:         SingleStack
IP Families:              IPv4
IP:                       172.30.36.198
IPs:                      172.30.36.198
LoadBalancer Ingress:     10.196.3.23
Port:                     <unset>  80/TCP
TargetPort:               8080/TCP
NodePort:                 <unset>  31302/TCP
Endpoints:                10.128.2.31:8080,10.131.1.162:8080
Session Affinity:         None
External Traffic Policy:  Cluster
Events:
  Type     Reason                  Age                  From                Message
  ----     ------                  ----                 ----                -------
  Warning  SyncLoadBalancerFailed  5m40s                service-controller  Error syncing load balancer: failed to ensure load balancer: load balancer d102c702-f945-4798-8671-371896acddf6 is not ACTIVE, current provisioning status: PENDING_CREATE
  Normal   EnsuringLoadBalancer    15s (x3 over 6m55s)  service-controller  Ensuring load balancer
  Normal   EnsuredLoadBalancer     15s (x2 over 5m32s)  service-controller  Ensured load balancer

$ oc -n lb-test-ns get svc
NAME          TYPE           CLUSTER-IP      EXTERNAL-IP   PORT(S)        AGE
lb-test-svc   LoadBalancer   172.30.36.198   10.196.3.23   80:31302/TCP   7m17s

5. Check the FIP has been removed and that the svc connectivity doesn't work via FIP
Actual results:
The FIP is not removed when switching to internal LB type svc:

$ openstack floating ip list | grep 10.46.22.244
| 18cab211-cfac-45d8-a9f4-fa5701c8bb9e | 10.46.22.244 | 10.196.3.23 | c9eb71f2-ea57-4cd9-b394-927491eb749d

The connectivity to the service via FIP still works:

$ curl 10.46.22.244
lb-test-dep-6c58d95cf8-gbvz2: HELLO! I AM ALIVE!!!
$ curl 10.46.22.244
lb-test-dep-6c58d95cf8-zvz5g: HELLO! I AM ALIVE!!!
Expected results:
FIP removal and no connectivity through it.
Additional info:
Internal LB type svc k8s doc: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
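
An audit for the condition reported above, as an added example that is not part of the original report or of the cloud provider's code: it flags Services carrying the internal-load-balancer annotation whose LB VIP is still the fixed address of a floating IP. It assumes the inputs are the parsed output of `oc get svc -A -o json` and `openstack floating ip list -f json`; the function name, helper and sample data are constructed for illustration.

```python
INTERNAL_ANNOTATION = "service.beta.kubernetes.io/openstack-internal-load-balancer"


def find_leftover_fips(services_doc, floating_ips):
    """Return (namespace/name, VIP, floating IP) for each Service annotated as
    internal whose load balancer VIP is still the fixed IP of a floating IP."""
    by_fixed = {}  # VIP address -> floating addresses still associated with it
    for fip in floating_ips:
        if fip.get("Fixed IP Address"):  # unassociated FIPs have no fixed address
            by_fixed.setdefault(fip["Fixed IP Address"], []).append(
                fip["Floating IP Address"])
    findings = []
    for svc in services_doc.get("items", []):
        meta = svc["metadata"]
        annotations = meta.get("annotations") or {}
        if svc.get("spec", {}).get("type") != "LoadBalancer":
            continue
        if str(annotations.get(INTERNAL_ANNOTATION, "")).lower() != "true":
            continue
        ingress = svc.get("status", {}).get("loadBalancer", {}).get("ingress") or []
        for entry in ingress:
            for floating in by_fixed.get(entry.get("ip"), []):
                findings.append(
                    (f"{meta['namespace']}/{meta['name']}", entry["ip"], floating))
    return findings


def make_service(namespace, name, ingress_ip, internal):
    """Build a constructed Service object with only the fields the check reads."""
    annotations = {INTERNAL_ANNOTATION: "true"} if internal else {}
    return {"metadata": {"namespace": namespace, "name": name, "annotations": annotations},
            "spec": {"type": "LoadBalancer"},
            "status": {"loadBalancer": {"ingress": [{"ip": ingress_ip}]}}}


# Constructed sample data; the first service and FIP reuse the addresses from the report.
SAMPLE_SERVICES = {"items": [
    make_service("lb-test-ns", "lb-test-svc", "10.196.3.23", internal=True),  # FIP left behind
    make_service("demo-ns", "internal-clean", "10.196.3.50", internal=True),  # no FIP
    make_service("demo-ns", "public-svc", "10.46.22.10", internal=False),     # FIP expected
]}
SAMPLE_FIPS = [
    {"Floating IP Address": "10.46.22.244", "Fixed IP Address": "10.196.3.23"},
    {"Floating IP Address": "10.46.22.10", "Fixed IP Address": "10.196.3.40"},
    {"Floating IP Address": "10.46.22.99", "Fixed IP Address": None},
]

if __name__ == "__main__":
    for service, vip, floating in find_leftover_fips(SAMPLE_SERVICES, SAMPLE_FIPS):
        print(f"{service}: internal VIP {vip} still reachable via floating IP {floating}")
```

Any finding means a service declared internal is still exposed on the external network and the floating IP needs to be disassociated.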