OpenShift Request For Enhancement
RFE-5224

OVN Kubernetes to preserve source IP when using external traffic policy Cluster


    • Type: Feature Request
    • Resolution: Unresolved
    • Priority: Normal
    • Component: SDN

      1. Proposed title of this feature request

      OVN Kubernetes to preserve source IP when using external traffic policy Cluster

      2. What is the nature and description of the request?

      This enhancement request proposes preserving the original source IP address of external traffic that is delivered to a pod through a Service configured with externalTrafficPolicy: Cluster.

      Currently, with this setting OVN-Kubernetes performs Source Network Address Translation (SNAT) on the forwarded traffic, so the pod sees the node's IP address instead of the client's. Applications that rely on the original source IP (for access control, logging or auditing) therefore do not work correctly.

      The request is for an optional OVN-Kubernetes configuration in which the forwarded traffic is only Destination Network Address Translated (DNAT) to the selected endpoint, without the additional SNAT, so that external traffic is still routed to the service while the original source IP of the client that initiated the request is preserved.

      Some bare-metal deployments use MetalLB to load-balance external traffic; however, the traffic is still SNATed by default, so MetalLB alone does not address source IP preservation. The customer wants the source IP preserved.
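      As an added illustration (not part of the RFE text and not OVN-Kubernetes project code), the two Service definitions below show the behaviour described above on a cluster today: with externalTrafficPolicy: Cluster the pod observes a node IP as the client address, while externalTrafficPolicy: Local is the existing way to preserve the client IP. The Service names, the app: web selector and the port numbers are assumed for the example.

```yaml
# Constructed example: LoadBalancer Service with the default traffic policy.
# Traffic arriving on any node is DNATed to a pod that may live on another
# node and SNATed to the receiving node's IP, so the pod sees a node address.
apiVersion: v1
kind: Service
metadata:
  name: web
spec:
  type: LoadBalancer
  selector:
    app: web
  ports:
    - port: 80
      targetPort: 8080
  externalTrafficPolicy: Cluster   # default; client source IP is NOT preserved
---
# Same Service with the policy that preserves the client source IP today.
# Only nodes running an endpoint accept the traffic (no cross-node hop, so no
# SNAT); the external load balancer uses the automatically allocated
# healthCheckNodePort to find those nodes.
apiVersion: v1
kind: Service
metadata:
  name: web-preserve-ip
spec:
  type: LoadBalancer
  selector:
    app: web
  ports:
    - port: 80
      targetPort: 8080
  externalTrafficPolicy: Local     # client source IP preserved
```

      To check which policy a Service uses, read spec.externalTrafficPolicy (for example with kubectl get svc web -o jsonpath='{.spec.externalTrafficPolicy}'); to verify the effect, log the peer address in the application and compare it with the client's real address. The trade-off with Local is that traffic only reaches pods on the node that received it, which is what the SNAT in Cluster mode avoids by guaranteeing a symmetric return path through the receiving node; the DNAT-only mode requested here would need the reply path from the endpoint's node back to the client to be routable without that SNAT.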

      3. Why does the customer need this? (List the business requirements here)

      Preserving the source IP (rather than SNATing it to the node IP) is needed for:

      Improved security: existing access control policies and rules that identify clients by source IP keep working, and granular policies can be based on the originating address.

      Enhanced observability and debugging: application logs and traces accurately reflect the originating client instead of a node IP.

      Compliance: certain industries or regulations require the original source IP to be retained for audit purposes.

      4. List any affected packages or components.

      OVN-Kubernetes CNI plugin: would need a configuration option to select SNAT or DNAT-only handling of external service traffic.

      Kube-proxy (where used): might need modifications so that the original source IP is passed through to the service endpoint.

      Node SNAT/DNAT rules: creation and management of the DNAT rules (and omission of the SNAT rules) on the Kubernetes worker nodes might be required.

            Marc Curry (mcurry@redhat.com)
            Mohsin Khan (mohskhan@redhat.com)
            Votes: 0
            Watchers: 1