OpenShift Request For Enhancement
RFE-7305

Requesting to add a sort of nodeSelector for iptables chains/rules.


    • Feature Request
    • Resolution: Unresolved
    • openshift-4.12.z
    • Network - Core
    • Future Sustainability

      1. Proposed title of this feature request

      • Select which nodes receive the iptables chains/rules when a Service object is created.

      2. What is the nature and description of the request?

      • Creating a Service adds the iptables chain/rule for that Service to every OCP node.
      • How reproducible:
        • Create a service of NodePort (or LoadBalancer) type. I tested with both options, externalTrafficPolicy=Cluster and Local. Both options create the NAT chain on all nodes.
          • # oc get svc -n example-nodeport
            NAME                  TYPE       CLUSTER-IP     EXTERNAL-IP   PORT(S)          AGE
            example-ex-nodeport   NodePort   172.30.10.42   <none>        8080:30768/TCP   3m41s
        • The pod behind the service is the following; it is running on worker03.
          • # oc get po -o wide -n example-nodeport
            NAME                                READY   STATUS    RESTARTS   AGE     IP            NODE                        NOMINATED NODE   READINESS GATES
            example-nodeport-6dcdc77f89-d52dh   1/1     Running   0          4m47s   10.131.0.49   worker03.ocp4.example.com   <none>           <none>
        • The customer expects the OVN-KUBE-NODEPORT chain to be created only on worker02. However, the chain is created even on a master. (I checked that all nodes in the cluster have the chain.)
          • # ssh core@master01 sudo iptables -t nat -L -n -v | grep 'Chain OVN-KUBE-NODEPORT' -A5
            Chain OVN-KUBE-NODEPORT (2 references)
             pkts bytes target     prot opt in     out     source               destination
                0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL tcp dpt:30768 to:172.30.10.42:8080

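      A check an operator can run against the reproduction above, added here as an example and not part of the RFE or of ovn-kubernetes: it compares, per node, the OVN-KUBE-NODEPORT DNAT rule for the service's NodePort (in the form printed by iptables -t nat -S) with the nodes that actually host an endpoint of the service, and lists the nodes that carry the rule without hosting a pod. The function names, the extra node names (master02, master03, worker01) and the rule text are constructed to mirror the 30768 -> 172.30.10.42:8080 case; on a live cluster the inputs would come from oc get endpoints and per-node iptables -t nat -S OVN-KUBE-NODEPORT output.

```bash
#!/usr/bin/env bash
# Added example (not from the RFE or ovn-kubernetes): flag nodes that carry the
# NodePort DNAT rule in OVN-KUBE-NODEPORT but host no endpoint of the service.
# Rule format is that of `iptables -t nat -S OVN-KUBE-NODEPORT`; all inputs in
# demo() are constructed to mirror the 30768 -> 172.30.10.42:8080 case.

# has_nodeport_rule PORT  (reads an `iptables -S` dump on stdin)
# Exit 0 if the chain has a DNAT rule for tcp/PORT, 1 otherwise.
has_nodeport_rule() {
  grep -Eq -- "^-A OVN-KUBE-NODEPORT .*--dport $1 .*-j DNAT"
}

# rule_without_endpoint PORT RULES_FILE ENDPOINTS_FILE
#   RULES_FILE:     "<node>\t<one iptables -S line>" per line, for every node
#   ENDPOINTS_FILE: one node name per line where the service has a pod
# Prints (sorted, unique) the nodes that have the rule but no endpoint.
# An empty ENDPOINTS_FILE (service with no pods) flags every node that has
# the rule; matching on FILENAME avoids the classic NR==FNR pitfall there.
rule_without_endpoint() {
  local port="$1" rules="$2" endpoints="$3"
  awk -F'\t' -v epf="$endpoints" \
      -v pat="^-A OVN-KUBE-NODEPORT .*--dport $port .*-j DNAT" '
    FILENAME == epf { ep[$1] = 1; next }
    $2 ~ pat && !($1 in ep) { print $1 }
  ' "$endpoints" "$rules" | sort -u
}

# demo: constructed cluster state from the report - the pod runs only on
# worker03, yet every node (masters included) carries the rule.
demo() {
  local tmp rule n
  tmp="$(mktemp -d)"
  rule='-A OVN-KUBE-NODEPORT -p tcp -m addrtype --dst-type LOCAL -m tcp --dport 30768 -j DNAT --to-destination 172.30.10.42:8080'
  printf '%s\n' worker03.ocp4.example.com > "$tmp/endpoints"
  for n in master01 master02 master03 worker01 worker02 worker03; do
    printf '%s.ocp4.example.com\t%s\n' "$n" "$rule"
  done > "$tmp/rules"
  rule_without_endpoint 30768 "$tmp/rules" "$tmp/endpoints"
  rm -rf "$tmp"
}
```

      Running demo prints the five nodes that hold the rule without hosting the pod; the same check, fed real per-node dumps, gives the list of chains the request wants ovn-kubernetes to stop programming.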
      3. Why does the customer need this? (List the business requirements here)

      • The NodePort/LoadBalancer NAT chain is useless on nodes where no pod of the service is running. As a result, these unnecessary chains could add overhead to packet handling on every node.

      4. List any affected packages or components.

      • ovn-kubernetes

              mcurry@redhat.com Marc Curry
              rhn-support-hyupark HyunYick Park