Loading...

XML

Word

Printable

Type: Feature Request
Resolution: Unresolved
Priority: Normal
Fix Version/s: None
Affects Version/s: openshift-4.19
Component/s: kube-apiserver, Network - Core, Network - IngressDNS
Labels:
- Security

Target Version:
None
Activity Type:
Product / Portfolio Work
Status Summary:
None
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Products:
None
Hierarchy Progress Bar:
None

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

PX Review Complete:
None
PX Impact Score:
PX Impact Range:
None
PX Priority Data:
None
PX Technical Impact:
None
PX Technical Impact Notes:
None
PX Scheduling Request:
None

1. Proposed title of this feature request:
Enable EgressIP Functionality via Localnet on Secondary Network Interface with integration of NAD using Applications.

2. What is the nature and description of the request?

They need this feature to be able to route the VLAN tagged or untagged traffic on another bridge without impacting any traffic on br-ex and for security and complete traffic isolation.
For as per our document this feature is not supported for secondary network via localnet option(PFA the link to the doc: https://docs.redhat.com/en/documentation/openshift_container_platform/4.18/html/multiple_networks/understanding-multiple-networks#support-matrix-for-udn-nad_understanding-multiple-networks)

on node, egressip is mapped to br-ex instead of ncom-oam-eg. so how to assign it to specific interface because gateways for both the interfaces are diff and if it remains on br-ex, traffic leaving the pod, will go via egressip and then to gateway of br-ex and we get no route to host while destination is opened from gateway of egressip subnet
NOTE: IP forwarding is already enabled globally

~~~
apiVersion: v1
kind: Node
metadata:
annotations:
cluster.x-k8s.io/cluster-name: abcgfdr
cluster.x-k8s.io/cluster-namespace: abcgfdr
cluster.x-k8s.io/labels-from-machine: ""
cluster.x-k8s.io/machine: nodepool-abcgfdr
cluster.x-k8s.io/owner-kind: MachineSet
cluster.x-k8s.io/owner-name: nodepool-abcgfdr
csi.volume.kubernetes.io/nodeid: '

{"openshift-storage.cephfs.csi.ceph.com":"worker-002.abcgfdr","openshift-storage.rbd.csi.ceph.com":"worker-002.abcgfdr"}

'
hypershift.openshift.io/labelsSynced: "true"
k8s.ovn.org/bridge-egress-ips: '["10.53.148.50"]'
~~~

~~~
24: br-ex: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
link/ether b4:83:51:21:81:32 brd ff:ff:ff:ff:ff:ff
inet 10.50.100.000/28 brd 10.53.146.239 scope global noprefixroute br-ex
valid_lft forever preferred_lft forever
inet 100.200.0.0/17 brd 169.254.127.255 scope global br-ex
valid_lft forever preferred_lft forever
inet 10.00.100.50/32 scope global br-ex
~~~

we expect it to be here:
~~~
931: ncom-oam-eg@bond0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc noqueue state UP group default qlen 1000
link/ether b4:83:51:21:81:32 brd ff:ff:ff:ff:ff:ff
inet 10.00.100.00/29 brd 10.53.148.55 scope global noprefixroute ncom-oam-eg
valid_lft forever preferred_lft forever
~~~

3. Why does the customer need this? (List the business requirements here)
To segregate VLAN and untagged traffic onto a dedicated bridge for enhanced security, without interfering with the traffic currently handled by br-ex.

4. List any affected packages or components.
kube-apiserver, kube-controller-manager, kubelet, br-ex, custom br1, br-vlan

Assignee:: Ramon Acedo

Reporter:: Divyanshi Srivastava

Need Info From:: None

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Created:: 2025/09/07 2:58 AM

Updated:: 2025/09/13 3:02 AM

Target start:: None

Target end:: None

Details

Description

Attachments

Easy Agile Planning Poker

Activity

People

Dates