Fix e2e failures seen with OCP OVN-IC deployments #2681
When a client pod attempts to establish a connection with a service in the remote cluster, it has been observed that the response traffic is being discarded at the local Gateway node. The return traffic is getting dropped because of some DROP rules in the FORWARDing chain of the filter table (which seems to have been added recently in the OVN OCP deployments). Submariner normally has rules to allow such traffic, but with the new architecture designed to support OVN-IC deployments, we no longer use the ovn-k8s-sub0 iface and simply use the ovn-k8s-mp0 interface. This PR updates the firewall rules accordingly to allow the return traffic on the Gateway node.

Signed-off-by: Sridhar Gaddam <sgaddam@redhat.com>
🤖 Created branch: z_pr2681/sridhargaddam/fix-ovn-ic-dataplane
This PR includes the remote cluster CIDRs as part of the OVN iptable rules, so that only Submariner traffic is processed by these rules.

Signed-off-by: Sridhar Gaddam <sgaddam@redhat.com>
```go
// Per remote cluster CIDR: accept replies entering from the OVN management
// interface (ovn-k8s-mp0) and leaving via the cable routing interface.
for _, remoteCIDR := range ovn.getRemoteSubnets().UnsortedList() {
	rules = append(rules,
		[]string{
			"-d", remoteCIDR, "-i", OVNK8sMgmntIntfName, "-o", ovn.cableRoutingInterface.Name, "-j", "ACCEPT",
		})
}
```
Not deeply familiar with OVN architecture; should using 'remoteCIDR' also work with GlobalNet?
Yes, it will work with Globalnet as well. In Globalnet deployments, remoteCIDR will point to globalCIDR of remote clusters.
Yep, I know that remoteCIDR points to globalCIDR; I wasn't sure if we hit these rules before or after GN NATting.
If we hit them before GN NATting, I guess it should be OK.
Thanks
Ack. I verified this PR both on Globalnet and non-Globalnet deployments.
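A check an operator can run against a Gateway node's FORWARD chain to confirm that, for a given remote CIDR, the return traffic from ovn-k8s-mp0 reaches an ACCEPT before any DROP. This is an added Go example, not Submariner's code; the sample chain (iptables-save format) and the cable interface name eth0 are constructed for it.

```go
package main

import (
	"net"
	"strings"
)

// Constructed sample FORWARD chain (iptables-save format); eth0 stands in for the cable routing interface.
const sampleFilter = `-A FORWARD -d 10.1.0.0/16 -i ovn-k8s-mp0 -o eth0 -j ACCEPT
-A FORWARD -i ovn-k8s-mp0 -j DROP
-A FORWARD -d 10.2.0.0/16 -i ovn-k8s-mp0 -o eth0 -j ACCEPT`

// fwRule keeps the matches of one "-A FORWARD ..." rule that matter here.
type fwRule struct{ dst, in, out, target string }

// parseForward reads "-A FORWARD" lines in chain order (single-argument options only; no "!" or -m).
func parseForward(save string) []fwRule {
	var rules []fwRule
	for _, line := range strings.Split(save, "\n") {
		f := strings.Fields(line)
		if len(f) < 2 || f[0] != "-A" || f[1] != "FORWARD" {
			continue
		}
		var r fwRule
		opts := map[string]*string{"-d": &r.dst, "-i": &r.in, "-o": &r.out, "-j": &r.target}
		for i := 2; i+1 < len(f); i += 2 {
			if p, ok := opts[f[i]]; ok {
				*p = f[i+1]
			}
		}
		rules = append(rules, r)
	}
	return rules
}

// replyAccepted walks the chain for a reply to dst entering on mgmtIntf and leaving on
// cableIntf; true only if the first terminating rule matched is ACCEPT (no match: not proven).
func replyAccepted(save string, dst net.IP, mgmtIntf, cableIntf string) bool {
	for _, r := range parseForward(save) {
		if (r.in != "" && r.in != mgmtIntf) || (r.out != "" && r.out != cableIntf) {
			continue
		}
		if _, n, err := net.ParseCIDR(r.dst); r.dst != "" && (err != nil || !n.Contains(dst)) {
			continue
		}
		if r.target == "ACCEPT" || r.target == "DROP" || r.target == "REJECT" {
			return r.target == "ACCEPT"
		}
	}
	return false
}
```

In the sample, replies to 10.1.0.0/16 are accepted because the ACCEPT precedes the DROP, while the ACCEPT for 10.2.0.0/16 sits after it and never takes effect; the same check reports the gap this PR fixes when run on a real chain.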
🤖 Closed branches: [z_pr2681/sridhargaddam/fix-ovn-ic-dataplane]