Hairpin traffic blocked when NP is applied in OVN

Bug #1923452 reported by Michal Dulko on 2021-04-12
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
kuryr-kubernetes
Medium
Michal Dulko

Bug Description

In case of hairpin LB traffic (member of the LB calls the LB and the
request is directed back to the same member) OVN replaces the source-ip
of the request with the LB IP. This means that pods with network
policies applied will have that traffic blocked.

Changed in kuryr-kubernetes:
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Michal Dulko (michal-dulko-f)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to kuryr-kubernetes (master)

Reviewed: https://review.opendev.org/c/openstack/kuryr-kubernetes/+/786035
Committed: https://opendev.org/openstack/kuryr-kubernetes/commit/e84a6a707ebd4c3d75a9dce34394d065e6499bc9
Submitter: "Zuul (22348)"
Branch: master

commit e84a6a707ebd4c3d75a9dce34394d065e6499bc9
Author: Michał Dulko <email address hidden>
Date: Mon Apr 12 14:33:15 2021 +0200

    Fix NPs for OVN LBs with hairpin traffic

    In case of hairpin LB traffic (member of the LB calls the LB and the
    request is directed back to the same member) OVN replaces the source-ip
    of the request with the LB IP. This means that pods with network
    policies applied may have that traffic blocked when it should be
    allowed.

    To fix that this commit makes sure that SGs used for NPs include ingress
    rules for each of the Service in it's namespace. It's not ideal but
    seems to be a fair compromise between opening as little traffic as
    possible and increasing number of security groups and rules.

    As this commit makes sure all the NPs in the namespaces are reanalyzed
    every time a Service is created or deleted, a little fixes in order to
    support that are also made.

    Change-Id: I7e0458c4071e4a43ab4d158429e05c67cd897a3c
    Closes-Bug: 1923452

Changed in kuryr-kubernetes:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to kuryr-kubernetes (stable/wallaby)

Fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/kuryr-kubernetes/+/789871

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to kuryr-kubernetes (stable/wallaby)

Reviewed: https://review.opendev.org/c/openstack/kuryr-kubernetes/+/789871
Committed: https://opendev.org/openstack/kuryr-kubernetes/commit/643effc3403bf80581588ea67136240eb36a54db
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit 643effc3403bf80581588ea67136240eb36a54db
Author: Michał Dulko <email address hidden>
Date: Mon Apr 12 14:33:15 2021 +0200

    Fix NPs for OVN LBs with hairpin traffic

    In case of hairpin LB traffic (member of the LB calls the LB and the
    request is directed back to the same member) OVN replaces the source-ip
    of the request with the LB IP. This means that pods with network
    policies applied may have that traffic blocked when it should be
    allowed.

    To fix that this commit makes sure that SGs used for NPs include ingress
    rules for each of the Service in it's namespace. It's not ideal but
    seems to be a fair compromise between opening as little traffic as
    possible and increasing number of security groups and rules.

    As this commit makes sure all the NPs in the namespaces are reanalyzed
    every time a Service is created or deleted, a little fixes in order to
    support that are also made.

    Change-Id: I7e0458c4071e4a43ab4d158429e05c67cd897a3c
    Closes-Bug: 1923452
    (cherry picked from commit e84a6a707ebd4c3d75a9dce34394d065e6499bc9)

tags: added: in-stable-wallaby
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to kuryr-kubernetes (stable/victoria)

Fix proposed to branch: stable/victoria
Review: https://review.opendev.org/c/openstack/kuryr-kubernetes/+/790574

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on kuryr-kubernetes (stable/victoria)

Change abandoned by "Michał Dulko <email address hidden>" on branch: stable/victoria
Review: https://review.opendev.org/c/openstack/kuryr-kubernetes/+/790574

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers