Hairpin traffic blocked when NP is applied in OVN
Bug #1923452 reported by Michal Dulko
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
kuryr-kubernetes | Fix Released | Medium | Michal Dulko |
Bug Description
In case of hairpin LB traffic (member of the LB calls the LB and the
request is directed back to the same member) OVN replaces the source-ip
of the request with the LB IP. This means that pods with network
policies applied will have that traffic blocked.
Changed in kuryr-kubernetes:
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Michal Dulko (michal-dulko-f)
Reviewed: https://review.opendev.org/c/openstack/kuryr-kubernetes/+/786035
Committed: https://opendev.org/openstack/kuryr-kubernetes/commit/e84a6a707ebd4c3d75a9dce34394d065e6499bc9
Submitter: "Zuul (22348)"
Branch: master
commit e84a6a707ebd4c3d75a9dce34394d065e6499bc9
Author: Michał Dulko <email address hidden>
Date: Mon Apr 12 14:33:15 2021 +0200
Fix NPs for OVN LBs with hairpin traffic

In case of hairpin LB traffic (member of the LB calls the LB and the
request is directed back to the same member) OVN replaces the source IP
of the request with the LB IP. This means that pods with network
policies applied may have that traffic blocked when it should be
allowed.

To fix that, this commit makes sure that SGs used for NPs include ingress
rules for each of the Services in its namespace. It's not ideal but
seems to be a fair compromise between opening as little traffic as
possible and increasing the number of security groups and rules.

As this commit makes sure all the NPs in the namespace are reanalyzed
every time a Service is created or deleted, a few fixes in order to
support that are also made.
Change-Id: I7e0458c4071e4a43ab4d158429e05c67cd897a3c
Closes-Bug: 1923452
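The following is an added example, not code from kuryr-kubernetes or from the commit above. It models the two behaviours the bug description and the commit message describe: OVN rewriting the source IP of a hairpinned request to the load balancer IP, so a NetworkPolicy security group that only admits pod CIDRs drops it, and the fix of adding an ingress rule for the LB IP of every Service in the policy's namespace. Service names, IPs, ports and the rule representation are constructed for illustration and do not reflect Neutron or OVN data models.

```python
"""Toy model of the OVN hairpin / NetworkPolicy interaction (added example).

All names, IPs and ports below are constructed; the SecurityGroup here is a
simplified stand-in for a Neutron SG holding ingress rules as (cidr, port).
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Service:
    name: str
    namespace: str
    lb_ip: str           # OVN load balancer VIP (constructed value)
    port: int            # service and member port are the same in this model
    members: list        # pod IPs backing the Service


@dataclass
class SecurityGroup:
    # ingress rules as (cidr, port); port None means any port
    ingress: list = field(default_factory=list)

    def allows(self, src_ip: str, dst_port: int) -> bool:
        """True if some ingress rule admits a packet from src_ip to dst_port."""
        src = ip_address(src_ip)
        return any(
            src in ip_network(cidr) and (port is None or port == dst_port)
            for cidr, port in self.ingress
        )


def hairpin_packet(svc: Service, caller_ip: str) -> dict:
    """Simulate the hairpin case from the bug: a member calls the VIP, the
    LB picks that same member as backend, and OVN rewrites the source IP
    to the LB IP so the member sees a packet from the VIP, not from a pod."""
    if caller_ip not in svc.members:
        raise ValueError("hairpin requires the caller to be a member")
    return {"src": svc.lb_ip, "dst": caller_ip, "dport": svc.port}


def np_security_group(allowed_pod_cidrs: list, port: int) -> SecurityGroup:
    """SG for a NetworkPolicy that admits only the given pod CIDRs on port."""
    return SecurityGroup(ingress=[(cidr, port) for cidr in allowed_pod_cidrs])


def add_service_rules(sg: SecurityGroup, services: list, namespace: str) -> SecurityGroup:
    """The fix described in the commit: for every Service in the policy's
    namespace, add an ingress rule for its LB IP so hairpinned traffic
    (now sourced from the VIP) is accepted. Services elsewhere are ignored."""
    for svc in services:
        if svc.namespace != namespace:
            continue
        rule = (f"{svc.lb_ip}/32", svc.port)
        if rule not in sg.ingress:
            sg.ingress.append(rule)
    return sg


def demo() -> tuple:
    """Return (allowed_before_fix, allowed_after_fix) for one hairpin packet."""
    svc = Service("web", "default", "10.0.0.10", 8080, ["10.1.0.5", "10.1.0.6"])
    other_ns = Service("db", "team-b", "10.0.0.20", 5432, ["10.1.1.9"])
    sg = np_security_group(["10.1.0.0/24"], 8080)      # NP: only pods in the subnet

    pkt = hairpin_packet(svc, "10.1.0.5")               # src is now the VIP
    before = sg.allows(pkt["src"], pkt["dport"])        # VIP not in pod CIDR

    add_service_rules(sg, [svc, other_ns], "default")   # fix: per-Service VIP rule
    after = sg.allows(pkt["src"], pkt["dport"])
    return before, after


if __name__ == "__main__":
    print(demo())  # (False, True)
```

The trade-off the commit message calls a "fair compromise" is visible in `add_service_rules`: the member now accepts anything sourced from the VIP on the service port, which is broader than a pod-selector rule but avoids one rule per member and per caller. Reanalysing the namespace's policies on every Service create/delete, as the commit does, is what keeps these VIP rules in step with the Services that actually exist.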