kuryr-kubernetes

  1. Bug #1923452
  2. Comment #1

Comment 1 for bug 1923452

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to kuryr-kubernetes (master)

Reviewed: https://review.opendev.org/c/openstack/kuryr-kubernetes/+/786035
Committed: https://opendev.org/openstack/kuryr-kubernetes/commit/e84a6a707ebd4c3d75a9dce34394d065e6499bc9
Submitter: "Zuul (22348)"
Branch: master

commit e84a6a707ebd4c3d75a9dce34394d065e6499bc9
Author: Michał Dulko <email address hidden>
Date: Mon Apr 12 14:33:15 2021 +0200

    Fix NPs for OVN LBs with hairpin traffic

    In case of hairpin LB traffic (member of the LB calls the LB and the
    request is directed back to the same member) OVN replaces the source-ip
    of the request with the LB IP. This means that pods with network
    policies applied may have that traffic blocked when it should be
    allowed.

    To fix that this commit makes sure that SGs used for NPs include ingress
    rules for each of the Service in it's namespace. It's not ideal but
    seems to be a fair compromise between opening as little traffic as
    possible and increasing number of security groups and rules.

    As this commit makes sure all the NPs in the namespaces are reanalyzed
    every time a Service is created or deleted, a little fixes in order to
    support that are also made.

    Change-Id: I7e0458c4071e4a43ab4d158429e05c67cd897a3c
    Closes-Bug: 1923452