UDN: Pod2Services L3/L2 isolation is broken on LGW #4687

Closed
tssurya opened this issue Aug 31, 2024 · 0 comments · Fixed by #4705
Labels: feature/user-defined-network-segmentation (All PRs related to User defined network segmentation), kind/bug (All issues that are bugs and PRs opened to fix bugs)

tssurya commented Aug 31, 2024

What happened?

When you try to go from a UDN pod to a clusterIP service on the default network, it seems that, given the LB doesn't DNAT this, it is sent into mpX into the host and is getting conveyed via br-ex into GR, where it's DNATed and the reply is successful?

What did you expect to happen?

A UDN pod should not be able to reach clusterIPs on the default network.

How can we reproduce it (as minimally and precisely as possible)?

On an LGW kind cluster, run the pod2Services e2e for L3.

Anything else we need to know?

No response


tssurya added the kind/bug and feature/user-defined-network-segmentation labels on Aug 31, 2024
tssurya self-assigned this on Aug 31, 2024
tssurya changed the title from "UDN: Pod2Services L3 isolation is broken on LGW" to "UDN: Pod2Services L3/L2 isolation is broken on LGW" on Sep 2, 2024
tssurya assigned dceara and unassigned tssurya on Sep 6, 2024