From 5616d3fb8ce19ed274bbaabec29c9835691dca37 Mon Sep 17 00:00:00 2001 From: Zenghui Shi Date: Tue, 14 Feb 2023 17:12:35 +0800 Subject: [PATCH] Remove firewall known issue in the doc `firewall --reload` won't flush iptable rules after the fix: https://github.com/openshift/microshift/pull/1300 Signed-off-by: Zenghui Shi --- docs/network/default_cni_plugin.md | 6 ------ docs/network/host_networking.md | 2 -- 2 files changed, 8 deletions(-) diff --git a/docs/network/default_cni_plugin.md b/docs/network/default_cni_plugin.md index 363c2d955b..d501acffc7 100644 --- a/docs/network/default_cni_plugin.md +++ b/docs/network/default_cni_plugin.md @@ -149,9 +149,3 @@ The specified interface will be added in OVS bridge `br-ex` which acts as gatewa microshift-ovs-init.service is able to setup one additional host interface for cluster ingress/egress traffic. This is done by specifying the `externalGatewayInterface` in the CNI config file `/etc/microshift/ovn.yaml`. The external gateway interface will be added in a second OVS bridge `br-ex1`. Cluster pod traffic destinated to additional host subnet will be routed through `br-ex1`. - -## Known Issues - -* Firewall reload flushes iptable rules - -ovn-kubernetes makes use of iptable rules for some traffic flows (such as nodePort service), these iptable rules are generated and inserted by ovn-kubernetes (ovnkube-master container), but can be removed by reloading firewall rules, which in turn breaks the traffic flows. To avoid such situation, make sure to execute firewall commands before starting ovn-kubernetes pods. If firewall commands have to be executed after ovn-kubernetes pods have started, manually restart the ovnkube-master pod to trigger the reinsertion of ovn-kubernetes iptable rules. See section [NodePort Service](#external-to-nodeportservice) for details on the iptable rules. diff --git a/docs/network/host_networking.md b/docs/network/host_networking.md index 89e7b1badd..96e0e0c93b 100644 --- a/docs/network/host_networking.md +++ b/docs/network/host_networking.md @@ -338,8 +338,6 @@ sudo firewall-cmd --permanent --zone=trusted --add-source=169.254.169.1 sudo firewall-cmd --reload ``` -**Known issue:** ovn-kubernetes makes use of iptable rules for some traffic flows (such as nodePort service), these iptable rules are generated and insertd by ovn-kubernetes ovnkube-master container, but can be removed by reloading firewall rules, which in turn break the traffic flows. To avoid such situation, make sure to execute firewall commands before starting ovn-kubernetes pods. If firewall commands have to be executed after ovn-kubernetes pods have started, manually restart the ovnkube-master pod to trigger reinsertion of ovn-kubernetes iptable rules. - ## IP Forward Host network `sysctl net.ipv4.ip_forward` is automatically enabled by ovn-kubernetes ovnkube-master container when it starts. This is needed to forward incoming traffic to ovn network. For example, node port service from outside of cluster fails if `ip_forward` is disabled.