RHOCP 4 API Server Unreachable After Applying NodeNetworkConfigurationPolicy Due to Packet Fragmentation

Solution Unverified - Updated -

Issue

  • After applying a NodeNetworkConfigurationPolicy, the OpenShift cluster becomes unstable or unreachable.
  • The cluster is unstable and the kube-apiserver containers report the following errors:

    2024-05-21T14:52:47.681590135 E0521 14:52:47.681493      18 controller.go:116] loading OpenAPI spec for "v1.user.openshift.io" failed with: failed to retrieve openAPI spec, http error: ResponseCode: 503, Body: error trying to reach service: net/http: TLS handshake timeout
    
    2024-05-21T14:44:19.426818409 E0521 14:44:19.426729      18 webhook.go:154] Failed to make webhook authenticator request: Post "https://<service IP>:443/apis/oauth.openshift.io/v1/tokenreviews?timeout=30s": net/http: TLS handshake timeout
    
    2024-05-21T14:44:19.426974401 E0521 14:44:19.426799      18 authentication.go:73] "Unable to authenticate the request" err="[invalid bearer token, Post \"https://<service IP>:443/apis/oauth.openshift.io/v1/tokenreviews?timeout=30s\": net/http: TLS handshake timeout]"
    
  • When testing TLS connectivity between control plane components, a "Client Hello" is sent but no "Server Hello" is returned.

Environment

  • Red Hat OpenShift Container Platform (RHOCP) 4
  • networkType: OVNKubernetes
