OpenShift 4 - Intermittent 503 from all routes or timeouts when calling backends directly when the `allow-from-openshift-ingress` network policy is applied

Solution Verified - Updated -

Issue

  • Intermittent 503 errors from backend routes when clients curl pods in namespaces where the `allow-from-openshift-ingress` network policy is applied.
  • Access logs from the router-default pods in the openshift-ingress namespace show that the pods are constantly being marked DOWN/unavailable and then coming back up.
  • Curling a target backend directly from a host node shows that packets intermittently time out or are dropped, resulting in a TCP connection timeout.

Environment

  • Red Hat OpenShift Cluster Platform (RHOCP)
    • 4.12.48+
    • 4.13.30+
    • 4.14.0+
  • NetworkPolicies
