[RHOCP 4] OVN-Kubernetes Egress Firewall blocks process to deploy application as DeploymentConfig
Environment
- Red Hat OpenShift Container Platform (RHOCP)
  - 4.x
Issue
- After migrating from OpenShift SDN to OVN-Kubernetes, redeploying an application or creating a new one from a DeploymentConfig object never finishes when the namespace has an EgressFirewall configured to deny all external traffic (a Deny rule for 0.0.0.0/0).
Resolution
- Modify your EgressFirewall object to add the following Allow rule for the control-plane nodes. EgressFirewall rules are evaluated in order and the first matching rule wins, so this rule must appear before the Deny rule for 0.0.0.0/0:
  spec:
    egress:
    - to:
        nodeSelector:
          matchLabels:
            node-role.kubernetes.io/master: ""
      type: Allow
- Alternatively, add an Allow rule with a cidrSelector for the IP address of each API server (each control-plane node), again placed before the Deny rule.
Root Cause
- If your egress firewall includes a Deny rule for 0.0.0.0/0, access to the OpenShift Container Platform API servers is blocked: the kubernetes service ClusterIP (172.30.0.1 by default) is load-balanced to the API server endpoints, which are the control-plane node addresses, and those are covered by the Deny rule. You must either add Allow rules for each API server IP address or use a nodeSelector-type Allow rule in your egress policy rules, in either case ahead of the Deny rule, so that pods can connect to the API servers.
- A DeploymentConfig rollout is carried out by a deployer pod, which needs access to the API in order to create the ReplicationController object. With the API unreachable the deployer pod times out and the rollout never completes.
Diagnostic Steps
- Check the logs of the deployer pod when starting a new application or redeploying an existing one (here httpd-2-deploy, the deployer pod of the second rollout of the httpd DeploymentConfig):
  $ oc logs httpd-2-deploy -f
  error: couldn't get deployment httpd-2: Get "https://172.30.0.1:443/api/v1/namespaces/default/replicationcontrollers/httpd-2": dial tcp 172.30.0.1:443: i/o timeout
- The i/o timeout against 172.30.0.1:443, the ClusterIP of the kubernetes service in the default namespace, shows that the deployer pod cannot reach the API server at all, which points to the egress firewall rather than to the DeploymentConfig itself.
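To make the Resolution and Root Cause above concrete, the following is an added example (it is not part of the original Red Hat solution and not OVN-Kubernetes code). It reproduces the first-match evaluation of EgressFirewall spec.egress rules and applies it to the endpoints of the kubernetes service, which is where a request to 172.30.0.1 actually lands. The endpoint addresses, node labels and the three spec.egress variants are constructed sample data standing in for `oc get endpoints kubernetes -n default -o json`, `oc get nodes -o json` and `oc get egressfirewall -n <namespace> -o json`; only cidrSelector and nodeSelector/matchLabels rules are handled (no dnsName, no matchExpressions). It shows the original deny-all policy, the same two rules in the wrong order, and the corrected policy with the Allow rule first.

```python
import ipaddress
import json

# Constructed sample of `oc get endpoints kubernetes -n default -o json` (trimmed):
# the API server endpoints are the control-plane node addresses, not the
# ClusterIP 172.30.0.1 that the deployer pod dials. Addresses are assumptions.
KUBERNETES_ENDPOINTS_JSON = """
{"subsets": [{"addresses": [{"ip": "10.0.0.10"}, {"ip": "10.0.0.11"}, {"ip": "10.0.0.12"}],
              "ports": [{"name": "https", "port": 6443}]}]}
"""

# Constructed sample of node addresses and labels (as in `oc get nodes -o json`).
NODE_LABELS = {
    "10.0.0.10": {"node-role.kubernetes.io/master": "", "node-role.kubernetes.io/control-plane": ""},
    "10.0.0.11": {"node-role.kubernetes.io/master": "", "node-role.kubernetes.io/control-plane": ""},
    "10.0.0.12": {"node-role.kubernetes.io/master": "", "node-role.kubernetes.io/control-plane": ""},
    "10.0.1.20": {"node-role.kubernetes.io/worker": ""},
}

# spec.egress of the EgressFirewall that breaks DeploymentConfig rollouts: deny everything.
BROKEN_RULES = [
    {"type": "Deny", "to": {"cidrSelector": "0.0.0.0/0"}},
]

# spec.egress after applying the resolution: allow the control-plane nodes, then deny the rest.
FIXED_RULES = [
    {"type": "Allow", "to": {"nodeSelector": {"matchLabels": {"node-role.kubernetes.io/master": ""}}}},
    {"type": "Deny", "to": {"cidrSelector": "0.0.0.0/0"}},
]

# The same two rules in the wrong order: the first match wins, so the Allow is never reached.
MISORDERED_RULES = list(reversed(FIXED_RULES))


def rule_matches(rule, ip, node_labels):
    """True if one egress rule selects destination ip (cidrSelector or nodeSelector/matchLabels)."""
    to = rule["to"]
    if "cidrSelector" in to:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(to["cidrSelector"], strict=False)
    if "nodeSelector" in to:
        labels = node_labels.get(ip)
        if labels is None:  # destination is not a cluster node, so a nodeSelector cannot match
            return False
        wanted = to["nodeSelector"].get("matchLabels", {})
        return all(labels.get(key) == value for key, value in wanted.items())
    # dnsName rules would need a resolver; they are treated as non-matching in this checker.
    return False


def evaluate(rules, ip, node_labels):
    """First-match evaluation: returns (verdict, rule_index); traffic matching no rule is allowed."""
    for index, rule in enumerate(rules):
        if rule_matches(rule, ip, node_labels):
            return rule["type"], index
    return "Allow", None


def api_server_ips(endpoints_json):
    """Endpoint addresses of the kubernetes service, i.e. where API requests actually land."""
    subsets = json.loads(endpoints_json).get("subsets", [])
    return [address["ip"] for subset in subsets for address in subset.get("addresses", [])]


def api_server_verdicts(rules, endpoints_json, node_labels):
    """Verdict per API server endpoint; the service may pick any of them, so all must be allowed."""
    return {ip: evaluate(rules, ip, node_labels)[0] for ip in api_server_ips(endpoints_json)}


def api_reachable(rules, endpoints_json, node_labels):
    """True only when every API server endpoint is allowed by the egress firewall."""
    verdicts = api_server_verdicts(rules, endpoints_json, node_labels)
    return all(verdict == "Allow" for verdict in verdicts.values())


if __name__ == "__main__":
    for name, rules in (("broken", BROKEN_RULES), ("misordered", MISORDERED_RULES), ("fixed", FIXED_RULES)):
        print(name, api_server_verdicts(rules, KUBERNETES_ENDPOINTS_JSON, NODE_LABELS))
```

Running the checker against a real cluster means replacing the three constructed inputs with the JSON from the oc commands named above; a Deny verdict for any endpoint of the kubernetes service is the condition under which the deployer pod shows the i/o timeout from the Diagnostic Steps.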
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.