[OCP4] Multiple EgressIP subnet — note
Prerequisites
- OCP4 (4.14) with the OVN-Kubernetes CNI
- More than one subnet for worker nodes
- The Egress IP address must be in the same subnet as the node's primary IP
Based on the note above, the Egress IP address must be in the same subnet as the primary IP of the node that hosts it. This means that if we have workers in multiple subnets, an EgressIP in each of those subnets should work, as long as a node in that subnet can host it.
Play around
We have 2 subnets for OpenShift 4.14:
- subnet A: 192.168.0.0/22
- subnet B: 10.0.0.0/24
Now, label the nodes that can host an EgressIP:
$ oc label node <NODENAME> k8s.ovn.org/egress-assignable=""
Labeling m1.asst.rhdemo.local and w1.asst.rhdemo.local is sufficient to test the two subnets for hosting the Egress IP.
Create a project to test EgressIP on each subnet, subnet A (192.168.0.0/22) and subnet B (10.0.0.0/24):
$ oc new-project test-egress-192-168-0-0
$ oc new-project test-egress-10-0-0-0
Deploy a simple application in each project:
$ oc new-app httpd -n test-egress-10-0-0-0
$ oc new-app httpd -n test-egress-192-168-0-0
Create EgressIP 192.168.3.118 on project test-egress-192-168-0-0:
apiVersion: k8s.ovn.org/v1
kind: EgressIP
metadata:
  name: egress-192-168-0-0
spec:
  egressIPs:
    - 192.168.3.118
  namespaceSelector:
    matchExpressions:
      - key: kubernetes.io/metadata.name
        operator: In
        values:
          - test-egress-192-168-0-0
Create EgressIP 10.0.0.118 on project test-egress-10-0-0-0:
apiVersion: k8s.ovn.org/v1
kind: EgressIP
metadata:
  name: egress-10-0-0-0
spec:
  egressIPs:
    - 10.0.0.118
  namespaceSelector:
    matchExpressions:
      - key: kubernetes.io/metadata.name
        operator: In
        values:
          - test-egress-10-0-0-0
Testing time~
Node primary IPs:
- m1.asst.rhdemo.local -> 192.168.0.112/22
- w1.asst.rhdemo.local -> 10.0.0.213/24
1. Label the egress node only for the 10.0.0.0/24 subnet (w1.asst.rhdemo.local). The EgressIP for 192.168.0.0/22 cannot find a node to host it, so it is not assigned to any node. For 10.0.0.0/24, however, the worker w1.asst.rhdemo.local is in the same subnet as EgressIP 10.0.0.118, so that node hosts the EgressIP.
2. Label the egress nodes for all subnets.
3. Traffic testing on project test-egress-192-168-0-0
Run tcpdump on the target server, listening on port 8765 in our example. Remotely shell into the application pod and attempt to connect to the target server on an unused (fake) port, such as 8765. The IP address of the target server is 192.168.3.196.
Check the tcpdump output on the target server: the source IP is the EgressIP configured on the OCP cluster for the test-egress-192-168-0-0 project, which is 192.168.3.118.
4. Traffic testing on project test-egress-10-0-0-0 (same test as in step 3)
Run tcpdump on the target server, listening on port 8766 in our example. Remotely shell into the application pod and attempt to connect to the target server on an unused (fake) port, such as 8766. The IP address of the target server is 10.0.0.20.
The source IP seen in tcpdump is the EgressIP configured on the OCP cluster for the test-egress-10-0-0-0 project, which is 10.0.0.118.
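As an added example (not part of the original note), here is the same-subnet rule from steps 1 and 2 and the expected source IPs from steps 3 and 4 worked through in Python against a constructed inventory of the two nodes and two EgressIP objects above. The node names, primary IPs and EgressIPs are taken from the note; the functions and the data layout are my own and only model what OVN-Kubernetes does, they do not query a cluster.

```python
import ipaddress

# Constructed inventory mirroring the note: node name -> primary IP with prefix
NODES = {
    "m1.asst.rhdemo.local": "192.168.0.112/22",
    "w1.asst.rhdemo.local": "10.0.0.213/24",
}

# Constructed EgressIP objects as on the page: name -> (egress IPs, selected namespace)
EGRESS_IPS = {
    "egress-192-168-0-0": (["192.168.3.118"], "test-egress-192-168-0-0"),
    "egress-10-0-0-0": (["10.0.0.118"], "test-egress-10-0-0-0"),
}


def candidate_nodes(egress_ip, nodes, assignable):
    """Return the labelled (egress-assignable) nodes whose primary-IP subnet
    contains egress_ip. OVN-Kubernetes only places an EgressIP on a node in the
    same subnet as that node's primary IP, so this is the set able to host it."""
    ip = ipaddress.ip_address(egress_ip)
    return sorted(
        name for name, cidr in nodes.items()
        if name in assignable and ip in ipaddress.ip_interface(cidr).network
    )


def assignment_report(egress_ips, nodes, assignable):
    """Map each EgressIP address to its candidate hosts ([] if none can host it)."""
    report = {}
    for _name, (ips, _ns) in egress_ips.items():
        for ip in ips:
            report[ip] = candidate_nodes(ip, nodes, assignable)
    return report


def expected_source_ip(namespace, egress_ips, nodes, assignable):
    """Source IP a target server's tcpdump should show for a pod in namespace,
    or None when no EgressIP selecting that namespace has a node to host it."""
    for _name, (ips, ns) in egress_ips.items():
        if ns == namespace:
            for ip in ips:
                if candidate_nodes(ip, nodes, assignable):
                    return ip
    return None


if __name__ == "__main__":
    # Step 1: only w1 labelled -> 192.168.3.118 finds no host, 10.0.0.118 lands on w1
    print(assignment_report(EGRESS_IPS, NODES, {"w1.asst.rhdemo.local"}))
    # Step 2: both nodes labelled -> each EgressIP finds a host in its own subnet
    print(assignment_report(EGRESS_IPS, NODES, set(NODES)))
```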