CI: K8sEgressGatewayTest tunnel disabled * both egress gw and basic connectivity work #18012
Labels: area/CI, ci/flake, feature/egress-gateway, kind/bug, sig/datapath, stale
https://gofile.io/d/XwghzF
https://jenkins.cilium.io/job/Cilium-PR-K8s-1.16-net-next/2046/testReport/junit/Suite-k8s-1/16/K8sEgressGatewayTest_tunnel_disabled_with_endpointRoutes_enabled_egress_gw_policy_both_egress_gw_and_basic_connectivity_work/
After reading the code, the following was failing (TODO: either fix function call offset or add By(), otherwise it's difficult to determine exactly which assertion has failed):
cilium/test/k8sT/Egress.go, line 206 in b12ecd1
Digging into the hubble logs of cilium running on k8s1 we can find the flow which failed:
We can see from the flow log that the reply from the pod to the outside (SYN+ACK) was sent over the tunnel:
and which was apparently SNAT-ed by the egress gw node (k8s2). From the latter SNAT table dump:
The question is why the CT_REPLY check was bypassed? The CT entry from k8s1 (I couldn't find any other entry which could have used the 38580 port):