don't forward GCP health checkers traffic

The way that Openshift configures the VIPs differs from GCP, and instead uses DNAT with conntrack. The GCP health checkers poll the VMs with LB backends to know its status. This traffic is wrongly DNATed sometimes, and it create stale entries in conntrack that cause network interruptions. The healthcheck traffic can never be forwarded inside the VM, so we just drop it, allowing only it when is directed to the host. Signed-off-by: Antonio Ojea <aojea@redhat.com>
openshift · Apr 14, 2021 · eb43d46 · eb43d46
1 parent 116603f
commit eb43d46
Showing 1 changed file with 15 additions and 0 deletions.
diff --git a/templates/master/00-master/gcp/files/opt-libexec-openshift-gcp-routes-sh.yaml b/templates/master/00-master/gcp/files/opt-libexec-openshift-gcp-routes-sh.yaml
@@ -64,6 +64,21 @@ contents:
         # balanced, even if the DNAT entry is removed
         ensure_rule filter INPUT -m comment --comment 'gcp LB vip existing' -m addrtype ! --dst-type LOCAL -m state --state ESTABLISHED,RELATED -j ACCEPT
 
+        # bz1925698: GCP LBs can create stale entries causing apiservers disruption
+        # The GCP LB Health Check polls continuously the LB VIP assigned to the VM
+        # but, if the LB VIP is down, we are not handling the VIP traffic and
+        # the traffic can hairpin, leaving stale conntrack entries on the host.
+        # xref: https://bugzilla.redhat.com/show_bug.cgi?id=1925698#c29
+        # Deleting conntrack entries solves the problem, but it also affects other connections
+        # directed to the LB vips, causing unexpected networks disruptions.
+        # The solution is to not FORWARD GCP HealthCheckers traffic, because that traffic 
+        # is only directed to the host, and it must go to the INPUT chain.
+        # xref: https://bugzilla.redhat.com/show_bug.cgi?id=1930457#c8
+        # The HealthCheck origin ip-ranges are documented: 130.211.0.0/22 and 35.191.0.0/16
+        # xref: https://cloud.google.com/load-balancing/docs/health-check-concepts#ip-ranges
+        ensure_rule filter FORWARD -m comment --comment 'gcp HealthCheck traffic' -s 35.191.0.0/16 -j DROP
+        ensure_rule filter FORWARD -m comment --comment 'gcp HealthCheck traffic' -s 130.211.0.0/22 -j DROP
+
         mkdir -p "${RUN_DIR}"
     }