How to configure OVN to use kernel routing table
Environment
- OpenShift Container Platform 4
- OVN Kubernetes CNI
Issue
- How to configure OVN to use the kernel routing table?
- OVN does not honor the kernel routing table
- Networks via additional gateways are unreachable from pods
Resolution
OCP 4.10 to 4.13
Starting from OCP 4.10.3, the 'routingViaHost' option of the 'network.operator' object is supported to configure OVN to use the kernel routing table instead. It is described in the OpenShift product documentation.
$ oc patch network.operator cluster -p '{"spec":{"defaultNetwork":{"ovnKubernetesConfig":{"gatewayConfig": {"routingViaHost": true} }}}}' --type=merge
$ oc get network.operator.openshift.io/cluster -o yaml | grep routingViaHost
routingViaHost: true
OCP 4.14 and later
In addition to 'routingViaHost: true', 'ipForwarding' needs to be set to 'Global'.
$ oc patch network.operator cluster -p '{"spec":{"defaultNetwork":{"ovnKubernetesConfig":{"gatewayConfig": {"routingViaHost": true} }}}}' --type=merge
$ oc patch network.operator cluster -p '{"spec":{"defaultNetwork":{"ovnKubernetesConfig":{"gatewayConfig": {"ipForwarding": "Global"} }}}}' --type=merge
$ oc get network.operator.openshift.io/cluster -o yaml | egrep 'routingViaHost|ipForwarding'
ipForwarding: Global
routingViaHost: true
$ oc get pods -n openshift-ovn-kubernetes -w # check if ovnkube pods are restarted
Starting from OCP 4.14, 'ipForwarding' is set to 'Restricted' by default. This means IP forwarding is disabled on the nodes:
# sysctl -a | grep all.forward
net.ipv4.conf.all.forwarding = 0
net.ipv6.conf.all.forwarding = 0
Setting 'ipForwarding' to 'Global' enables IP forwarding on the nodes. Note that if the cluster has been upgraded to 4.14 from an earlier version, 'ipForwarding: Global' is set by default.
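The version-dependent checks above, as an added example that is not part of this article or of Red Hat's tooling: a small Python helper that inspects a 'network.operator' object (as returned by 'oc get network.operator cluster -o json'), reports which gatewayConfig settings are missing for the cluster's release, builds the single merge patch that sets them, and reads the node's sysctl output. The sample objects, the function names and the version thresholds as coded here are assumptions taken from the text of this solution.

```python
"""Check whether an OVN-Kubernetes gatewayConfig will use the kernel routing
table and build the merge patch that fixes it.

Added example (not Red Hat's code). The sample objects below are constructed.
"""
import json

# Thresholds taken from the solution text (assumption: patch-level versions
# are compared numerically, e.g. 4.10.3 <= 4.10.5 < 4.14.0).
MIN_SUPPORTED = (4, 10, 3)      # routingViaHost available from 4.10.3
NEEDS_IP_FORWARDING = (4, 14, 0)  # ipForwarding defaults to Restricted from 4.14


def parse_version(version):
    """'4.14.3' -> (4, 14, 3); a missing patch level is treated as 0."""
    nums = [int(p) for p in version.split(".")[:3]]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def required_gateway_config(version):
    """gatewayConfig keys the article requires for this OCP release."""
    v = parse_version(version)
    if v < MIN_SUPPORTED:
        raise ValueError("routingViaHost is supported from OCP 4.10.3")
    required = {"routingViaHost": True}
    if v >= NEEDS_IP_FORWARDING:
        required["ipForwarding"] = "Global"
    return required


def gateway_config(network_operator):
    """Extract spec.defaultNetwork.ovnKubernetesConfig.gatewayConfig (or {})."""
    return (network_operator.get("spec", {})
            .get("defaultNetwork", {})
            .get("ovnKubernetesConfig", {})
            .get("gatewayConfig", {}))


def missing_settings(network_operator, version):
    """Return {key: wanted_value} for every required key that is absent or wrong."""
    current = gateway_config(network_operator)
    return {k: v for k, v in required_gateway_config(version).items()
            if current.get(k) != v}


def merge_patch(missing):
    """One JSON merge patch for `oc patch network.operator cluster --type=merge -p`.

    Returns None when nothing is missing, so callers can skip the patch.
    """
    if not missing:
        return None
    return json.dumps({"spec": {"defaultNetwork": {
        "ovnKubernetesConfig": {"gatewayConfig": missing}}}})


def forwarding_state(sysctl_output):
    """Parse `sysctl -a | grep all.forward` lines into {'ipv4': bool, 'ipv6': bool}."""
    values = {}
    for line in sysctl_output.splitlines():
        key, sep, val = line.partition("=")
        if sep:
            values[key.strip()] = val.strip()
    return {
        "ipv4": values.get("net.ipv4.conf.all.forwarding") == "1",
        "ipv6": values.get("net.ipv6.conf.all.forwarding") == "1",
    }


# Constructed sample: a 4.14 cluster where only routingViaHost was patched.
SAMPLE_OPERATOR = {"spec": {"defaultNetwork": {"ovnKubernetesConfig": {
    "gatewayConfig": {"routingViaHost": True}}}}}

# Constructed sample of the node sysctl output with forwarding restricted.
SAMPLE_SYSCTL = """net.ipv4.conf.all.forwarding = 0
net.ipv6.conf.all.forwarding = 0
"""

if __name__ == "__main__":
    for ver in ("4.12.10", "4.14.3"):
        miss = missing_settings(SAMPLE_OPERATOR, ver)
        print(ver, "missing:", miss, "patch:", merge_patch(miss))
    print("node forwarding:", forwarding_state(SAMPLE_SYSCTL))
```

On a 4.14 cluster the helper reports 'ipForwarding' as missing and emits a single patch that can replace the two separate 'oc patch' commands; on 4.12 it reports nothing to do. After patching, rerun the sysctl check on a node to confirm forwarding is enabled before testing reachability from pods.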
Root Cause
Unlike the OpenShift SDN CNI, the OVN-Kubernetes CNI does not use the kernel routing table by default: the default route for pod traffic is held in the node's OVN gateway router (GR_<node>), which can be listed with the script below.
$ cat ./check-ovn-routing.sh
#!/bin/sh
# Select the ovnkube-node pods scheduled on master nodes (the NODE column of
# `-o wide` contains "master"), then query the gateway router GR_<node> of the
# last node listed by `oc get nodes`. The loop stops at the first pod that answers.
PODS=$(oc get pods -n openshift-ovn-kubernetes -o wide -l app=ovnkube-node | awk '/master/ {print $1}' ORS=' ')
NODE=$(oc get nodes | grep -v '^NAME' | awk '{print $1}' | tail -1)
for POD in $PODS
do
  oc exec -n openshift-ovn-kubernetes -it "$POD" -c ovn-controller -- ovn-nbctl lr-route-list "GR_$NODE" && break
done
$ ./check-ovn-routing.sh
IPv4 Routes
Route Table <main>:
10.128.0.0/14 100.64.0.1 dst-ip
0.0.0.0/0 192.168.72.1 dst-ip rtoe-GR_worker-2.410k.ocp.cluster.com # <======
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.