Network Cluster Operator stuck in Degraded state due to kube-proxy options during SDN to OVN migration
Environment
- Red Hat OpenShift Container Platform 4
Issue
- During the migration of an OpenShift cluster from OpenShift SDN to OVN-Kubernetes, the Network Cluster Operator (CO) becomes stuck and enters a degraded state with the error
The operator configuration is invalid (invalid configuration: [network type "OVNKubernetes" does not allow specifying kube-proxy options]). Use 'oc edit network.operator.openshift.io cluster' to fix.
Resolution
- Remove the
kubeProxyConfigsection from theNetwork.operator.openshift.ioconfiguration.
-
Edit the
Network.operator.openshift.iocustom resource (CR) by running the following command:$ oc edit network.operator.openshift.io cluster -
Remove the
kubeProxyConfigsection:
In the opened editor, remove thekubeProxyConfigsection:apiVersion: operator.openshift.io/v1 kind: Network [...] spec: clusterNetwork: - cidr: <cluster network>/16 hostPrefix: 23 defaultNetwork: openshiftSDNConfig: mode: NetworkPolicy mtu: 1450 vxlanPort: 4789 type: OVNKubernetes disableNetworkDiagnostics: false kubeProxyConfig: # <----- remove this section iptablesSyncPeriod: 30s # <----- remove this section proxyArguments: # <----- remove this section iptables-min-sync-period: # <----- remove this section - 0s # <----- remove this section [...]
Root Cause
- The OVN migration was blocked because the cluster retained
kubeProxyConfigsettings, which are not supported with OVN-Kubernetes. Since OVN replaces kube-proxy and handles service routing internally, these parameters are considered invalid. The Network Operator detected this mismatch, marked the configuration asInvalidOperatorConfig, and set the cluster to a degraded state, preventing the migration from proceeding until the unsupported settings were removed.
Diagnostic Steps
-
Verify the Network CO state:
Check if the Network Cluster Operator is stuck in a degraded state with the specified error.$ oc get co NAME VERSION AVAILABLE PROGRESSING DEGRADED SINCE MESSAGE monitoring 4.13.22 True False False 16h network 4.13.22 True False True 531d The operator configuration is invalid (invalid configuration: [network type "OVNKubernetes" does not allow specifying kube-proxy options]). Use 'oc edit network.operator.openshift.io cluster' to fix. node-tuning 4.13.22 True False False 11d openshift-apiserver 4.13.22 True False False 12m openshift-controller-manager 4.13.22 True False False 64d openshift-samples 4.13.22 True False False 11d operator-lifecycle-manager 4.13.22 True False False 531d operator-lifecycle-manager-catalog 4.13.22 True False False 531d operator-lifecycle-manager-packageserver 4.13.22 True False False 12m service-ca 4.13.22 True False False 531d storage 4.13.22 True False False 531d -
Verify the presence of
kubeProxyConfig:
Ensure that thekubeProxyConfigsection is present in your network CO configuration.$ oc get network.operator.openshift.io cluster -oyaml apiVersion: operator.openshift.io/v1 kind: Network [...] spec: clusterNetwork: - cidr: <cluster network>/16 hostPrefix: 23 defaultNetwork: openshiftSDNConfig: mode: NetworkPolicy mtu: 1450 vxlanPort: 4789 type: OVNKubernetes disableNetworkDiagnostics: false kubeProxyConfig: iptablesSyncPeriod: 30s proxyArguments: iptables-min-sync-period: - 0s [...]If
kubeProxyConfigis present, proceed with the resolution steps to remove it.
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.