Known Behavior
This section lists known limitations with Cloud-Native Contrail Networking Release 22.2.
General Routing
- CN2-3234: When a flow matches an ingress network policy, the egress direction of that flow is also allowed. This differs from standard Kubernetes network policy behavior, where ingress and egress rules are evaluated independently.
- CN2-3429: When fabric source NAT is enabled in an isolated namespace, traffic flows between pods in isolated namespaces and between pods in isolated and non-isolated namespaces.
  Workaround: Do not configure fabric source NAT on an isolated namespace.
- CN2-3256: cSRX workloads with subinterfaces are not compatible with Cloud-Native Contrail Networking.
General Features
- CN2-6327: When interface mirroring is enabled with the juniperheader option, only egress packets are mirrored.
  Workaround: Disable the juniperheader option to mirror both egress and ingress packets.
Redhat Openshift
- CN2-5289: In an Openshift VRRP deployment with a separate management network and a separate control and data network, the CNI takes a long time to come up. This issue is caused by traffic NAT issues, as described in Red Hat Bugzilla: Bug 2070318.
- CN2-5349: In Openshift deployments, the vRouter agent sometimes crashes (core dump), which causes the Openshift services to stop working properly.
  Workaround: Reboot the nodes one time before onboarding workloads.
- CN2-6205: When updating OCP from version 4.8.39 to 4.9.31, dual-stack clusters fail. See Red Hat Bugzilla: Bug 2085335.
  Workaround: Delete the secrets etcd-serving-metrics-ocp*, etcd-serving-ocp*, etcd-serving-ocp*, and then perform the update.
Kubernetes
- CN2-4642: In Cloud-Native Contrail Networking, the network policy uses the reserved tags "application" and "namespace". These tags conflict with Contrail's reserved resources.
  Workaround: Do not use "application" and "namespace" labels to identify the pod and namespace resources.
- CN2-5201: In scaled environments, we recommend that you refer to the node tuning parameters of the corresponding distribution. For example, for Openshift, follow the instructions in Using the Node Tuning Operator.
- CN2-5902: If a service label is shared between a working pod and non-working (terminating) pods, creating a service fails.
  Workaround: Remove the service label association from the non-working pods.
- CN2-6325: You cannot use Docker as a container runtime with Kubernetes 1.20. Docker as a container runtime is now deprecated in Kubernetes.
  Workaround: Use the CRI-O container engine or containerd as the runtime.
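For CN2-4642 above, a quick way to audit an existing cluster for the conflicting "application" and "namespace" labels before onboarding it is to scan the JSON that kubectl emits (for example `kubectl get pods,namespaces -A -o json`) for those keys. The script below is an added example, not part of the release notes or the Contrail project; the embedded manifest is constructed sample input.

```python
import json

# Label keys that CN2-4642 says collide with Contrail's reserved tags.
RESERVED_LABELS = frozenset({"application", "namespace"})


def find_reserved_labels(kubectl_list_json: str) -> list[dict]:
    """Scan a kubectl 'List' JSON document (output of kubectl get ... -o json)
    and return one record per object whose metadata.labels uses a reserved key."""
    doc = json.loads(kubectl_list_json)
    hits = []
    for item in doc.get("items", []):
        meta = item.get("metadata", {})
        labels = meta.get("labels") or {}
        # sorted() keeps the report deterministic when both keys are present
        for key in sorted(k for k in labels if k in RESERVED_LABELS):
            hits.append({
                "kind": item.get("kind"),
                "namespace": meta.get("namespace"),  # absent on Namespace objects
                "name": meta.get("name"),
                "label": key,
                "value": labels[key],
            })
    return hits


# Constructed sample: two pods and one namespace, two of them using reserved keys.
SAMPLE_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"kind": "Pod", "metadata": {"name": "web", "namespace": "prod",
                                     "labels": {"app": "web", "application": "frontend"}}},
        {"kind": "Pod", "metadata": {"name": "db", "namespace": "prod",
                                     "labels": {"app": "db", "tier": "data"}}},
        {"kind": "Namespace", "metadata": {"name": "prod",
                                           "labels": {"namespace": "prod"}}},
    ],
})

if __name__ == "__main__":
    for hit in find_reserved_labels(SAMPLE_LIST):
        print(f"{hit['kind']} {hit['namespace'] or '-'}/{hit['name']}: "
              f"reserved label {hit['label']}={hit['value']}")
```

Feed it real output with `kubectl get pods,namespaces -A -o json` and rename any reported labels before applying network policies.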
DPDK and SR-IOV
- CN2-5916: When four interfaces are configured in a bond interface on an X710 NIC, an mbuf leak with traffic drop is observed.
  Workaround: Limit the bond configuration to two interfaces for X710 NICs.