Known Behavior
This section lists known limitations with Cloud-Native Contrail Networking Release 22.3.
General Routing
- CN2-3234: When a flow matches an ingress network policy, the egress network policy is also allowed. The network policy in Cloud-Native Contrail Networking behaves differently than standard Kubernetes behavior.
- CN2-3429: When fabric source NAT is enabled in an isolated namespace, traffic flows between pods in isolated namespaces and between pods in isolated and non-isolated namespaces.
Workaround: Do not configure fabric source NAT on an isolated namespace.
- CN2-3256: All cSRX workloads with subinterfaces are not compatible with Cloud-Native Contrail Networking.
- CN2-4822: BGPaaS objects cannot be configured on nodes that host the Contrail controller and worker nodes on the same physical host.
Workaround: Production deployments are not affected because they run the Kubernetes worker and controller in different physical hosts.
- CN2-6290: When installing the vRouter kernel, the vRouter init fails with this error:
insmod: can't insert '/kernelmodules/5.4.0-65-generic/vrouter.ko': Invalid argument
Workaround: Install the supported kernel version. See Table 1.
General Features
- CN2-6327: When interface mirroring is enabled with the juniperheader option, only egress packets are mirrored.
Workaround: Disable the juniperheader option to mirror both egress and ingress packets.
- CN2-8728: When deploying CN2 on AWS EC2 instances, running Kubernetes service traffic and Contrail datapath traffic on different interfaces is not supported.
Workaround: Do not deploy Kubernetes and data traffic on the same interface in AWS.
- CN2-8729: If the nodeSelector field is not populated to run on a single node, the postflight check might show some error messages for the UDP test. Also, ping and TCP tests will fail.
Workaround: In the contrail-readiness-postflight.yaml file, populate the nodeSelector field to run on a single node.
Red Hat OpenShift
- CN2-5289: In an OpenShift VRRP deployment, with a separate management network and control and data network, the CNI takes a long time to come up. This issue is due to traffic NATing issues as described in Red Hat Bugzilla: Bug 2070318.
- CN2-5349: In OpenShift deployments, a vRouter agent core sometimes appears, causing the OpenShift services to not work properly.
Workaround: Reboot the nodes one time before onboarding workloads.
- CN2-6205: When updating OpenShift Container Platform (OCP) from version 4.8.39 to 4.9.31, dual-stack clusters fail. See Red Hat Bugzilla: Bug 2085335.
Workaround: Delete the secrets: etcd-serving-metrics-ocp*, etcd-serving-ocp*, etcd-serving-ocp*, and then perform the update.
- CN2-8137: OCP fails with a v2InstallCusterConflict error. This error sometimes appears early in OCP cluster deployments and remains in this state. You might see this error during cluster preparations before the installation starts.
Workaround: Deploy the cluster again.
Kubernetes
- CN2-4642: In Cloud-Native Contrail Networking, the network policy uses the reserved tags "application" and "namespace". These tags conflict with Contrail's reserved resources.
Workaround: Do not use application and namespace labels to identify the pod and namespace resources.
- CN2-5201: In scaled environments, we recommend that you refer to the node tuning parameters of the corresponding distribution. For example, for OpenShift, follow the instructions in Using the Node Tuning Operator.
- CN2-5902: If a service label is shared between a working pod and non-working (terminating) pods, creating a service fails.
Workaround: Remove the service label association from the non-working pods.
- CN2-6325: You cannot use Docker as a container runtime with Kubernetes 1.20. Docker as a container runtime is now deprecated in Kubernetes.
Workaround: Use the CRI-O container engine or containerd as runtimes.
Telemetry and Analytics
- CN2-8385: Upgrading CN2 analytics (Prometheus) from non-HA to HA is not working. This applies to both major and minor upgrades.
Workaround: Perform a helm rollback to the previous software version.
Lens UI
- CN2-8561: After downloading the Lens AppImage Lens-5.4.4-latest.20220324.1.x86_64.AppImage, an "Access Denied" error message displays.
Workaround: Download the latest version of the AppImage from the following links: