Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Known Behavior

This section lists known limitations with Cloud-Native Contrail Networking Release 22.3.

General Routing

  • CN2-3234: When a flow matches an ingress network policy, the egress network policy is also allowed. The network policy in Cloud-Native Contrail Networking behaves differently than standard Kubernetes behavior.
  • CN2-3429: When fabric source NAT is enabled in an isolated namespace, traffic flows between pods in isolated namespaces and between pods in isolated and non-isolated namespaces.

    Workaround: Do not configure fabric source NAT on an isolated namespace.

  • CN2-3256: All cSRX workloads with subinterfaces are not compatible with Cloud-Native Contrail Networking.

  • CN2-4822: BGPaaS objects cannot be configured on nodes that host the contrail controller and worker nodes on the same physical host.

    Workaround: Production deployments are not affected because they run the Kubernetes worker and controller in different physical hosts.

  • CN2-6290: When installing the vRouter kernel, the vRouter init fails with this error:

    insmod: can't insert '/kernelmodules/5.4.0-65-generic/vrouter.ko': Invalid argument

    Workaround: Install the supported kernel version, see Table 1.

General Features

  • CN2-6327: When interface mirroring is enabled with the juniperheader option, only egress packets are mirrored.

    Workaround: Disable the juniperheader option to mirror both egress and ingress packets.

  • CN2-8728: When deploying CN2 on AWS EC2 instances, running Kubernetes service traffic and Contrail datapath traffic on different interfaces is not supported.

    Workaround: Do not deploy Kubernetes and data traffic on the same interface in AWS.

  • CN2-8729: If the nodeSelector field is not populated to run on a single node, the postflight check might show some error messages for UDP test. Also, ping and TCP tests will fail.

    Workaround: In the contrail-readiness-postflight.yaml file, populate the nodeSelector field to run on a single node.

Redhat OpenShift

  • CN2-5289: In an OpenShift VRRP deployment, with a separate management network and control and data network, the CNI takes a long time to come up. This issue is due to traffic NATing issues as described in Red Hat Bugzilla: Bug 2070318.

  • CN2-5349: In OpenShift deployments, sometimes the vRouter agent core appears causing the Openshift services to not work properly.

    Workaround: Reboot the nodes one time before onboarding workloads.

  • CN2-6205: When updating OpenShift Container (OCP) from version 4.8.39 to 4.9.31, dual-stack clusters fail. See Red Hat Bugzilla: Bug 2085335.

    Workaround: Delete the secrets: etcd-serving-metrics-ocp*, etcd-serving-ocp*, etcd-serving-ocp*, and then perform the update.

  • CN2-8137: OCP fails with a v2InstallCusterConflict error. This error sometimes appears early in OCP cluster deployments and remains in this state. You might see this error during cluster preparations before the installation starts.

    Workaround: Deploy the cluster again.

Kubernetes

  • CN2-4642: In Cloud-Native Contrail Networking, the network policy uses the reserved tags "application" and "namespace". These tags conflict with Contrail's reserved resources.

    Workaround: Do not use application and namespace labels to identify the pod and namespace resources.

  • CN2-5201: In scaled environments, we recommend that you refer to the node tuning parameters of the corresponding distribution. For example, for OpenShift, follow the instructions Using the Node Tuning Operator.

  • CN2-5902: If a service label is shared between a working pod and non-working (terminating) pods, creating a service fails.

    Workaround: Remove the service label association from the non-working pods.

  • CN2-6325: You cannot use Docker as a container runtime with Kubernetes 1.20. Docker as a container runtime is now deprecated in Kubernetes.

    Workaround: Use the CRI-O container engine or containerd as runtimes.

Telemetry and Analytics

  • CN2-8385: Upgrading CN2 analytics (Prometheus) from non-HA to HA is not working. This applies to both major and minor upgrades.

    Workaround: Perform a helm rollback to the previous software version.

Lens UI