Document a workaround for using EgressSeparateSubnet feature on OCP

Signed-off-by: Lan Luo <[email protected]>
antrea-io · Aug 22, 2024 · b880633 · b880633
1 parent 555ee9a
commit b880633
Showing 1 changed file with 39 additions and 0 deletions.
diff --git a/docs/egress.md b/docs/egress.md
@@ -21,6 +21,7 @@
 - [Egress on Cloud](#egress-on-cloud)
   - [AWS](#aws)
 - [Limitations](#limitations)
+- [Known issues](#known-issues)
 <!-- /toc -->
 
 ## What is Egress?
@@ -462,3 +463,41 @@ configuration is required by some Service load balancing solutions including:
 [Antrea Service external IP management, MetalLB](service-loadbalancer.md#interoperability-with-kube-proxy-ipvs-mode),
 and kube-vip. It means Antrea Egress cannot work together with these solutions
 in a cluster using `kube-proxy` IPVS. The issue was fixed in Antrea v1.7.0.
+
+## Known issues
+
+To support `EgressSeparateSubnet` feature, VLAN sub-interfaces will be created by
+Antrea Agents, the `rp_filter` of VLAN sub-interfaces should be 2, which enables loose
+mode filtering. In a vanilla Kubernetes cluster, Antrea Agents will set the `rp_filter`
+to 2 automatically without user intervention. However, it has been observed that
+`rp_filter` update by Antrea has no effect on OpenShift clusters due to [a known issue](https://github.com/antrea-io/antrea/issues/6546).
+A workaround is to leverage OpenShift Node Tuning Operator to update the `rp_filter`
+for `all` interface on all Egress Nodes:
+
+```yaml
+apiVersion: tuned.openshift.io/v1
+kind: Tuned
+metadata:
+  name: antrea
+  namespace: openshift-cluster-node-tuning-operator
+spec:
+  profile:
+  - data: |
+      [main]
+      summary=Update rp_filter for all
+      [sysctl]
+      net.ipv4.conf.all.rp_filter=2
+    name: openshift-antrea
+  recommend:
+  - match:
+    - label: network-role
+      value: egress-gateway
+    priority: 10
+    profile: openshift-antrea
+```
+
+After you apply above `Tuned` CR named `antrea` in a given OpenShift cluster, the Node
+Tuning Operator will watch the CR and update `net.ipv4.conf.all.rp_filter` to 2 for all
+matched Nodes (e.g. all Nodes with a label `network-role=egress-gateway`). Please refer
+to the OpenShift official document about [Using the Node Tuning Operator](https://docs.openshift.com/container-platform/4.16/scalability_and_performance/using-node-tuning-operator.html)
+for more details of `Tuned` CR.