Known Behavior

This section lists known limitations with Cloud-Native Contrail Networking Release 22.2.

General Routing

  • CN2-3234: When a flow matches an ingress network policy, the egress network policy is also allowed. This network policy behavior in Cloud-Native Contrail Networking differs from standard Kubernetes behavior.
  • CN2-3429: When fabric source NAT is enabled in an isolated namespace, traffic flows between pods in isolated namespaces and between pods in isolated and non-isolated namespaces.

    Workaround: Do not configure fabric source NAT on an isolated namespace.

  • CN2-3256: cSRX workloads with subinterfaces are not compatible with Cloud-Native Contrail Networking.

General Features

  • CN2-6327: When interface mirroring is enabled with the juniperheader option, only egress packets are mirrored.

    Workaround: Disable the juniperheader option to mirror both egress and ingress packets.

Red Hat OpenShift

  • CN2-5289: In an OpenShift VRRP deployment with a separate management network and a control and data network, the CNI takes a long time to come up. This is caused by the traffic NAT issues described in Red Hat Bugzilla: Bug 2070318.

  • CN2-5349: In OpenShift deployments, a vRouter agent core sometimes appears, causing the OpenShift services to not work properly.

    Workaround: Reboot the nodes one time before onboarding workloads.

  • CN2-6205: When updating OCP from version 4.8.39 to 4.9.31, dual-stack clusters fail. See Red Hat Bugzilla: Bug 2085335.

    Workaround: Delete the secrets: etcd-serving-metrics-ocp*, etcd-serving-ocp*, etcd-serving-ocp*, and then perform the update.

Kubernetes

  • CN2-4642: In Cloud-Native Contrail Networking, the network policy uses the reserved tags "application" and "namespace". These tags conflict with Contrail's reserved resources.

    Workaround: Do not use application and namespace labels to identify the pod and namespace resources.

  • CN2-5201: In scaled environments, we recommend that you refer to the node tuning parameters of the corresponding distribution. For example, for OpenShift, follow the instructions in Using the Node Tuning Operator.

  • CN2-5902: If a service label is shared between a working pod and non-working (terminating) pods, creating a service fails.

    Workaround: Remove the service label association from the non-working pods.

  • CN2-6325: You cannot use Docker as a container runtime with Kubernetes 1.20. Docker as a container runtime is now deprecated in Kubernetes.

    Workaround: Use the CRI-O container engine or containerd as runtimes.

DPDK and SR-IOV

  • CN2-5916: When four interfaces are configured in a bond interface on an X710 NIC, an mbuf leak with traffic drop is observed.

    Workaround: Limit the bond configuration to two interfaces for X710 NICs.