Skip to content

OCPBUGS-63219: Add clientIPPreservationMode to AWS NLB parameters#2661

Open
gcs278 wants to merge 1 commit into
openshift:masterfrom
gcs278:OCPBUGS-63219-proxy-protocol-api
Open

OCPBUGS-63219: Add clientIPPreservationMode to AWS NLB parameters#2661
gcs278 wants to merge 1 commit into
openshift:masterfrom
gcs278:OCPBUGS-63219-proxy-protocol-api

Conversation

@gcs278
Copy link
Copy Markdown
Contributor

@gcs278 gcs278 commented Jan 19, 2026
edited
Loading

Summary

Note: Design Doc with an alternative is here: https://docs.google.com/document/d/14UVY8U-exch30-tYloX_-DMhM7hJX8226VA2q7bTJeo/edit?tab=t.0

Add clientIPPreservationMode field to AWSNetworkLoadBalancerParameters to control how client IP addresses are preserved. The field accepts "Native" (uses AWS's native client IP preservation) and "ProxyProtocol" (uses PROXY protocol v2, the new default).

When set to Native, the NLB target group has preserve_client_ip.enabled set to true, which may cause hairpin connection failures for internal load balancers when connections are made from pods to router pods on the same node.

When set to ProxyProtocol, the NLB target group has preserve_client_ip.enabled set to false and proxy_protocol_v2.enabled set to true. This allows backends to receive the original client IP via PROXY protocol headers while avoiding hairpin connection failures.

Why a new API field?

AWS NLBs have preserve_client_ip.enabled=true by default, which causes hairpin connection failures on internal NLBs when a pod sends traffic through the NLB and it routes back to the same node. The fix is to disable native client IP preservation and use PROXY protocol v2 instead — the same mechanism CLBs already use.

However, simply changing the default NLB behavior is not safe for existing clusters:

  • Users may have custom service load balancers or middleware between the NLB and HAProxy that don't understand PROXY protocol headers.
  • Enabling PROXY protocol changes how HAProxy processes incoming connections, which could break setups that depend on the current behavior.
  • Even though the risk is small, having an API field gives cluster admins an escape hatch to revert to the old behavior if something breaks.

An opt-in API field lets users explicitly choose ProxyProtocol when they need hairpin to work, while preserving the existing behavior for clusters that are working fine.

Why controller-managed defaults (not CRD defaults)?

Per the OpenShift API conventions for configuration APIs, IngressController fields should be defaulted in the controller rather than via +kubebuilder:default. This is because CRD defaults are applied on read — meaning a +kubebuilder:default would retroactively apply to existing IngressControllers on upgrade, changing their behavior without the user's knowledge.

Instead, the ingress operator defaults clientIPPreservationMode to ProxyProtocol only when creating new IngressControllers. Existing IngressControllers that were created before this field existed will have the field omitted, and the operator treats omitted as Native — preserving their current behavior with no change on upgrade.

The godoc uses the standard conventions wording to reserve the right to change the default in the future: "When omitted, this means the user has no opinion and the value is left to the platform to choose a good default, which is subject to change over time. The current default is ProxyProtocol."

Implementation PR: openshift/cluster-ingress-operator#1426

@openshift-ci-robot
Copy link
Copy Markdown

openshift-ci-robot commented Jan 19, 2026

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

@openshift-ci
Copy link
Copy Markdown
Contributor

openshift-ci Bot commented Jan 19, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@coderabbitai
Copy link
Copy Markdown

coderabbitai Bot commented Jan 19, 2026
edited
Loading

📝 Walkthrough

Walkthrough

Adds an exported string enum ClientIPPreservationMode with constants ClientIPPreservationNative and ClientIPPreservationProxyProtocol. Extends AWSNetworkLoadBalancerParameters with an optional clientIPPreservationMode field to select how AWS NLBs preserve client IPs. The CRD schema/documents the two modes (Native, ProxyProtocol) and notes that changing the NLB attribute or performing a router rollout independently can cause brief connection failures.

🚥 Pre-merge checks | ✅ 12
✅ Passed checks (12 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly and specifically describes the main change: adding the clientIPPreservationMode field to AWS NLB parameters, directly matching the changeset.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed The PR modifies only types_ingress.go, an API type definition file with no Ginkgo test code, making this check not applicable.
Test Structure And Quality ✅ Passed PR contains only API schema changes (new type and struct field) with no test code modifications, making test assessment not applicable.
Microshift Test Compatibility ✅ Passed The pull request adds API type definitions for AWS NLB ClientIPPreservationMode feature without adding any Ginkgo e2e tests.
Single Node Openshift (Sno) Test Compatibility ✅ Passed PR adds API type definitions for AWS NLB configuration without new e2e test code, so the multi-node cluster assumption check is not applicable.
Topology-Aware Scheduling Compatibility ✅ Passed This PR only modifies API type definitions in operator/v1/types_ingress.go, adding a new enum type and struct field. No deployment manifests, operator controller code, or scheduling constraints that assume standard HA topology are introduced.
Ote Binary Stdout Contract ✅ Passed PR modifies only type definitions and struct field in operator/v1/types_ingress.go with no process-level code, logging, or stdout writes.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed The pull request modifies only operator/v1/types_ingress.go, which contains API type definitions and constants without any Ginkgo e2e test additions.
Description check ✅ Passed The PR description comprehensively explains the changes, including the new field's purpose, accepted values, behavioral differences, design rationale, and implementation details.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands and usage tips.

@openshift-ci-robot openshift-ci-robot added the jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. label Jan 19, 2026
@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 19, 2026
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jan 19, 2026
@openshift-ci
Copy link
Copy Markdown
Contributor

openshift-ci Bot commented Jan 19, 2026

Hello @gcs278! Some important instructions when contributing to openshift/api:
API design plays an important part in the user experience of OpenShift and as such API PRs are subject to a high level of scrutiny to ensure they follow our best practices. If you haven't already done so, please review the OpenShift API Conventions and ensure that your proposed changes are compliant. Following these conventions will help expedite the api review process for your PR.

@openshift-ci-robot openshift-ci-robot added the jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. label Jan 19, 2026
@openshift-ci-robot
Copy link
Copy Markdown

openshift-ci-robot commented Jan 19, 2026

@gcs278: This pull request references Jira Issue OCPBUGS-63219, which is invalid:

  • expected the bug to target the "4.22.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Add clientIPPreservationMode field to AWSNetworkLoadBalancerParameters to control how client IP addresses are preserved. The field accepts "Preserved" (uses AWS's native client IP preservation, the default) and "ProxyProtocol" (uses PROXY protocol v2).

When set to Preserved, the NLB target group has preserve_client_ip.enabled set to true, which may cause hairpin connection failures for internal load balancers when connections are made from pods to router pods on the same node.

When set to ProxyProtocol, the NLB target group has preserve_client_ip.enabled set to false and proxy_protocol_v2.enabled set to true. This allows backends to receive the original client IP via PROXY protocol headers while avoiding hairpin connection failures.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci Bot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Jan 19, 2026
@openshift-ci
Copy link
Copy Markdown
Contributor

openshift-ci Bot commented Jan 19, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign deads2k for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@gcs278
Copy link
Copy Markdown
Contributor Author

gcs278 commented Jan 19, 2026

I've marked as draft as I'm still working through the approach to fixing this bug.

/test all

@gcs278 gcs278 mentioned this pull request Jan 23, 2026
Merged
@openshift-bot
Copy link
Copy Markdown

openshift-bot commented Apr 20, 2026

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

@openshift-ci openshift-ci Bot added lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Apr 20, 2026
@gcs278 gcs278 force-pushed the OCPBUGS-63219-proxy-protocol-api branch from b27f43f to 8eafa13 Compare April 28, 2026 17:16
@openshift-ci openshift-ci Bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Apr 28, 2026
coderabbitai[bot]
coderabbitai Bot reviewed Apr 28, 2026
View reviewed changes
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (1)
operator/v1/types_ingress.go (1)

914-921: Encode the documented default in schema annotations.

Line 914 documents a default mode, but the field has no +kubebuilder:default marker. Adding it keeps CRD/OpenAPI behavior explicit and consistent for clients.

Suggested annotation 
  // When omitted, the default behavior is "Native".
  //
+ // +kubebuilder:default:="Native"
  // +optional
  ClientIPPreservationMode ClientIPPreservationMode `json:"clientIPPreservationMode,omitempty"`
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@operator/v1/types_ingress.go` around lines 914 - 921, The comment documents
the default "Native" for the ClientIPPreservationMode field but the CRD schema
lacks a kubebuilder default; add a +kubebuilder:default="Native" marker
immediately above the ClientIPPreservationMode field declaration
(ClientIPPreservationMode ClientIPPreservationMode
`json:"clientIPPreservationMode,omitempty"`), ensuring the OpenAPI/CRD schema
and type ClientIPPreservationMode encode the documented default.
🤖 Prompt for all review comments with AI agents 
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@operator/v1/types_ingress.go`:
- Around line 905-907: The exported enum label for the NLB client IP mode is
inconsistent (code uses "Native" but the API should default to "Preserved");
update the enum constant/strings and documentation so the exported value is
"Preserved" everywhere, set the default to Preserved, and adjust all
validation/serialization code to accept and emit "Preserved" instead of "Native"
(update the enum declaration, Allowed/Valid list, defaulting in SetDefaults,
Validate, and any UnmarshalJSON/FromString helpers or switch cases that
reference "Native"); if you need to preserve backward-compatibility, add a
one-time alias mapping from the legacy "Native" input to "Preserved" in
Unmarshal/Validate while continuing to output "Preserved".

---

Nitpick comments:
In `@operator/v1/types_ingress.go`:
- Around line 914-921: The comment documents the default "Native" for the
ClientIPPreservationMode field but the CRD schema lacks a kubebuilder default;
add a +kubebuilder:default="Native" marker immediately above the
ClientIPPreservationMode field declaration (ClientIPPreservationMode
ClientIPPreservationMode `json:"clientIPPreservationMode,omitempty"`), ensuring
the OpenAPI/CRD schema and type ClientIPPreservationMode encode the documented
default.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 26a1373d-68a6-4e6e-830d-33b241a22822

📥 Commits

Reviewing files that changed from the base of the PR and between 4f63a40 and 8eafa13.

⛔ Files ignored due to path filters (10)
  • openapi/generated_openapi/zz_generated.openapi.go is excluded by !openapi/**, !**/zz_generated*
  • openapi/openapi.json is excluded by !openapi/**
  • operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-CustomNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
  • operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-Default.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
  • operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-DevPreviewNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
  • operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-OKD.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
  • operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-TechPreviewNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
  • operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/AAA_ungated.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/IngressControllerDynamicConfigurationManager.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • operator/v1/zz_generated.swagger_doc_generated.go is excluded by !**/zz_generated*
📒 Files selected for processing (1)
  • operator/v1/types_ingress.go

Comment thread operator/v1/types_ingress.go
@gcs278 gcs278 force-pushed the OCPBUGS-63219-proxy-protocol-api branch from 8eafa13 to e6b120a Compare April 28, 2026 17:56
@openshift-ci-robot
Copy link
Copy Markdown

openshift-ci-robot commented Apr 28, 2026

@gcs278: This pull request references Jira Issue OCPBUGS-63219, which is invalid:

  • expected the bug to target the "5.0.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

Add clientIPPreservationMode field to AWSNetworkLoadBalancerParameters
to control how client IP addresses are preserved. The field accepts
"Native" (uses AWS's native client IP preservation) and
"ProxyProtocol" (uses PROXY protocol v2, the new default).

When set to Native, the NLB target group has preserve_client_ip.enabled
set to true, which may cause hairpin connection failures for internal load
balancers when connections are made from pods to router pods on the same
node.

When set to ProxyProtocol, the NLB target group has
preserve_client_ip.enabled set to false and proxy_protocol_v2.enabled
set to true. This allows backends to receive the original client IP via
PROXY protocol headers while avoiding hairpin connection failures.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@gcs278
Copy link
Copy Markdown
Contributor Author

gcs278 commented Apr 29, 2026

/remove-lifecycle stale

@openshift-ci openshift-ci Bot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 29, 2026
@gcs278 gcs278 force-pushed the OCPBUGS-63219-proxy-protocol-api branch from e6b120a to cff0427 Compare April 29, 2026 00:05
@gcs278 gcs278 mentioned this pull request Apr 29, 2026
Open
10 tasks
@gcs278 gcs278 marked this pull request as ready for review April 29, 2026 02:10
@openshift-ci openshift-ci Bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Apr 29, 2026
@gcs278
Copy link
Copy Markdown
Contributor Author

gcs278 commented Apr 29, 2026

/jira refresh

@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Apr 29, 2026
@openshift-ci-robot
Copy link
Copy Markdown

openshift-ci-robot commented Apr 29, 2026

@gcs278: This pull request references Jira Issue OCPBUGS-63219, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @anuragthehatter

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci Bot requested a review from anuragthehatter April 29, 2026 02:10
@gcs278
OCPBUGS-63219: Add clientIPPreservationMode to AWS NLB parameters
1fb56fc 
Add clientIPPreservationMode field to AWSNetworkLoadBalancerParameters
to control how client IP addresses are preserved. The field accepts
"Native" (uses AWS's native client IP preservation) and
"ProxyProtocol" (uses PROXY protocol v2, the new default).

When set to Native, the NLB target group has preserve_client_ip.enabled
set to true, which may cause hairpin connection failures for internal load
balancers when connections are made from pods to router pods on the same
node.

When set to ProxyProtocol, the NLB target group has
preserve_client_ip.enabled set to false and proxy_protocol_v2.enabled
set to true. This allows backends to receive the original client IP via
PROXY protocol headers while avoiding hairpin connection failures.

https://redhat.atlassian.net/browse/OCPBUGS-63219
@gcs278 gcs278 force-pushed the OCPBUGS-63219-proxy-protocol-api branch from cff0427 to 1fb56fc Compare April 29, 2026 13:43
@openshift-ci-robot
Copy link
Copy Markdown

openshift-ci-robot commented Apr 29, 2026

@gcs278: This pull request references Jira Issue OCPBUGS-63219, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @anuragthehatter

Details

In response to this:

Add clientIPPreservationMode field to AWSNetworkLoadBalancerParameters to control how client IP addresses are preserved. The field accepts "Native" (uses AWS's native client IP preservation) and "ProxyProtocol" (uses PROXY protocol v2, the new default).

When set to Native, the NLB target group has preserve_client_ip.enabled set to true, which may cause hairpin connection failures for internal load balancers when connections are made from pods to router pods on the same node.

When set to ProxyProtocol, the NLB target group has preserve_client_ip.enabled set to false and proxy_protocol_v2.enabled set to true. This allows backends to receive the original client IP via PROXY protocol headers while avoiding hairpin connection failures.

Why a new API field?

AWS NLBs have preserve_client_ip.enabled=true by default, which causes hairpin connection failures on internal NLBs when a pod sends traffic through the NLB and it routes back to the same node. The fix is to disable native client IP preservation and use PROXY protocol v2 instead — the same mechanism CLBs already use.

However, simply changing the default NLB behavior is not safe for existing clusters:

  • Users may have custom service load balancers or middleware between the NLB and HAProxy that don't understand PROXY protocol headers.
  • Enabling PROXY protocol changes how HAProxy processes incoming connections, which could break setups that depend on the current behavior.
  • Even though the risk is small, having an API field gives cluster admins an escape hatch to revert to the old behavior if something breaks.

An opt-in API field lets users explicitly choose ProxyProtocol when they need hairpin to work, while preserving the existing behavior for clusters that are working fine.

Why controller-managed defaults (not CRD defaults)?

Per the OpenShift API conventions for configuration APIs, IngressController fields should be defaulted in the controller rather than via +kubebuilder:default. This is because CRD defaults are applied on read — meaning a +kubebuilder:default would retroactively apply to existing IngressControllers on upgrade, changing their behavior without the user's knowledge.

Instead, the ingress operator defaults clientIPPreservationMode to ProxyProtocol for new IngressControllers only (gated with !alreadyAdmitted in setDefaultProviderParameters). Existing IngressControllers that were created before this field existed will have the field omitted, and the operator treats omitted as Native — preserving their current behavior with no change on upgrade.

The godoc uses the standard conventions wording to reserve the right to change the default in the future: "When omitted, this means the user has no opinion and the value is left to the platform to choose a good default, which is subject to change over time. The current default is ProxyProtocol."

Implementation PR: openshift/cluster-ingress-operator#1426

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci
Copy link
Copy Markdown
Contributor

openshift-ci Bot commented Apr 29, 2026

@gcs278: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@gcs278
Copy link
Copy Markdown
Contributor Author

gcs278 commented Apr 29, 2026

@JoelSpeed I was discussing with @Miciah and I'm going to write up a quick design doc for this API and the defaulting behavioral changes so we can discuss in more detail.

Feel free to review/comment in the meantime though.

@JoelSpeed
Copy link
Copy Markdown
Contributor

JoelSpeed commented Apr 29, 2026

/assign @yuqi-zhang

@gcs278
Copy link
Copy Markdown
Contributor Author

gcs278 commented Apr 30, 2026

/hold

While we discuss design details. But feel free to still review, or review my doc.

@openshift-ci openshift-ci Bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Apr 30, 2026
yuqi-zhang
yuqi-zhang reviewed May 5, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@yuqi-zhang yuqi-zhang left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let me know when the design is finalized - just some initial thoughts:

  1. the API definition itself looks fine, although simple, it would be best to have a few unit tests attached
  2. since this is introducing a new field to a stable API, the general expectation is that you would have a featuregate backing this, however
  3. it seems that you are doing this as a bugfix patch. Are you planning on backporting this to previous versions? We generally do not backport new API fields. Based on your description
AWS NLBs have preserve_client_ip.enabled=true by default, which causes hairpin connection failures on internal NLBs when a pod sends traffic through the NLB and it routes back to the same node. The fix is to disable native client IP preservation and use PROXY protocol v2 instead — the same mechanism CLBs already use.

I would expect previous versioned clusters running into this to find a way to do this via some manual method, if possible, instead of backporting a new API field and fix. This can serve as the fix for future clusters.

@bentito
Copy link
Copy Markdown
Contributor

bentito commented May 11, 2026

/assign @Miciah

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

@everettraven everettraven Awaiting requested review from everettraven

@JoelSpeed JoelSpeed Awaiting requested review from JoelSpeed

@anuragthehatter anuragthehatter Awaiting requested review from anuragthehatter

+1 more reviewer

@yuqi-zhang yuqi-zhang yuqi-zhang left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@Miciah Miciah

@yuqi-zhang yuqi-zhang

Labels

do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

7 participants

@gcs278 @openshift-ci-robot @openshift-bot @JoelSpeed @bentito @yuqi-zhang @Miciah