/test pull-kubernetes-e2e-gci-gce-ipvs

/assign @andrewsykim @uablrek

This solves all the test failures reported in #92553

I0628 16:24:49.389] FAIL! -- 757 Passed | 1 Failed | 0 Pending | 4355 Skipped

and gives us back to the original situation reported in, with the flexvolume test failure #91253

I0628 16:24:49.388] [Fail] [sig-storage] Flexvolumes [It] should be mountable when non-attachable 
I0628 16:24:49.388] test/e2e/framework/volume/fixtures.go:502

@danwinship added this fix to solve the double natting problem, I tried to backtrace the problem but seems that IPVS uses ipset too and I wasn't able to find out the problem , so reverting the change only in IPVS will solve the issue

/priority urgent-critical
This breaks kube-proxy in IPVS mode

/test pull-kubernetes-e2e-kind-ipv6
/test pull-kubernetes-e2e-gci-gce-ipvs

@aojea: The label(s) priority/urgent-critical cannot be applied, because the repository doesn't have them

@aojea catching up on this. So we're reverting the double-nat fix for IPVS only since it used ipset and was not impacted?

@aojea catching up on this. So we're reverting the double-nat fix for IPVS only since it used ipset and was not impacted?

I don't know if it was impacted, sorry, didn't go so far understanding the ipset - iptables relationship, however, with the fix in IPVS is broken per the test results.

I think that we should follow up and verify if the double-nat fix is needed for IPVS, but have it working until then.

/retest
it works 😄

pull-kubernetes-e2e-gci-gce-ipvs — Job succeeded.

/retest

/retest

@aojea I think part of the problem is because RETURN rule in KUBE-POSTROUTING break the loop back logic.

Chain KUBE-POSTROUTING (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0            mark match ! 0x4000/0x4000
MARK       all  --  0.0.0.0/0            0.0.0.0/0            MARK xor 0x4000
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0            /* kubernetes service traffic requiring SNAT */
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0            /* Kubernetes endpoints dst ip:port, source ip for solving hairpin purpose */ match-set KUBE-LOOP-BACK dst,dst,src

However, I think straightly revert the double-nat fix is not a good idea, maybe move KUBE-LOOP-BACK up could be an option.

However, I think straightly revert the double-nat fix is not a good idea, maybe move KUBE-LOOP-BACK up could be an option.

agree that the best solution is to solve it, but right now IPVS mode is broken and I don't know if the double-nat issue with the random-fully flag is affecting IPVS, but if it does affect, it's only in some specific scenarios, we can see that all the test succeed now.

Honestly, I don't have more time to investigate 😅 , seems this logic was added here #54219 , my suggestion is to merge this, fix the job and IPVS so we can have a good test signal, and open a new Issue to solve/understand the double-nat issue in IPVS.

However, I think straightly revert the double-nat fix is not a good idea, maybe move KUBE-LOOP-BACK up could be an option.

agree that the best solution is to solve it, but right now IPVS mode is broken and I don't know if the double-nat issue with the random-fully flag is affecting IPVS, but if it does affect, it's only in some specific scenarios, we can see that all the test succeed now.

Honestly, I don't have more time to investigate 😅 , seems this logic was added here #54219 , my suggestion is to merge this, fix the job and IPVS so we can have a good test signal, and open a new Issue to solve/understand the double-nat issue in IPVS.

Agree.

There were definitely people using IPVS in various places in the sprawling tangle of bug reports related to the random-fully/checksum problem.

I think part of the problem is because RETURN rule in KUBE-POSTROUTING break the loop back logic.

maybe move KUBE-LOOP-BACK up could be an option.

er, yeah, my fix assumed that kubelet and kube-proxy were creating identical KUBE-POSTROUTING rules.

This will hopefully eventually get fixed as part of #82125 but yes, it seems like for now just moving the KUBE-LOOP-BACK rule should fix this

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: andrewsykim, aojea

The full list of commands accepted by this bot can be found here.

The pull request process is described here

/hold cancel
flexvolume commit removed

@Lion-Wei do you mind lgtm again?

/retest
the ipvs job failure is because the flexvolume test only

@aojea Not at all.
/lgtm

/retest
🤔

I thought the flex volume tests were failing because quay.io was down but that seemed to be fixed now #91242 ?

Maybe we just need to update to use the staging CI image for quay? @BenTheElder might know?

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

I don't think root cause of flex volume test failing in this job is known. It's passing in normal k8s ci, so I suspect it is related to the configuration of this job.

This line from the test log is potentially suspicious and indicates that the test is trying to use IPs.

Jul  1 15:50:26.384: INFO: Getting external IP address for e2e-bc0cae53a3-2e794-minion-group-mxnp

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

@aojea: The following test failed, say /retest to rerun all failed tests:

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel or /hold comment for consistent failures.