Cisco Bug: CSCvs41278 - SNAT is applied to all Namespaces

Last Modified

Dec 11, 2019

Products (1)

  • Cisco Application Policy Infrastructure Controller (APIC)

Known Affected Releases

4.2(2g)

Description (partial)

Symptom:
If you create a SNAT policy like this:
---
apiVersion: aci.snat/v1
kind: SnatPolicy
metadata:
  name: snat-nettools
spec:
  selector:
    namespace: nettool

The expected behaviour is that ACI CNI will enable source NAT for every pod associated with an external service in the specified namespace.

This seems to work correctly in the cluster, as the "kubectl describe snatpolicy" output is correct (i.e. only the services in the specified namespace are listed); however, aci-container-controller will program the SNAT port ranges in every filter for the exposed services on APIC.

Conditions:
The SNAT policy selects only on the namespace.