C-VEN
Resolved Issues
C-VEN support report does not contain container workload firewalls (E-106932)
VEN support reports for C-VENs were missing the active firewall information for all container workloads. This issue is resolved. Support reports now include full firewalls from each network namespace, as gathered by
iptables-saveandipset listoutput.Conntrack tear-down for containers with policy updates (E-44832)
Although policy was changed to block a container workload from talking to another, traffic was still passing between the workloads, due to a conntrack connection remaining incorrectly active. This issue is resolved. Conntrack connections on sessions affected by a policy change are now properly torn down.
Known Issue
C-VENs not automatically cleaned up after AKS upgrade (E-103895)
After upgrading an AKS cluster, sometimes a few duplicate C-VENs might not be automatically removed as part of the normal upgrade process, and remain in the PCE as "non-active." Note there is no compromise to the security or other functionality of the product.
Workaround: Manually prune the extra unmigrated C-VENs from the PCE by clicking the Unpair button for each of them.