Known Issues


  • Minimum supported Kubernetes version is 1.17.
  • Submariner only supports kube-proxy in iptables mode. IPVS is not supported at this time.
  • CoreDNS is supported out of the box for *.clusterset.local service discovery. KubeDNS needs manual configuration. Please refer to the GKE Quickstart Guide for more information.
  • Clusters deployed with the Calico network plug-in require further configuration to be compatible with Submariner. Please refer to the Calico-specific deployment instructions.
  • The Gateway load balancer support is still experimental and needs more testing.
  • Submariner Gateway metrics submariner_gateway_rx_bytes and submariner_gateway_tx_bytes will not be collected when using the VXLAN cable driver.
  • Submariner currently only supports IPv4. IPv6 and dual-stack are not supported at this time.


  • Currently, Globalnet is not supported with the OVN network plug-in.
  • The subctl benchmark latency command is not compatible with Globalnet deployments at this time.
  • Submariner uses TCP port 8081 to export metrics on the Globalnet controller. While other metrics show up on OpenShift with no additional action from the user, this is not the case for Globalnet metrics at this time. Users need to ensure that the firewall configuration allows ingress on 8081/TCP on the Gateway nodes so that other nodes in the cluster can access it. Also, no other workload on those nodes should be listening on TCP port 8081.

Deploying with Helm on OpenShift

When deploying Submariner using Helm on OpenShift, Submariner's service accounts need to be granted the appropriate security context constraint (SCC), which the commands below set to privileged:

oc adm policy add-scc-to-user privileged system:serviceaccount:submariner:submariner-routeagent
oc adm policy add-scc-to-user privileged system:serviceaccount:submariner:submariner-gateway
oc adm policy add-scc-to-user privileged system:serviceaccount:submariner:submariner-globalnet

This is handled automatically by subctl and the Submariner addon.