An externalIP of Service not reachable from other namespaces within the same cluster after OVN migration

Solution Verified - Updated 13 May 2025

Environment

OpenShift Container Platform
OpenShift-SDN using network policy (netpol) mode and configured to setup This content is not included.multitenant isolated network
A service with externalTrafficPolicy (ETP) set to 'Local'

Issue

After a migration from OpenShift-SDN to OVN-Kubernetes a project was unable to reach an IP address that belongs to an externalIP set by other project on the same cluster.

Resolution

There are two options:

Add an additional network ingress policy that define the application port used to access it.
As an alternative, if is suitable for your use case set the externalTrafficPolicy to 'Cluster'.

Root Cause

The configuration of multienant network policy show on our documentation creates a set of network policies that behaves like OpenShift-SDN configured in multitenant mode.
This configuration does not translate perfectly on OVN-Kubernetes (OVN-K) as there are some small differences in how traffic is handled because it relies less on iptables and linux default network stack.

Diagnostic Steps

After the migration from OpenShift SDN to OVN-Kubernetes is completed there are at least one specific service using externalTrafficPolicy type local is not reachable.
Check that the namespace have a set of network policies associated as is documented here

SBR

Shift Networking

Product(s)

Red Hat OpenShift Container Platform

Components

Category

Configure

Tags

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.