Multitenant isolated ExternalIP is not reachable from other namespaces after OVN migration
Environment
- Red Hat OpenShift Container Platform (OCP) 4.16
- OVN-Kubernetes
Issue
- When using NetworkPolicies to emulate multitenant isolated namespaces, Services using an ExternalIP are not reachable from other namespaces after OVN migration.
- Services of type: LoadBalancer are not reachable from other namespaces after migrating to OVN.
Resolution
- Red Hat is aware of this difference in behaviour and is aiming to document this behaviour change: OCPBUGS-36951
- Add a NetworkPolicy to allow access from another namespace to the affected namespace. The policy below admits traffic from any namespace carrying the label selected by namespaceSelector (here example-label: example), so the calling namespace must be labelled accordingly:

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-access-from-other-namespace
  namespace: postgresql
spec:
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          example-label: example
  podSelector: {}
  policyTypes:
  - Ingress
```
Root Cause
- The behavior of NetworkPolicy with respect to Services of type LoadBalancer is not well-defined. Both the OpenShift SDN and the OVN-Kubernetes behavior here are permissible according to the specification.
Diagnostic Steps
- When using the standard multitenant isolated NetworkPolicies described in the documentation (allow-same-namespace, allow-from-kube-apiserver-operator, allow-from-openshift-monitoring, allow-from-openshift-ingress) in a new namespace, the following will not work as expected:

```shell
oc create deployment foo --image=quay.io/fedora/fedora -- python3 -m http.server
oc create service clusterip foo --tcp=8000
oc patch svc foo --type merge --patch '{"spec":{"type":"LoadBalancer"}}'
oc new-project bar
oc debug -- curl -sLo /dev/null -w '%{http_code}\n' <EXTERNAL-IP>:8000
```
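The following is an added example, not part of the Red Hat solution above: a small Python model of Kubernetes NetworkPolicy ingress semantics, used to show why the multitenant isolation policies deny a pod in the diagnostic namespace bar from reaching a pod in postgresql, and why the policy from the Resolution only opens access once the source namespace carries the selected label. The policies, namespaces and pod labels are constructed inline; the allow-from-openshift-ingress label value is assumed from the documented policy and should be checked against the cluster. The model covers matchLabels, podSelector and namespaceSelector peers only (no ipBlock or matchExpressions), and it says nothing about how OVN-Kubernetes attributes the source of traffic arriving via a LoadBalancer or ExternalIP, which is the behaviour difference the page describes.

```python
# Added example (not from the Red Hat solution): a toy evaluator for
# Kubernetes NetworkPolicy ingress rules. All policies and workloads below
# are constructed for the demonstration.

def labels_match(selector, labels):
    """True if every matchLabels pair in `selector` is present in `labels`.
    An empty selector ({}) matches everything, as in Kubernetes."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_allows(peer, src, dst_ns):
    """Evaluate one entry of an ingress rule's `from` list against a source pod.
    `src` is a dict with keys ns, ns_labels and pod_labels."""
    ns_sel = peer.get("namespaceSelector")
    pod_sel = peer.get("podSelector")
    if ns_sel is None and pod_sel is None:
        return False  # ipBlock peers are not modelled here
    # A podSelector without a namespaceSelector is scoped to the policy's own namespace.
    ns_ok = labels_match(ns_sel, src["ns_labels"]) if ns_sel is not None else src["ns"] == dst_ns
    pod_ok = pod_sel is None or labels_match(pod_sel, src["pod_labels"])
    return ns_ok and pod_ok


def ingress_allowed(policies, dst_ns, dst_pod_labels, src):
    """Return True if a connection from `src` to a pod (dst_ns, dst_pod_labels) is
    permitted. Policies are additive: any one matching rule allows. If no policy
    selects the destination pod, everything is allowed (the Kubernetes default)."""
    selecting = [
        p for p in policies
        if p["metadata"]["namespace"] == dst_ns
        and labels_match(p["spec"].get("podSelector", {}), dst_pod_labels)
        and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
    ]
    if not selecting:
        return True
    for p in selecting:
        for rule in p["spec"].get("ingress", []):
            if not rule.get("from"):
                return True  # a rule with no `from` admits all sources
            if any(peer_allows(peer, src, dst_ns) for peer in rule["from"]):
                return True
    return False


def policy(name, ns, ingress, pod_selector=None):
    """Build a NetworkPolicy dict in the shape of the YAML on this page."""
    return {
        "metadata": {"name": name, "namespace": ns},
        "spec": {"podSelector": pod_selector or {}, "ingress": ingress, "policyTypes": ["Ingress"]},
    }


# Two of the documented multitenant-isolation policies for namespace "postgresql".
# The ingress namespace label is assumed from the documented policy (verify on the cluster);
# the kube-apiserver-operator and monitoring policies are omitted for brevity.
MULTITENANT = [
    policy("allow-same-namespace", "postgresql", [{"from": [{"podSelector": {}}]}]),
    policy("allow-from-openshift-ingress", "postgresql",
           [{"from": [{"namespaceSelector": {"matchLabels": {"policy-group.network.openshift.io/ingress": ""}}}]}]),
]

# The policy from the Resolution section of this page.
ALLOW_FROM_OTHER_NS = policy(
    "allow-access-from-other-namespace", "postgresql",
    [{"from": [{"namespaceSelector": {"matchLabels": {"example-label": "example"}}}]}],
)

DB_POD = {"app": "postgresql"}  # constructed labels of the destination pod


def check_scenarios():
    """Run the cross-namespace scenarios from this page and return allow/deny per case."""
    bar_unlabelled = {"ns": "bar", "ns_labels": {}, "pod_labels": {"app": "curl"}}
    bar_labelled = {"ns": "bar", "ns_labels": {"example-label": "example"}, "pod_labels": {"app": "curl"}}
    same_ns = {"ns": "postgresql", "ns_labels": {}, "pod_labels": {"app": "client"}}
    with_fix = MULTITENANT + [ALLOW_FROM_OTHER_NS]
    return {
        "no_policies": ingress_allowed([], "postgresql", DB_POD, bar_unlabelled),
        "same_namespace": ingress_allowed(MULTITENANT, "postgresql", DB_POD, same_ns),
        "isolated_cross_ns": ingress_allowed(MULTITENANT, "postgresql", DB_POD, bar_unlabelled),
        "fix_without_label": ingress_allowed(with_fix, "postgresql", DB_POD, bar_unlabelled),
        "fix_with_label": ingress_allowed(with_fix, "postgresql", DB_POD, bar_labelled),
    }


if __name__ == "__main__":
    for name, allowed in check_scenarios().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
```

The fix_without_label case is the one to watch when applying the Resolution: creating the NetworkPolicy alone changes nothing until the calling namespace is labelled (for the diagnostic namespace, `oc label namespace bar example-label=example`), and any namespace given that label gains the same access, so the label is effectively the grant.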
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.