Bug 1973679

Summary: fix ovn-kubernetes NetworkPolicy 4.7->4.8 upgrade issue
Product: OpenShift Container Platform
Reporter: Dan Winship <danw>
Component: Networking
Assignee: Dan Winship <danw>
Networking sub component: ovn-kubernetes
QA Contact: Arti Sood <asood>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
CC: asood
Version: 4.9
Target Milestone: ---
Target Release: 4.9.0
Hardware: Unspecified
OS: Unspecified
Last Closed: 2021-10-18 17:35:44 UTC
Type: Bug
Bug Blocks: 1973672    

Description Dan Winship 2021-06-18 13:05:57 UTC
When upgrading from 4.7 to 4.8, an ovn-kubernetes cluster containing NetworkPolicies will leave stale ACLs around that will not get deleted, potentially causing connection failures later.

Comment 1 Dan Winship 2021-06-18 13:54:51 UTC
In theory the QE tests we added after bug 1914284 should catch this bug. That is, if you run the test case that was added for that bug, in an ovn-kube cluster across an upgrade from 4.7 to current 4.8, the test should fail.

Actually... maybe not. You might have to add an extra step, where after the upgrade you edit one of the NetworkPolicies that was created before the upgrade (e.g., change the podSelector to no longer match the pods). The bug should cause that change to not take effect; the pods will still be able to connect even though the NP no longer matches them.

Comment 11 errata-xmlrpc 2021-10-18 17:35:44 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:3759