Bug 1976242

Summary: [4.7.z backport] Upgrade from Openshift 4.5 -> 4.6 Results in Orphaned Address sets
Product: OpenShift Container Platform Reporter: Antoni Segura Puimedon <asegurap>
Component: NetworkingAssignee: Jaime CaamaƱo Ruiz <jcaamano>
Networking sub component: ovn-kubernetes QA Contact: Anurag saxena <anusaxen>
Status: CLOSED ERRATA Docs Contact:
Severity: high    
Priority: unspecified CC: akaris, anusaxen, arajapa, astoycos, bhershbe, jcaamano, pablo.iranzo, sgordon, yjoseph, zzhao
Version: 4.8   
Target Milestone: ---   
Target Release: 4.7.z   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Cause: Address set naming convention used in OVN-Kubernetes changed from 4.5 to 4.6 but migration to the new naming convention of existing address sets through an upgrade was not handled. Consequence: Network policies created in 4.5 with namespace selector criteria for their ingress or egress sections might not work correctly in 4.6 or later releases due to the fact that rely on matching old address sets that were not being kept updated with the pod IPs within such namespaces. These policies might allow or drop unexpected traffic. Workaround is to remove and recreate these policies. Fix: On OVN-Kubernetes upgrade to fixed version, address sets with old naming convention are removed and policy ACLs referencing this old address sets are updated referencing the address sets following the new naming convention. Result: Affected network policies created in 4.5 should start working correctly again after upgrade.
 Story Points: ---
Clone Of: 1976241 Environment:
Last Closed: 2021-09-08 13:17:53 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1976241    
Bug Blocks:    

Comment 6 errata-xmlrpc 2021-09-08 13:17:53 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.29 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:3303