When I'm trying to add machines to an external network (that doesn't belong to my tenant), I see the following error from cluster-api-provider-openstack:

W0318 22:10:59.996899 1 controller.go:321] Failed to create machine "mfedosin-tw4hb-worker-trmkx": error creating Openstack instance: Failed to create port err: Create port for server err: Request forbidden: [POST https://rhos-d.infra.prod.upshift.rdu2.redhat.com:13696/v2.0/ports], error message: {"NeutronError": {"message": "(rule:create_port and (rule:create_port:allowed_address_pairs and (rule:create_port:allowed_address_pairs:ip_address and rule:create_port:allowed_address_pairs:ip_address and rule:create_port:allowed_address_pairs:ip_address))) is disallowed by policy", "type": "PolicyNotAuthorized", "detail": ""}}

This happens because CAPO doesn't differentiate between private and external networks and always tries to set allowed_address_pairs for ports.
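
The 403 body in the log above names the policy rules Neutron refused. As an added example (not part of the original report and not CAPO's code), this Go program extracts the denied port attributes from such a body; the name DeniedPortAttributes and the reading of rule names as action:attribute:sub-attribute are assumptions based on the message shown.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Error body copied from the log line in the report above.
const sampleBody = `{"NeutronError": {"message": "(rule:create_port and (rule:create_port:allowed_address_pairs and (rule:create_port:allowed_address_pairs:ip_address and rule:create_port:allowed_address_pairs:ip_address and rule:create_port:allowed_address_pairs:ip_address))) is disallowed by policy", "type": "PolicyNotAuthorized", "detail": ""}}`

type neutronError struct {
	NeutronError struct {
		Message string `json:"message"`
		Type    string `json:"type"`
	} `json:"NeutronError"`
}

// Matches policy rule names such as rule:create_port:allowed_address_pairs.
var ruleRe = regexp.MustCompile(`rule:([a-z_]+(?::[a-z_]+)*)`)

// DeniedPortAttributes (hypothetical helper) lists, without duplicates, the
// request attributes named by the rules in a PolicyNotAuthorized error body.
func DeniedPortAttributes(body string) ([]string, error) {
	var ne neutronError
	if err := json.Unmarshal([]byte(body), &ne); err != nil {
		return nil, fmt.Errorf("not a Neutron error body: %w", err)
	}
	if ne.NeutronError.Type != "PolicyNotAuthorized" {
		return nil, nil // some other failure: no policy rules to report
	}
	seen := map[string]bool{}
	var attrs []string
	for _, m := range ruleRe.FindAllStringSubmatch(ne.NeutronError.Message, -1) {
		parts := strings.Split(m[1], ":") // assumed: action[:attribute[:sub-attribute]]
		if len(parts) < 2 || seen[parts[1]] {
			continue // a bare action such as create_port names no attribute
		}
		seen[parts[1]] = true
		attrs = append(attrs, parts[1])
	}
	return attrs, nil
}

func main() {
	attrs, err := DeniedPortAttributes(sampleBody)
	fmt.Println(attrs, err)
}
```
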
Postpone it until https://github.com/openshift/installer/pull/3291 is merged.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:2409