When deploying OCP (3.11) on an OSP (13) environment, the namespace isolation is not enforced, since the connectivity between 2 namespaces succeeds when it shouldn't. This happens due to the usage of remote_group_id in Neutron security groups, which is affected by this bug: https://bugzilla.redhat.com/show_bug.cgi?id=1831044

Kuryr should avoid the usage of remote_group_id and use remote_ip_prefix instead in its security groups.
Verified in openshift-ansible-3.11.219 (2020-05-20.1) on top of OSP 13 2020-05-19.2. Namespace isolation is working as expected; the Tempest namespace isolation tests pass, and manual tests as well. Could not reproduce the issue described in https://bugzilla.redhat.com/show_bug.cgi?id=1831044

The security groups openshift-ansible-openshift.example.com-allow_from_default, openshift-ansible-openshift.example.com-allow_from_namespace, and the ones belonging to the load balancer's ports do not have a Remote Security Group.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:2215
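
The verification step above (confirming that the cluster's security groups carry no Remote Security Group) can be scripted. The following is an added example, not part of the original bug report or of Kuryr; it assumes input shaped like Neutron's `GET /v2.0/security-groups` response, and the IDs, CIDRs and the `-legacy` group in the sample are constructed.

```python
import json

# Constructed sample shaped like Neutron's GET /v2.0/security-groups response.
# IDs, CIDRs and the "-legacy" group are invented for illustration.
SAMPLE = json.loads("""
{"security_groups": [
 {"id": "sg-a", "name": "openshift-ansible-openshift.example.com-allow_from_default",
  "security_group_rules": [
   {"id": "r1", "direction": "ingress", "remote_group_id": null, "remote_ip_prefix": "10.11.0.0/24"},
   {"id": "r2", "direction": "egress", "remote_group_id": null, "remote_ip_prefix": null}]},
 {"id": "sg-b", "name": "openshift-ansible-openshift.example.com-legacy",
  "security_group_rules": [
   {"id": "r3", "direction": "ingress", "remote_group_id": "sg-a", "remote_ip_prefix": null}]},
 {"id": "sg-c", "name": "default",
  "security_group_rules": [
   {"id": "r4", "direction": "ingress", "remote_group_id": "sg-c", "remote_ip_prefix": null}]}
]}
""")


def audit_remote_groups(doc, name_prefix):
    """Return rules in groups named name_prefix* that reference a remote group."""
    groups = doc["security_groups"]
    names = {g["id"]: g["name"] for g in groups}
    findings = []
    for g in groups:
        if not g["name"].startswith(name_prefix):
            continue  # out of scope, e.g. the project's own "default" group
        for r in g.get("security_group_rules", []):
            remote = r.get("remote_group_id")
            if remote:
                findings.append({
                    "group": g["name"],
                    "rule": r["id"],
                    "direction": r["direction"],
                    # Fall back to the raw ID if the remote group is not in the listing.
                    "remote_group": names.get(remote, remote),
                })
    return findings


if __name__ == "__main__":
    prefix = "openshift-ansible-openshift.example.com-"
    for f in audit_remote_groups(SAMPLE, prefix):
        print("{group}: rule {rule} ({direction}) references {remote_group}".format(**f))
```

An empty result for the cluster's name prefix corresponds to the state described in the verification comment.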