Document URL: https://docs.okd.io/latest/networking/network_policy/multitenant-network-policy.html

Describe the issue: Setting up multitenant network policy does not work with OVN-Kubernetes network plugin.

How reproducible: Always.

Steps to Reproduce:
1. Create project
2. In project from step 1 create an application with a Service that is exposed through a Route
3. Reproduce all steps described in documentation "Configuring multitenant isolation by using network policy"

Actual results: Route times out (i.e. the application is no longer accessible).

Expected results: Route works just as it did before applying network policy.
So this doesn't work for OVN-Kubernetes? Is there a different approach we can document that does work? It looks like in the meanwhile, we need a note that states that this procedure works only for OpenShift SDN? Thanks!
Yes, the documented procedure currently only works for openshift-sdn. There is currently no good way to implement "allow from ingress" when using ovn-kubernetes. This is targeted to be fixed in 4.8 (https://issues.redhat.com/browse/SDN-1340). (The planned fix will make it so the existing doc is correct for both openshift-sdn and ovn-kubernetes. Specifically, it will fix ovn-kubernetes so the "matchLabels: { network.openshift.io/policy-group: ingress }" policy will work there too.) Reassigning to Documentation to clarify the docs for 4.7.
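For reference, the policy set that the documented procedure creates, reconstructed here as an added example (not text from this thread or from the OKD docs; the policy names, the `openshift-monitoring` selector and the target project name `myproject` are assumptions). The first policy is the one whose `network.openshift.io/policy-group: ingress` selector the comment above says OVN-Kubernetes does not honour, which is why the Route times out once all three are applied:

```yaml
# Assumed target project; the policies apply to every pod in it (podSelector: {}).
# 1. Allow traffic from the router pods in the openshift-ingress namespace.
#    On OVN-Kubernetes (before the SDN-1340 fix) this selector does not match
#    the ingress namespace, so Route traffic is dropped once a policy exists.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-openshift-ingress
  namespace: myproject
spec:
  podSelector: {}
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          network.openshift.io/policy-group: ingress
  policyTypes:
  - Ingress
---
# 2. Allow Prometheus scrapes from the monitoring namespace (label assumed).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-openshift-monitoring
  namespace: myproject
spec:
  podSelector: {}
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          network.openshift.io/policy-group: monitoring
  policyTypes:
  - Ingress
---
# 3. Allow pods in the project to reach each other; an empty podSelector in
#    "from" selects all pods of the policy's own namespace. Because at least
#    one Ingress policy now selects every pod, all other ingress is denied.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace
  namespace: myproject
spec:
  podSelector: {}
  ingress:
  - from:
    - podSelector: {}
  policyTypes:
  - Ingress
```

A quick check before applying these is whether any namespace on the cluster actually carries the label the first policy selects, e.g. `oc get ns -l network.openshift.io/policy-group=ingress`; an empty result means the policy will admit no router traffic.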
So we've made some progress in this area on updating the documentation[0]. Does this help? Thanks! [0] https://github.com/openshift/openshift-docs/pull/29633