Bug 1909777

Summary: Setting up multitenant network policy does not work with OVN-Kubernetes network plugin.
Product: OpenShift Container Platform
Reporter: Roman Kravtsov <mf.flip>
Component: Documentation
Assignee: Jason Boxman <jboxman>
Status: CLOSED CURRENTRELEASE
QA Contact: Arti Sood <asood>
Severity: urgent
Docs Contact: Vikram Goyal <vigoyal>
Priority: urgent
Version: 4.7
CC: aconstan, agomezpr, anusaxen, aos-bugs, bbennett, christoph.obexer, huirwang, jboxman, jnordell, joboyer, jokerman, mapandey, moddi, openshift-bugs-escalate, rbohne, rsandu, sbelmasg, skanakal, sreber, zzhao
Target Milestone: ---
Target Release: 4.7.0
Hardware: x86_64
OS: Linux
URL: https://docs.okd.io/latest/networking/network_policy/multitenant-network-policy.html
Last Closed: 2021-06-11 03:16:50 UTC
Type: Bug

Description Roman Kravtsov 2020-12-21 15:22:31 UTC
Document URL: https://docs.okd.io/latest/networking/network_policy/multitenant-network-policy.html

Describe the issue: Setting up multitenant network policy does not work with OVN-Kubernetes network plugin.

How reproducible: Always.

Steps to Reproduce:
1. Create project
2. In project from step 1 create an application with a Service that is exposed through a Route
3. Reproduce all steps described in documentation "Configuring multitenant isolation by using network policy"

Actual results: Route times out (i.e. the application is no longer accessible).

Expected results: Route works just as it did before applying network policy.

Comment 1 Jason Boxman 2020-12-21 18:16:53 UTC
So this doesn't work for OVN-Kubernetes? Is there a different approach we can document that does work?

It looks like in the meanwhile, we need a note that states that this procedure works only for OpenShift SDN?

Thanks!

Comment 7 Dan Winship 2021-01-04 17:34:21 UTC
Yes, the documented procedure currently only works for openshift-sdn. There is currently no good way to implement "allow from ingress" when using ovn-kubernetes. This is targeted to be fixed in 4.8 (https://issues.redhat.com/browse/SDN-1340). (The planned fix will make it so the existing doc is correct for both openshift-sdn and ovn-kubernetes. Specifically, it will fix ovn-kubernetes so the "matchLabels: { network.openshift.io/policy-group: ingress }" policy will work there too.)

Reassigning to Documentation to clarify the docs for 4.7.
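
For reference, the kind of policy pair this bug is about, written out as an added example (not part of the bug comments and not copied from the linked documentation). The policy names are assumptions; the selector label is the one quoted in Comment 7.

```yaml
# Added example; the metadata.name values are assumptions.
# Policy 1: select every pod in the project and admit ingress only
# from pods in the same namespace. Once this exists, any source not
# matched by some policy in the namespace is dropped.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector: {}
---
# Policy 2: admit ingress from namespaces carrying the label quoted in
# Comment 7. Per that comment, in 4.7 this rule has the intended
# "allow from ingress" effect only with openshift-sdn; with
# ovn-kubernetes the Route times out as described in the report.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-openshift-ingress
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          network.openshift.io/policy-group: ingress
```

Because the first policy isolates all pods in the project, an ingress rule that fails to match router traffic does not fail open: it surfaces as the Route timeout reported above.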

Comment 16 Jason Boxman 2021-03-16 05:22:22 UTC
So we've made some progress in this area on updating the documentation[0]. Does this help?

Thanks!

[0] https://github.com/openshift/openshift-docs/pull/29633