Bug 1934737 - ovn-kubernetes breaks with endpointstrategy: nodeportservice. iptables sends all traffic back to ingress router
Keywords:
Status: CLOSED DUPLICATE of bug 1928164
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.6
Hardware: All
OS: Linux
Priority: unspecified
Severity: urgent
Target Milestone: ---
Target Release: 4.8.0
Assignee: Alexander Constantinescu
QA Contact: Anurag saxena
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-03-03 18:34 UTC by Josef Meier
Modified: 2021-03-17 10:30 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-03-10 16:29:13 UTC
Target Upstream Version:
Embargoed:



Description Josef Meier 2021-03-03 18:34:53 UTC
Hi,

today we migrated from OpenShiftSDN to OVNKubernetes. We use NetworkPolicies to separate traffic between namespaces and were hoping that we can use them again with OVNKubernetes.

What we learned today is that NetworkPolicies don't work with OVNKubernetes, if the Router is working with "Endpointstrategy: HostNetwork".

So we followed the instructions in the docs and changed the Endpointstrategy to NodePortService in the IngressController CR.

Before that, we had set the NodePort range from 30000-... to 1-65535 so we can set the Ingress NodePort to 443 (our external LoadBalancer listens on this port).

Afterwards the NetworkPolicies worked again. 

But we had several new problems: Pulling images from docker.io or quay.io did not work. We sshed into our masters and workers and tried to curl google.de, but we got the default application page from the OpenShift Router (??).

Further investigation showed that all network traffic to port 443 was forwarded to the OpenShift router by an iptables rule.

We saw this issue in ovn-kubernetes that describes our problem rather well:

https://github.com/ovn-org/ovn-kubernetes/issues/1981

The issue should already be fixed upstream.

Because we can't use NetworkPolicies on OVNKubernetes and switching back to OpenShiftSDN is not an option in our setup, we are urgently waiting for a solution to this problem on OpenShift 4.6.

How to reproduce:
- use network plugin OVNKubernetes
- switch endpointstrategy to: nodeportservice
- set range of nodeports to 1-65535 in network CR.
- set the nodeport of the default ingress service to port 443
- try to curl google.com from one of the nodes. You will get the default application page from the OpenShift router instead of the google.com html code.

Thanks and greetings,

Josef
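The symptom above (every outbound connection to port 443 answered by the router) comes from a NodePort DNAT rule that matches on the destination port alone. The following node-side audit is an added example, not part of the bug report or of ovn-kubernetes: it reads iptables-save output and lists NodePort DNAT rules that lack a destination restriction. It assumes the chain name OVN-KUBE-NODEPORT and treats `-d <ip>` or `-m addrtype --dst-type LOCAL` as the scoping that a correct rule should carry; the sample rules are constructed, not captured from a real node.

```shell
#!/bin/sh
# Added example: flag NodePort DNAT rules in the nat table that redirect
# traffic by --dport only, i.e. without -d <ip> or --dst-type LOCAL.
# Such a rule catches connections *leaving* the node on that port, which
# is why curl to an external host on 443 lands on the ingress router.
# Input: iptables-save on stdin. Output: one offending rule per line.
# Assumption: OVN-KUBE-NODEPORT is the chain ovn-kubernetes uses here.

find_unscoped_nodeport_dnat() {
    awk '
        /^\*/          { table = substr($0, 2) }   # *nat, *filter, ...
        table != "nat" { next }
        $1 == "-A" && $2 == "OVN-KUBE-NODEPORT" && /-j DNAT/ && /--dport/ {
            if ($0 !~ /(^| )-d / && $0 !~ /--dst-type LOCAL/) print
        }
    '
}

# Constructed sample of iptables-save output (not from a real node).
# Rule 1 is unscoped (the bug); rules 2 and 3 restrict the destination.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:OVN-KUBE-NODEPORT - [0:0]
-A PREROUTING -j OVN-KUBE-NODEPORT
-A OUTPUT -j OVN-KUBE-NODEPORT
-A OVN-KUBE-NODEPORT -p tcp -m tcp --dport 443 -j DNAT --to-destination 172.30.0.10:443
-A OVN-KUBE-NODEPORT -p tcp -m addrtype --dst-type LOCAL -m tcp --dport 80 -j DNAT --to-destination 172.30.0.10:80
-A OVN-KUBE-NODEPORT -d 10.0.0.5/32 -p tcp -m tcp --dport 8443 -j DNAT --to-destination 172.30.0.11:8443
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT'

# Number of unscoped rules in the sample (expected: 1).
count_unscoped() {
    printf '%s\n' "$SAMPLE_RULES" | find_unscoped_nodeport_dnat | wc -l | tr -d ' '
}

# On a real node: iptables-save | find_unscoped_nodeport_dnat
printf '%s\n' "$SAMPLE_RULES" | find_unscoped_nodeport_dnat
```

A non-empty result on a node means host-originated traffic to that port is being DNATed to the service backend; the upstream fix referenced in this report restricts the rule to the node's own addresses.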

Comment 2 Alexander Constantinescu 2021-03-10 16:29:13 UTC

*** This bug has been marked as a duplicate of bug 1928164 ***
