It was found that the Egress Firewall in OVN-Kubernetes does not reliably apply firewall rules when there are multiple DNS rules. When adding EgressFirewalls with 5 or so dnsNames, it is probable that a deadlock will occur. This can lead to a situation where the effective firewall rules differ from what is expected.
Acknowledgments: Name: Michael Swenson (Red Hat)
Statement: In OpenShift Container Platform 4 the default Container Network Interface (CNI) network provider plug-in is OpenShift SDN, and it's not affected by this flaw. Only the OVN-Kubernetes CNI network provider is affected.
upstream PR: https://github.com/ovn-org/ovn-kubernetes/pull/2169
Used fixcvename on RHBA-2021:1550. This was fixed in 4.7.10 but only shipped in 4.7.11 with container ose-ovn-kubernetes-container-v4.7.0-202105071917.p0
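
To find which namespaces match the condition in the flaw description above, the following added example (not code from this advisory or from the OVN-Kubernetes project) counts `dnsName` rules per EgressFirewall in JSON shaped like `oc get egressfirewall -A -o json` output. The sample objects are constructed, the function names are hypothetical, and the cut-off of 5 is an assumption taken from the "5 or so dnsNames" wording.

```python
import json

# Heuristic tiers taken from the description: "multiple dns rules" and
# "5 or so dnsNames". The exact cut-off of 5 is an assumption.
LIKELY_THRESHOLD = 5


def _fw(ns, *targets):
    """Build a constructed EgressFirewall object (k8s.ovn.org/v1 shape)."""
    egress = [{"type": "Allow", "to": {"dnsName": t}} for t in targets]
    egress.append({"type": "Deny", "to": {"cidrSelector": "0.0.0.0/0"}})
    return {"apiVersion": "k8s.ovn.org/v1", "kind": "EgressFirewall",
            "metadata": {"name": "default", "namespace": ns},
            "spec": {"egress": egress}}


# Constructed sample in the shape of `oc get egressfirewall -A -o json`.
SAMPLE = json.dumps({"items": [
    _fw("team-a", *[f"api{i}.example.com" for i in range(6)]),
    _fw("team-b", "repo.example.com", "cdn.example.com"),
    _fw("team-c", "mirror.example.com"),
    _fw("team-d"),  # CIDR-only policy, no DNS rules
]})


def dns_names(fw):
    """Return the dnsName targets of one EgressFirewall, in rule order."""
    rules = (fw.get("spec") or {}).get("egress") or []
    return [r["to"]["dnsName"] for r in rules
            if (r.get("to") or {}).get("dnsName")]


def audit(doc, likely=LIKELY_THRESHOLD):
    """List (namespace, dnsName count, tier) for firewalls with 2+ DNS rules."""
    findings = []
    for fw in json.loads(doc).get("items", []):
        count = len(dns_names(fw))
        if count < 2:
            continue  # a single DNS rule is outside the described condition
        tier = "likely" if count >= likely else "possible"
        findings.append((fw["metadata"]["namespace"], count, tier))
    return sorted(findings, key=lambda f: -f[1])


if __name__ == "__main__":
    for ns, count, tier in audit(SAMPLE):
        print(f"{ns}: {count} dnsName rules ({tier} exposure before the fix)")
```

On clusters running the OVN-Kubernetes provider at a version earlier than the fixed release, namespaces reported here are the ones whose effective egress rules are worth verifying.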