When upgrading from 4.7 to 4.8, an ovn-kubernetes cluster containing NetworkPolicies will leave stale ACLs around that will not get deleted, potentially causing connection failures later.
In theory the QE tests we added after bug 1914284 should catch this bug. That is, if you run the test case that was added for that bug, in an ovn-kube cluster across an upgrade from 4.7 to current 4.8, the test should fail. Actually... maybe not. You might have to add an extra step, where after the upgrade you edit one of the NetworkPolicies that was created before the upgrade (e.g., change the podSelector to no longer match the pods). The bug should cause that change to not take effect; the pods will still be able to connect even though the NP no longer matches them.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:3759