Tested this on 4.8.0-0.nightly-2021-08-11-223756

Steps:

1. Set up a cluster with the ovn plugin.

2. Create a new namespace z1 and create the test pods:
   oc create -f https://raw.githubusercontent.com/openshift/verification-tests/master/testdata/networking/list_for_pods.json

3. Create a network policy in this namespace:
   kind: NetworkPolicy
   apiVersion: networking.k8s.io/v1
   metadata:
     name: allow-same-namespace
   spec:
     podSelector: {}
     ingress:
     - from:
       - podSelector: {}

4. rsh into the master pod and check the acl and address set:
   # ovn-nbctl list acl | grep namespace=z1 -C 4
   _uuid               : ebf54c0c-1f16-42e4-9701-d6c2951185bb
   action              : allow-related
   direction           : to-lport
   external_ids        : {Ingress_num="0", ipblock_cidr="false", l4Match=None, namespace=z1, policy=allow-same-namespace, policy_type=Ingress}
   log                 : false
   match               : "ip4.src == {$a14577698995162000448} && outport == @a17264831995179924701"
   meter               : acl-logging
   name                : z1_allow-same-namespace_0
   priority            : 1001
   severity            : info

   sh-4.4# ovn-nbctl list address | grep a14577698995162000448 -B 4
   _uuid               : 08ebe2c9-d96f-495e-a08d-b544c69d0c23
   addresses           : ["10.129.2.26", "10.131.0.48", "172.30.141.98"]
   external_ids        : {name=z1.allow-same-namespace.ingress.0_v4}
   name                : a14577698995162000448

5. Create a fake record: update the above acl to reference a14577698995162000449 instead of a14577698995162000448.
   # ovn-nbctl set acl ebf54c0c-1f16-42e4-9701-d6c2951185bb 'match="ip4.src == {$a14577698995162000449} && outport == @a17264831995179924701"'

6. Create another address set:
   # ovn-nbctl create Address_Set name=a14577698995162000449 addresses=172.16.1.3 external_ids=name=z1.allow-same-namespace.ingress.0

   sh-4.4# ovn-nbctl list acl | grep a14577698995162000449 -C 6
   _uuid               : ebf54c0c-1f16-42e4-9701-d6c2951185bb
   action              : allow-related
   direction           : to-lport
   external_ids        : {Ingress_num="0", ipblock_cidr="false", l4Match=None, namespace=z1, policy=allow-same-namespace, policy_type=Ingress}
   log                 : false
   match               : "ip4.src == {$a14577698995162000449} && outport == @a17264831995179924701"
   meter               : acl-logging
   name                : z1_allow-same-namespace_0
   priority            : 1001
   severity            : info

   _uuid               : 1e406bed-2443-4035-9a4d-2af022336cce

   sh-4.4# ovn-nbctl list address | grep a14577698995162000449 -B 4
   _uuid               : 208b1229-89cd-4f19-bfc9-3f742ad1d970
   addresses           : ["172.16.1.3"]
   external_ids        : {name=z1.allow-same-namespace.ingress.0}
   name                : a14577698995162000449

7. Restart the ovnkube master pods.

8. Check that the ovn acl has already been updated back to the correct reference a14577698995162000448:
   # ovn-nbctl list acl | grep namespace=z1 -C 4
   _uuid               : ebf54c0c-1f16-42e4-9701-d6c2951185bb
   action              : allow-related
   direction           : to-lport
   external_ids        : {Ingress_num="0", ipblock_cidr="false", l4Match=None, namespace=z1, policy=allow-same-namespace, policy_type=Ingress}
   log                 : false
   match               : "ip4.src == {$a14577698995162000448} && outport == @a17264831995179924701"
   meter               : acl-logging
   name                : z1_allow-same-namespace_0
   priority            : 1001
   severity            : info

   However, the fake address record still exists:
   sh-4.4# ovn-nbctl list address | grep a14577698995162000449 -B 4
   _uuid               : 208b1229-89cd-4f19-bfc9-3f742ad1d970
   addresses           : ["172.16.1.3"]
   external_ids        : {name=z1.allow-same-namespace.ingress.0}
   name                : a14577698995162000449
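The check the reproduction above performs by hand (does every Address_Set in the NB DB still have an ACL that references it?) can be automated over the plain `ovn-nbctl list` output. The script below is an added example, not part of this bug report or of ovn-kubernetes; it parses the record format shown above and reports address sets that no ACL match expression references. The sample output is constructed from the records in the comment above, and the check only looks at ACL matches, so an address set used by other NB tables would also be reported.

```python
import re
from typing import Dict, List, Set

# Constructed sample of `ovn-nbctl list acl` output, trimmed to the fields
# the check needs (UUIDs and names copied from the reproduction above).
ACL_OUTPUT = """\
_uuid               : ebf54c0c-1f16-42e4-9701-d6c2951185bb
action              : allow-related
direction           : to-lport
external_ids        : {Ingress_num="0", namespace=z1, policy=allow-same-namespace}
match               : "ip4.src == {$a14577698995162000448} && outport == @a17264831995179924701"
name                : z1_allow-same-namespace_0
priority            : 1001
"""

# Constructed sample of `ovn-nbctl list address_set` output: the real set
# created by ovnkube plus the fake one created in step 6.
ADDRESS_SET_OUTPUT = """\
_uuid               : 08ebe2c9-d96f-495e-a08d-b544c69d0c23
addresses           : ["10.129.2.26", "10.131.0.48", "172.30.141.98"]
external_ids        : {name=z1.allow-same-namespace.ingress.0_v4}
name                : a14577698995162000448

_uuid               : 208b1229-89cd-4f19-bfc9-3f742ad1d970
addresses           : ["172.16.1.3"]
external_ids        : {name=z1.allow-same-namespace.ingress.0}
name                : a14577698995162000449
"""

# Address sets appear in match expressions as $<name>; port groups use @<name>.
ADDR_SET_REF = re.compile(r"\$(a\d+)")


def parse_records(text: str) -> List[Dict[str, str]]:
    """Split `ovn-nbctl list <table>` output into blank-line separated records,
    each a dict of the "key : value" lines (value kept verbatim)."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records


def referenced_address_sets(acl_text: str) -> Set[str]:
    """Every $aNNN address-set name used by some ACL match expression."""
    refs: Set[str] = set()
    for acl in parse_records(acl_text):
        refs.update(ADDR_SET_REF.findall(acl.get("match", "")))
    return refs


def stale_address_sets(acl_text: str, addr_text: str) -> List[str]:
    """Names of address sets present in the NB DB but unreferenced by any ACL."""
    refs = referenced_address_sets(acl_text)
    return sorted(a["name"] for a in parse_records(addr_text) if a["name"] not in refs)


if __name__ == "__main__":
    for name in stale_address_sets(ACL_OUTPUT, ADDRESS_SET_OUTPUT):
        print("unreferenced address set:", name)
```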
I checked PR https://github.com/openshift/ovn-kubernetes/pull/635/files#diff-10e844883fb71e6b364c9039e12867797bf643a9189a82fdd2715d2ecc9b2fd8R12; the old address-set should be removed. Please confirm this? Thanks.
@zzhao the correct hashed name for z1.allow-same-namespace.ingress.0 is a9512858319328250577 not a14577698995162000449. See https://play.golang.org/p/-UOyx0RHkQb. Can you try with a9512858319328250577?
OpenShift engineering has decided to NOT ship 4.8.6 on 8/23 due to the following issue: https://bugzilla.redhat.com/show_bug.cgi?id=1995785. All the fixes that were part of it will now be included in 4.8.7 on 8/30.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.8.9 bug fix), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:3247
Supplying doc text from the 4.8.9 Release Notes to test RN query steps.