Document URL: https://access.redhat.com/documentation/en-us/openshift_container_platform/4.7/html/networking/ovn-kubernetes-default-cni-network-provider
Section Number and Name:
14.2.2. Migrating to the OVN-Kubernetes default CNI network provider
Describe the issue:
Customer followed the instructions to switch the SDN on our OpenShift 4.7 cluster to OVN-Kubernetes. Everything went fine until he converted his EgressNetworkPolicy objects to EgressFirewall and then some components started failing to speak to the API server (including builds hanging).
1. On both the customer's old AWS cluster (4.7) that he converted to OVN-Kubernetes and a brand new AWS cluster (4.7), when he created EgressFirewall objects with a whitelist of allowed IPs, access to the API server is blocked from pods in those projects. This is different from the behaviour of EgressNetworkPolicy, where access to the API server was implicitly granted. With EgressFirewall he needs to manually add the IP addresses of the API servers, which is not documented and possibly fragile as they may change in the future.
2. This is quite difficult for him to do as the cluster is disconnected, but he can supply a smaller amount of output.
3. EgressNetworkPolicy always allowed access to the API server. EgressFirewall doesn't. Therefore the two are not compatible. At the very least there needs to be a warning in the documentation.
Pablo Alonso Rodriguez also did some tests in the cluster, but the connection to the API fails, so this confirms the issue is there even for us.
Suggestions for improvement: Needs a good explanation describing the compatibility; at least we need to have a warning message in the documentation.
I've created a PR to include this in the product documentation. Did I suggest the correct IP ranges? Does a user need to interrogate their cluster for their own specific IP address ranges for this? Thanks!
Do we have any concrete update on this, please, so that I can update the customer?
The doc needs to be updated, but we also have a bug for the OVN EgressFirewall; as Huiran Wang mentioned, the API service IP should not be blocked by the EgressFirewall.
Thanks in advance for your help.
I have a customer who has tried to implement the EgressNetworkPolicy in their OVN cluster by referring to the official documentation. As per the workaround suggested in this Bugzilla, we have to manually add the IP address range that the API servers listen on in the egress firewall rules. But this is only a workaround and not a fix for the issue for which this Bugzilla was raised. A proper resolution of the Bugzilla could be a "solution of errata" so that in the upcoming versions, the customers don't have to manually do this task of adding IP address ranges. So, can you please let me know what is the present status of the Bugzilla? Are we still working on this issue? Any expected timeline, when this issue will be resolved?
Let me know if you need any further data from the customer's environment.
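The workaround discussed in this bug, worked through as an added example (not part of the bug report or of the product documentation): a small offline Python check that evaluates an EgressFirewall spec the way OVN-Kubernetes does (rules in order, first match applies), shows why a whitelist followed by a catch-all Deny blocks the API server endpoints, and builds the corrected spec with Allow rules for those endpoints placed first. The API server endpoint IPs, the namespace and the whitelisted range are constructed placeholders; on a real cluster the endpoint IPs come from `oc get endpoints kubernetes -n default`, and they can change, which is the fragility the reporter points out.

```python
"""Offline check of an OVN-Kubernetes EgressFirewall spec against the cluster
API server endpoints. Constructed example; not from the bug or the docs."""
import ipaddress

# Constructed placeholder IPs. On a real cluster read them from
# `oc get endpoints kubernetes -n default`; they are not stable.
API_SERVER_IPS = ["10.0.140.12", "10.0.156.33", "10.0.170.201"]

# Constructed spec in the shape of the customer's setup:
# one whitelisted range, then deny everything else.
WHITELIST_ONLY = {
    "egress": [
        {"type": "Allow", "to": {"cidrSelector": "192.168.50.0/24"}},
        {"type": "Deny", "to": {"cidrSelector": "0.0.0.0/0"}},
    ]
}


def first_match(spec, dst_ip):
    """Return 'Allow' or 'Deny' from the first rule whose cidrSelector
    contains dst_ip, or None if no rule matches. EgressFirewall evaluates
    rules in order and the first match wins, so rule order is what matters."""
    ip = ipaddress.ip_address(dst_ip)
    for rule in spec["egress"]:
        cidr = rule.get("to", {}).get("cidrSelector")
        if cidr is None:
            # dnsName selectors need live DNS; skipped in this offline check.
            continue
        if ip in ipaddress.ip_network(cidr, strict=False):
            return rule["type"]
    return None


def blocked_api_ips(spec, api_ips=API_SERVER_IPS):
    """List the API server endpoint IPs this spec would deny."""
    return [ip for ip in api_ips if first_match(spec, ip) == "Deny"]


def with_api_server_allow(spec, api_ips=API_SERVER_IPS):
    """Return a copy of the spec with a /32 Allow rule per API server IP
    inserted ahead of every existing rule (the documented workaround)."""
    allow_rules = [
        {"type": "Allow", "to": {"cidrSelector": f"{ip}/32"}} for ip in api_ips
    ]
    return {"egress": allow_rules + [dict(rule) for rule in spec["egress"]]}


def manifest(spec, namespace="my-project"):
    """Wrap a spec in a full EgressFirewall object. The object must be named
    'default'; the namespace here is a constructed placeholder."""
    return {
        "apiVersion": "k8s.ovn.org/v1",
        "kind": "EgressFirewall",
        "metadata": {"name": "default", "namespace": namespace},
        "spec": spec,
    }


if __name__ == "__main__":
    print("blocked before fix:", blocked_api_ips(WHITELIST_ONLY))
    fixed = with_api_server_allow(WHITELIST_ONLY)
    print("blocked after fix: ", blocked_api_ips(fixed))
    print(manifest(fixed))
```

Run `blocked_api_ips` against an existing spec before applying it: a non-empty result means pods in that namespace will lose the API server exactly as described in this bug, and the fix is to prepend the Allow rules rather than append them, since a trailing `0.0.0.0/0` Deny would otherwise match first.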
So it looks like the actual software fix for this is tracked in a separate BZ. This BZ is related specifically to the documentation update, which is complete.
@Jason, Thank you for your proactive response and for sharing the correct link. As this BZ is related to the documentation update, which was completed, you can close this BZ.
Appreciate your kind efforts.
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 365 days