Document URL: https://access.redhat.com/documentation/en-us/openshift_container_platform/4.7/html/networking/ovn-kubernetes-default-cni-network-provider
Section Number and Name:
14.2.2. Migrating to the OVN-Kubernetes default CNI network provider
Describe the issue:
Customer followed the instructions to switch the SDN on our OpenShift 4.7 cluster to OVN-Kubernetes. Everything went fine until he converted his EgressNetworkPolicy objects to EgressFirewall; then some components started failing to speak to the API server (including builds hanging).
1. On both the customer's old AWS cluster (4.7) that he converted to OVN-Kubernetes and a brand new AWS cluster (4.7), when he created EgressFirewall objects with a whitelist of allowed IPs, access to the API server was blocked from pods in those projects. This is different from the behaviour of EgressNetworkPolicy, where access to the API server was implicitly granted. With EgressFirewall he needs to manually add the IP addresses of the API servers, which is not documented and possibly fragile as they may change in the future.
2. This is quite difficult for him to do as the cluster is disconnected, but he can supply a smaller amount of output.
3. EgressNetworkPolicy always allowed access to the API server. EgressFirewall doesn't. Therefore the two are not compatible. At the very least there needs to be a warning in the documentation.
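A preflight check for the situation in points 1 and 3, added here as an example and not part of the bug report or of OVN-Kubernetes itself: it evaluates an ordered EgressFirewall rule list against the API server addresses and prepends explicit Allow rules for any that the catch-all Deny would block. The API IPs and CIDRs are constructed placeholders, and the rule semantics (top-down, first match wins, unmatched traffic allowed) are an assumption to verify against the product documentation.

```python
"""Preflight check: does an EgressFirewall allowlist still let pods reach the API server?"""
import ipaddress

# Constructed sample values, not taken from the bug report: a cluster-internal
# kubernetes service IP and an external API endpoint. Replace them with the
# addresses of your own cluster.
API_SERVER_IPS = ["172.30.0.1", "10.0.12.34"]

# Ordered egress rules as the customer's allowlist would look: explicit allows
# followed by a catch-all deny (constructed, CIDRs are placeholders).
ALLOWLIST_ONLY = [
    {"type": "Allow", "to": {"cidrSelector": "192.0.2.0/24"}},
    {"type": "Deny", "to": {"cidrSelector": "0.0.0.0/0"}},
]

def verdict(rules, dst_ip):
    """Action for dst_ip. Assumes rules are evaluated top-down, first match
    wins, and traffic matching no rule is allowed (an assumption, not from the bug)."""
    ip = ipaddress.ip_address(dst_ip)
    for rule in rules:
        cidr = rule["to"].get("cidrSelector")  # dnsName rules are skipped here
        if cidr and ip in ipaddress.ip_network(cidr, strict=False):
            return rule["type"]
    return "Allow"

def blocked_api_ips(rules, api_ips=API_SERVER_IPS):
    """API server addresses this rule set would deny."""
    return [ip for ip in api_ips if verdict(rules, ip) == "Deny"]

def ensure_api_reachable(rules, api_ips=API_SERVER_IPS):
    """Copy of rules with a /32 Allow for each blocked API IP prepended, so the
    explicit allows win over the catch-all deny."""
    fixes = [{"type": "Allow", "to": {"cidrSelector": f"{ip}/32"}}
             for ip in blocked_api_ips(rules, api_ips)]
    return fixes + list(rules)

def to_manifest(rules):
    """Wrap the rules in an EgressFirewall object (OVN-Kubernetes expects the name 'default')."""
    return {"apiVersion": "k8s.ovn.org/v1", "kind": "EgressFirewall",
            "metadata": {"name": "default"}, "spec": {"egress": rules}}

if __name__ == "__main__":
    print("blocked by allowlist-only policy:", blocked_api_ips(ALLOWLIST_ONLY))
    fixed = ensure_api_reachable(ALLOWLIST_ONLY)
    print("blocked after fix:", blocked_api_ips(fixed))
    print(to_manifest(fixed))
```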
Pablo Alonso Rodriguez also did some tests in the cluster, but the connection to the API fails, so this confirms the issue is there even for us.
Suggestions for improvement: needs a good explanation describing the compatibility; at the very least we need a warning message in the documentation.
I've created a PR to include this in the product documentation. Did I suggest the correct IP ranges? Does a user need to interrogate their cluster for their own specific IP address ranges for this? Thanks!
Do we have any concrete update on this, please, so that I can update the customer?
The doc needs to be updated, but we also have a bug for the OVN EgressFirewall: as Huiran Wang mentioned, the API service IP should not be blocked by EgressFirewall.
Thanks in Advance for your help