Description of problem:
Due to a bug in ovn-kube, if an egressfirewall is created at almost the exact same time as the namespace, or if ovnkube is restarting and a namespace+egressfirewall are created, it is possible for the egress firewall to fail to be applied. This is due to a bug where, when the events come, Egress Firewall tries to ensure the OVN address_set exists (because this event may have come before the namespace event, which also creates the address_set). However, the code was ensuring the wrong, un-hashed address set name, and effectively creating an incorrect address set.

Version-Release number of selected component (if applicable):
4.9

How reproducible:
Not likely
Reproduced this bug on 4.9.0-0.nightly-2021-08-19-180334

1. Create namespace z1 and a pod

2. Create egressfirewall

kind: EgressFirewall
apiVersion: k8s.ovn.org/v1
metadata:
  name: default
spec:
  egress:
  - type: Allow
    to:
      dnsName: www.test.com
  - type: Allow
    to:
      dnsName: yahoo.com
    ports:
    - protocol: TCP
      port: 80
  - type: Deny
    to:
      cidrSelector: 0.0.0.0/0

3. rsh into ovn-master

ovn-nbctl list address_set | grep name=z1_v4
_uuid               : 8e9b4404-34cb-4554-9b47-f312d3b64619
addresses           : []
external_ids        : {name=z1}
name                : z1_v4

Verified this bug on 4.9.0-0.nightly-2021-08-24-203710 with the same steps as above; we cannot see name: z1_v4
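Added example, not code from ovn-kubernetes or from this report: a small Go simulation of the race described in the description (EgressFirewall event handled before the Namespace event) with the buggy "ensure the un-hashed name" path beside the fixed "ensure the hashed name" path, plus a checker over `ovn-nbctl list address_set` output that flags any address set whose name column is not in hashed form, which is the condition QE looked for above. Assumptions: the hash function (FNV-64a, decimal, "a" prefix) is my reading of ovn-kubernetes and is not stated in the report; the in-memory map standing in for the NB DB, the external_ids layout, and the sample nbctl output (modelled on the rows in the report) are constructed for the example.

```go
package main

import (
	"fmt"
	"hash/fnv"
	"regexp"
	"strings"
)

// hashedName derives the OVN address_set "name" column from the logical
// (un-hashed) name. Assumption: FNV-64a, decimal, prefixed with "a"; the
// report only says the name is hashed.
func hashedName(logical string) string {
	h := fnv.New64a()
	_, _ = h.Write([]byte(logical))
	return fmt.Sprintf("a%d", h.Sum64())
}

// addrSet is a minimal stand-in for an NB DB Address_Set row.
type addrSet struct {
	Name        string            // "name" column, what ACLs reference
	ExternalIDs map[string]string // external_ids, here {name=<namespace>}
}

// nbdb is a toy in-memory stand-in for the northbound DB keyed on "name".
type nbdb map[string]*addrSet

// ensure creates the row if absent and returns it (the "make sure the
// address_set exists" step both event handlers perform).
func (db nbdb) ensure(name, ns string) *addrSet {
	if as, ok := db[name]; ok {
		return as
	}
	as := &addrSet{Name: name, ExternalIDs: map[string]string{"name": ns}}
	db[name] = as
	return as
}

// namespaceHandler: the Namespace event creates the v4 set under its hashed name.
func namespaceHandler(db nbdb, ns string) *addrSet {
	return db.ensure(hashedName(ns+"_v4"), ns)
}

// egressFirewallEnsureBuggy: pre-fix behaviour, ensures the un-hashed name,
// so a second, wrong row (name=z1_v4) appears.
func egressFirewallEnsureBuggy(db nbdb, ns string) *addrSet {
	return db.ensure(ns+"_v4", ns)
}

// egressFirewallEnsureFixed: same hashed name the namespace handler uses,
// so the event order no longer matters.
func egressFirewallEnsureFixed(db nbdb, ns string) *addrSet {
	return db.ensure(hashedName(ns+"_v4"), ns)
}

// simulateRace handles the EgressFirewall event before the Namespace event
// and returns how many address_set rows end up tagged with the namespace.
func simulateRace(ns string, fixed bool) int {
	db := nbdb{}
	if fixed {
		egressFirewallEnsureFixed(db, ns)
	} else {
		egressFirewallEnsureBuggy(db, ns)
	}
	namespaceHandler(db, ns)
	n := 0
	for _, as := range db {
		if as.ExternalIDs["name"] == ns {
			n++
		}
	}
	return n
}

var nameLine = regexp.MustCompile(`^name\s*:\s*(\S+)\s*$`)
var hashedForm = regexp.MustCompile(`^a[0-9]+$`)

// findUnhashedAddressSets scans `ovn-nbctl list address_set` output and
// returns every name column value that is not of the hashed a<digits> form.
func findUnhashedAddressSets(nbctlOut string) []string {
	var bad []string
	for _, line := range strings.Split(nbctlOut, "\n") {
		m := nameLine.FindStringSubmatch(strings.TrimSpace(line))
		if m != nil && !hashedForm.MatchString(m[1]) {
			bad = append(bad, m[1])
		}
	}
	return bad
}

// sampleNbctlOutput is constructed: the broken row from the report plus one
// correctly hashed row (uuid and hashed value are made up).
const sampleNbctlOutput = `
_uuid               : 8e9b4404-34cb-4554-9b47-f312d3b64619
addresses           : []
external_ids        : {name=z1}
name                : z1_v4

_uuid               : 4c1d2f0e-0000-4000-8000-000000000001
addresses           : ["10.128.2.10"]
external_ids        : {name=z1_v4}
name                : a10240862441066246326
`

func main() {
	fmt.Println("hashed name for z1_v4:", hashedName("z1_v4"))
	fmt.Println("rows with buggy ensure:", simulateRace("z1", false))
	fmt.Println("rows with fixed ensure:", simulateRace("z1", true))
	fmt.Println("un-hashed address sets:", findUnhashedAddressSets(sampleNbctlOutput))
}
```

On a fixed build, piping `ovn-nbctl list address_set` from the ovn-master container into findUnhashedAddressSets should return nothing; any hit is an address set that ACLs referencing the hashed name will never see, which is exactly why the egress firewall silently fails to apply.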
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:3759