Description of problem:
Allow from hostnetwork policy should allow traffic to pods in a namespace from pods on host network. Currently such a policy works if the network plugin is OVN but it does not work on SDN.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. Create a project and create a replicaset

    oc create -f https://raw.githubusercontent.com/openshift/verification-tests/master/testdata/networking/list_for_pods.json

2. Create a default deny policy

    kind: NetworkPolicy
    apiVersion: networking.k8s.io/v1
    metadata:
      name: default-deny
    spec:
      podSelector: {}

3. Create allow from hostnetwork policy

    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: allow-from-hostnetwork
    spec:
      ingress:
      - from:
        - namespaceSelector:
            matchLabels:
              policy-group.network.openshift.io/host-network: ""
      podSelector: {}
      policyTypes:
      - Ingress

4. rsh into multus on one of the masters and curl the IP address of the pod in step #1 with its port

Actual results:
Do not get 200 OK response to curl request.

Expected results:
Expected to get 200 OK response to curl request.

Additional info:
http://ci-qe-openshift.usersys.redhat.com/userContent/cucushift/v3/2021/08/27/22:16:18/Check_allow_from_router_and_allow_from_hostnetwork_policy_are_functional_post_upgrade_-_prepare/console.html
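Added example, not part of the original report or of OpenShift's code: a simplified model of how NetworkPolicy ingress rules combine, showing why the two policies in the steps above are expected to admit only sources whose namespace carries the host-network label. It assumes host-network traffic is attributed to a namespace with that label; the function names and the sample pod label are hypothetical.

```python
# Simplified model of NetworkPolicy ingress evaluation (added example).
# Only matchLabels selectors and namespaceSelector peers are modelled.
HOST_LABEL = "policy-group.network.openshift.io/host-network"
SAMPLE_POD_LABELS = {"name": "test-pods"}  # constructed sample label

# The two policies from the reproduction steps, as Python dicts.
DEFAULT_DENY = {
    "metadata": {"name": "default-deny"},
    "spec": {"podSelector": {}},
}
ALLOW_FROM_HOSTNETWORK = {
    "metadata": {"name": "allow-from-hostnetwork"},
    "spec": {
        "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {HOST_LABEL: ""}}}]}],
        "podSelector": {},
        "policyTypes": ["Ingress"],
    },
}

def selects(selector, labels):
    """An empty selector matches everything; otherwise every matchLabels pair must match."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def applies_to_ingress(policy):
    # policyTypes defaults to ["Ingress"] when omitted.
    return "Ingress" in policy["spec"].get("policyTypes", ["Ingress"])

def ingress_allowed(policies, pod_labels, src_ns_labels):
    """Return True if traffic from a namespace with src_ns_labels may reach the pod."""
    selecting = [p for p in policies
                 if applies_to_ingress(p) and selects(p["spec"].get("podSelector", {}), pod_labels)]
    if not selecting:
        return True  # no policy selects the pod, so it is not isolated for ingress
    for policy in selecting:  # policies are additive: any matching rule allows
        for rule in policy["spec"].get("ingress", []):
            peers = rule.get("from")
            if not peers:
                return True  # a rule without "from" allows all sources
            if any(selects(peer["namespaceSelector"], src_ns_labels)
                   for peer in peers if "namespaceSelector" in peer):
                return True
    return False
```
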
I believe the feature is not supported for openshift-sdn. Aniket would know best, since he implemented the feature.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:3759