- Bug
- Resolution: Can't Do
- Normal
- 4.16
- Quality / Stability / Reliability
- False
- Important
- No
- Rejected
- SDN Sprint 254
- 1
Description of problem:
EgressFirewall doesn't take precedence over BaselineAdminNetworkPolicy (BANP): a destination explicitly allowed by an EgressFirewall rule becomes unreachable once a BANP with a deny-all egress rule selects the same namespace.

Version-Release number of selected component (if applicable):
4.16.0-0.nightly-2024-05-19-083311

How reproducible:
Always

Steps to Reproduce:
1. Created a test namespace and test pods
2. Created an EgressFirewall in the test namespace that allows 173.194.196.147/32 and denies everything else:

apiVersion: v1
items:
- apiVersion: k8s.ovn.org/v1
  kind: EgressFirewall
  metadata:
    creationTimestamp: "2024-05-21T05:07:45Z"
    generation: 2
    name: default
    namespace: test
    resourceVersion: "60575"
    uid: 6b2c0a0e-80fa-44fd-80d3-e7fdd9d2107b
  spec:
    egress:
    - to:
        cidrSelector: 173.194.196.147/32
      type: Allow
    - to:
        cidrSelector: 0.0.0.0/0
      type: Deny
  status:
    messages:
    - 'hrw-0521a-8jzmk-worker-a-hdr26: EgressFirewall Rules applied'
    - 'hrw-0521a-8jzmk-worker-c-zbnlh: EgressFirewall Rules applied'
    - 'hrw-0521a-8jzmk-worker-b-x96nl: EgressFirewall Rules applied'
    - 'hrw-0521a-8jzmk-master-2.us-central1-a.c.openshift-qe.internal: EgressFirewall Rules applied'
    - 'hrw-0521a-8jzmk-master-1.us-central1-b.c.openshift-qe.internal: EgressFirewall Rules applied'
    - 'hrw-0521a-8jzmk-master-0.us-central1-c.c.openshift-qe.internal: EgressFirewall Rules applied'
    status: EgressFirewall Rules applied
kind: List
metadata:
  resourceVersion: ""

3. From the test pod, access the allowed IP (reachable, as expected):
% oc rsh -n test test-rc-44m4l
~ $ curl 173.194.196.147
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="http://www.google.com/">here</A>.
</BODY></HTML>
4. Created a BANP with a deny-all egress rule whose subject is the test namespace:

% oc get banp -o yaml
apiVersion: v1
items:
- apiVersion: policy.networking.k8s.io/v1alpha1
  kind: BaselineAdminNetworkPolicy
  metadata:
    creationTimestamp: "2024-05-21T05:09:16Z"
    generation: 1
    name: default
    resourceVersion: "60729"
    uid: e7e7358e-9e4a-4679-b47d-0859795dc41e
  spec:
    egress:
    - action: Deny
      name: default-deny-egress
      to:
      - networks:
        - 0.0.0.0/0
    subject:
      namespaces:
        matchLabels:
          kubernetes.io/metadata.name: test
  status:
    conditions:
    - lastTransitionTime: "2024-05-21T05:09:16Z"
      message: Setting up OVN DB plumbing was successful
      reason: SetupSucceeded
      status: "True"
      type: Ready-In-Zone-hrw-0521a-8jzmk-master-1.us-central1-b.c.openshift-qe.internal
    - lastTransitionTime: "2024-05-21T05:09:16Z"
      message: Setting up OVN DB plumbing was successful
      reason: SetupSucceeded
      status: "True"
      type: Ready-In-Zone-hrw-0521a-8jzmk-master-0.us-central1-c.c.openshift-qe.internal
    - lastTransitionTime: "2024-05-21T05:09:16Z"
      message: Setting up OVN DB plumbing was successful
      reason: SetupSucceeded
      status: "True"
      type: Ready-In-Zone-hrw-0521a-8jzmk-worker-a-hdr26
    - lastTransitionTime: "2024-05-21T05:09:16Z"
      message: Setting up OVN DB plumbing was successful
      reason: SetupSucceeded
      status: "True"
      type: Ready-In-Zone-hrw-0521a-8jzmk-master-2.us-central1-a.c.openshift-qe.internal
    - lastTransitionTime: "2024-05-21T05:09:16Z"
      message: Setting up OVN DB plumbing was successful
      reason: SetupSucceeded
      status: "True"
      type: Ready-In-Zone-hrw-0521a-8jzmk-worker-c-zbnlh
    - lastTransitionTime: "2024-05-21T05:09:16Z"
      message: Setting up OVN DB plumbing was successful
      reason: SetupSucceeded
      status: "True"
      type: Ready-In-Zone-hrw-0521a-8jzmk-worker-b-x96nl
kind: List
metadata:
  resourceVersion: ""

5. From the test pod, access 173.194.196.147 again.
Actual results:
% oc rsh -n test test-rc-44m4l
~ $ curl 173.194.196.147 --connect-timeout 5
curl: (28) Connection timeout after 5001 ms
Expected results:
The test pod should still be able to reach 173.194.196.147, the IP explicitly allowed by the EgressFirewall; the EgressFirewall Allow rule should take precedence over the BANP's baseline Deny.
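To make the precedence the report expects concrete, here is an added example (written for this page, not code from the bug report or from OVN-Kubernetes) that models the two policies above and flags the observed curl timeout as a precedence mismatch. It assumes, as the expected result states, that an EgressFirewall match is final and the BANP only applies as a baseline when no EgressFirewall rule matched; both objects in the report select the test namespace, so the model is for a pod in that namespace.

```python
"""Model of the egress precedence expected in the report.

Assumption (this is an illustrative model, not the OVN-Kubernetes
implementation): the first matching EgressFirewall rule is final; the
BANP is a baseline consulted only when no EgressFirewall rule matched;
with no matching policy at all, Kubernetes default-allows egress.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class EgressRule:
    cidr: str
    action: str  # "Allow" or "Deny"


# Rules transcribed from the EgressFirewall and BANP objects in the report.
EGRESS_FIREWALL = [EgressRule("173.194.196.147/32", "Allow"),
                   EgressRule("0.0.0.0/0", "Deny")]
BANP_EGRESS = [EgressRule("0.0.0.0/0", "Deny")]


def first_match(rules, dst):
    """First-match evaluation over an ordered rule list; None if nothing matches."""
    ip = ip_address(dst)
    for rule in rules:
        if ip in ip_network(rule.cidr):
            return rule.action
    return None


def expected_verdict(dst, egress_firewall=EGRESS_FIREWALL, banp=BANP_EGRESS):
    """Verdict for a pod in the test namespace under the precedence model above."""
    verdict = first_match(egress_firewall, dst)
    if verdict is not None:
        return verdict            # EgressFirewall decided; BANP is not consulted
    return first_match(banp, dst) or "Allow"


def classify_observation(dst, curl_exit_code):
    """Compare what curl saw (exit 0 = reached, 28 = timeout as in the report)
    against the expected verdict and flag a mismatch as a precedence bug."""
    observed = "Allow" if curl_exit_code == 0 else "Deny"
    expected = expected_verdict(dst)
    if observed == expected:
        return "ok"
    return f"precedence-bug: expected {expected}, observed {observed}"
```

With the report's observation (curl exit 28 against the allowed IP) the check returns a precedence-bug verdict, while the same timeout against a non-allowed IP is the expected Deny.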
Additional info:
Depends on: FDP-625 "ACL Tiers are not holistic across ingress/egress pipelines; thus breaking CMS expectations" (Closed)