- Bug
- Resolution: Unresolved
- Normal
- None
- 4.13
- None
- Important
- None
- False
- Customer Escalated
Description of problem:
During a 4.12->4.13->4.14 upgrade, in the 4.13 stage, the NetworkPolicies that allow traffic from the host network don't work, so each ingress controller pod (when the ingress controller runs in the host network) can reach only the pods on the same node.
Network plugin: openshift-sdn
Version-Release number of selected component (if applicable):
4.13.48
How reproducible:
Not sure if always, but it could be reproduced both on the customer side and in-house.
Steps to Reproduce:
1. Upgrade in the specific sequence 4.12->4.13->4.14 and check the NetworkPolicies at the 4.13 stage.
Actual results:
Allow-from-host-network NetworkPolicies don't work.
Expected results:
Allow-from-host-network NetworkPolicies work.
Additional info:
Checking the audit logs, I don't see the labels of the project being deleted and re-added frequently, so this is not a regression of OCPBUGS-28920.
Checking on the internal reproducer cluster, it seems that the root cause of the failure is that openshift-sdn is creating the NetworkPolicy enforcement flows of table=80 using the real VNID of the openshift-host-network project instead of VNID 0, which shouldn't be correct, as far as I could understand from the source code.
More details in comments.
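As an added diagnostic example (not part of the bug report and not openshift-sdn's own tooling), the script below checks a table=80 flow dump for the symptom described above: allow-from-host-network rules that match on the VNID assigned to the openshift-host-network NetNamespace rather than on VNID 0. It assumes openshift-sdn's register convention of reg0 = source VNID and reg1 = destination VNID, and the flow lines and VNID values in it are constructed for the example; on a real node you would feed it the output of `ovs-ofctl -O OpenFlow13 dump-flows br0 table=80` from the sdn pod and the `netid` of the openshift-host-network NetNamespace.

```shell
#!/bin/sh
# Constructed sample of a table=80 dump showing the symptom: the allow rule for the
# destination namespace (reg1=0x9f3a7c) matches reg0=0x123456, the VNID assumed here
# for the openshift-host-network NetNamespace, and no rule matches reg0=0.
BUGGY_FLOWS='cookie=0x0, duration=12.3s, table=80, n_packets=0, n_bytes=0, priority=150,ip,reg0=0x123456,reg1=0x9f3a7c actions=output:NXM_NX_REG2[]
cookie=0x0, duration=12.3s, table=80, n_packets=0, n_bytes=0, priority=150,ip,reg0=0x9f3a7c,reg1=0x9f3a7c actions=output:NXM_NX_REG2[]
cookie=0x0, duration=12.3s, table=80, n_packets=0, n_bytes=0, priority=0 actions=drop'

# Constructed sample of the expected state: host-network traffic carries VNID 0, so the
# allow rule must match reg0=0.
GOOD_FLOWS='cookie=0x0, duration=12.3s, table=80, n_packets=0, n_bytes=0, priority=150,ip,reg0=0,reg1=0x9f3a7c actions=output:NXM_NX_REG2[]
cookie=0x0, duration=12.3s, table=80, n_packets=0, n_bytes=0, priority=150,ip,reg0=0x9f3a7c,reg1=0x9f3a7c actions=output:NXM_NX_REG2[]
cookie=0x0, duration=12.3s, table=80, n_packets=0, n_bytes=0, priority=0 actions=drop'

# Count table=80 flows whose source-VNID match (reg0) is exactly $1.
# Reads a flow dump on stdin. grep -c prints the count but exits 1 when it is 0,
# so '|| true' keeps the function usable under 'set -e'.
count_src_vnid_flows() {
    grep -c "table=80,.*reg0=$1[, ]" || true
}

# Diagnose the bug: report "bug" when table=80 contains flows keyed on the real
# openshift-host-network VNID ($1) and none keyed on VNID 0. Reads the dump on stdin.
# On a real cluster the VNID would come from:
#   oc get netnamespace openshift-host-network -o jsonpath='{.netid}'
diagnose_hostnet_flows() {
    hostnet_vnid="$1"
    flows=$(cat)
    wrong=$(printf '%s\n' "$flows" | count_src_vnid_flows "$hostnet_vnid")
    right=$(printf '%s\n' "$flows" | count_src_vnid_flows 0)
    if [ "$wrong" -gt 0 ] && [ "$right" -eq 0 ]; then
        echo "bug: $wrong table=80 flow(s) match reg0=$hostnet_vnid and none match reg0=0"
        return 1
    fi
    echo "ok: $right flow(s) match reg0=0, $wrong match reg0=$hostnet_vnid"
    return 0
}

# Usage with the constructed samples; the first call reports the bug, the second reports ok.
printf '%s\n' "$BUGGY_FLOWS" | diagnose_hostnet_flows 0x123456 || true
printf '%s\n' "$GOOD_FLOWS" | diagnose_hostnet_flows 0x123456
```

The check is deliberately narrow: a rule matching the project's real VNID is not wrong in itself (pod-to-pod policies use it), so only the combination of "host-network VNID present" and "VNID 0 absent" is flagged, which is exactly the state in which ingress controller pods in the host network can only reach pods on their own node.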