- Bug
- Resolution: Done-Errata
- Critical
- None
- 4.12
- +
- No
- SDN Sprint 233
- 1
- Rejected
- False
Description of problem:
When an egress firewall is applied in a namespace whose name is longer than 43 symbols, ACL names get cropped and all ACLs for the same egress firewall object are considered equivalent. It is a known problem that we faced for network policies too.
Version-Release number of selected component (if applicable):
How reproducible:
Steps to Reproduce:
1. Create an egress firewall object with > 1 rule, e.g.

       kind: EgressFirewall
       apiVersion: k8s.ovn.org/v1
       metadata:
         name: default
       spec:
         egress:
         - type: Allow
           to:
             cidrSelector: <pod ip>/32
         - type: Deny
           to:
             cidrSelector: 0.0.0.0/0

2. Check that only the last rule is applied: all traffic will be dropped, even if you try to ping the allowed <pod ip>.
3. Check that in the nbdb there is only 1 egress firewall ACL (should be 2, as the number of rules):

       ovn-nbctl find acl | grep egressFirewall=
Actual results:
Expected results:
Additional info:
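The check in step 3 can be automated. The following is an added example, not part of the original report or of the project's code: it counts ACL records per `egressFirewall` external ID in `ovn-nbctl find acl` output and flags namespaces whose ACL count differs from their rule count. It assumes one ACL per rule (as the report states) and that the `egressFirewall=` value is the namespace name; the function names and the sample nbdb output are constructed for illustration.

```python
import re
from collections import Counter

NS_LIMIT = 43  # namespace-name length above which the report sees cropped ACL names

def _record(n, ns, action):
    """Build one constructed record in the `ovn-nbctl find acl` column layout."""
    return (f"_uuid               : 00000000-0000-0000-0000-{n:012d}\n"
            f"action              : {action}\n"
            f"external_ids        : {{egressFirewall={ns}}}\n"
            f"priority            : {10000 - n}\n")

LONG_NS = "tenant-" + "x" * 40   # 47 characters, over the limit
SHORT_NS = "team-a"

# Constructed sample: the short namespace has both ACLs, the long one only one.
SAMPLE_NBDB = "\n".join([
    _record(1, SHORT_NS, "allow"),
    _record(2, SHORT_NS, "drop"),
    _record(3, LONG_NS, "drop"),
])

def acl_counts(nbctl_output):
    """Count ACL records per egressFirewall external_ids value."""
    counts = Counter()
    for record in re.split(r"\n\s*\n", nbctl_output.strip()):
        m = re.search(r"^external_ids\s*:\s*\{(.*)\}\s*$", record, re.M)
        if not m:
            continue
        for pair in m.group(1).split(","):
            key, _, value = pair.strip().partition("=")
            if key == "egressFirewall":
                counts[value.strip('"')] += 1
    return counts

def find_mismatches(expected_rules, nbctl_output):
    """expected_rules maps namespace -> number of spec.egress rules.
    Returns (namespace, rules, acls, name_over_limit) for every mismatch."""
    counts = acl_counts(nbctl_output)
    return [(ns, rules, counts.get(ns, 0), len(ns) > NS_LIMIT)
            for ns, rules in sorted(expected_rules.items())
            if counts.get(ns, 0) != rules]

if __name__ == "__main__":
    for ns, rules, acls, over in find_mismatches({SHORT_NS: 2, LONG_NS: 2}, SAMPLE_NBDB):
        print(f"{ns}: {rules} rules but {acls} ACLs (name over {NS_LIMIT} chars: {over})")
```

A namespace reported with fewer ACLs than rules and a name over the limit matches the behaviour described above, where only the last rule takes effect.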
- is cloned by: OCPBUGS-8471 [4.13] egress firewall only creates 1 acl for long namespace names (Closed)
- is depended on by: OCPBUGS-8471 [4.13] egress firewall only creates 1 acl for long namespace names (Closed)
- links to: RHEA-2023:5006 rpm