OpenShift Container Platform (OCP) Strategy / OCPSTRAT-2269

Global ICMP Allow with DENY ALL Policies in OVN-Kubernetes


      Feature Overview (aka. Goal Summary)  

      There is no explicit ICMP protocol support in NetworkPolicy (NetPol) or MultiNetworkPolicy (MultiNetPol), which means all ICMP traffic between pods or VMs is blocked whenever a base-level DENY ALL policy is in place.

      This Feature aims to enable ICMP (and other) protocol support, with fine-grained control.

      Goals (aka. expected user outcomes)

      Customers want to leverage ICMP across the cluster for network diagnostics, troubleshooting and health checking. In these use cases they do not require fine-grained access control of the ICMP protocol between pods or VMs, as full ICMP protocol support in NetPol and MultiNetPol would provide. They want to maintain ICMP access irrespective of DENY ALL rules for TCP or UDP.

      Requirements (aka. Acceptance Criteria):

      • In cases where a customer wants ICMP across the cluster and fine-grained control of ICMP is not required, we offer a flag or an annotation to inject an OVN ACL that enables ICMP traffic across the SDN, irrespective of DENY ALL rules for TCP or UDP.
      • This Feature prioritizes on-premises deployments of OpenShift, but is not limited to them.
      • This is a faster, short-term solution for customers with the immediate requirement. The RFE for the full implementation is https://issues.redhat.com/browse/RFE-6896.
      • A work-in-progress PR for this Feature is located here: https://github.com/ovn-kubernetes/ovn-kubernetes/pull/5247
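      As an added illustration (not from this ticket or the linked PR), the base-level DENY ALL policy the overview refers to, followed by the only NetworkPolicy-level workaround available today. The `ports[].protocol` field of NetworkPolicy is validated to TCP, UDP or SCTP, so no allow rule can name ICMP; the namespace name is an assumption.

```yaml
# Constructed example: a namespace-wide default-deny NetworkPolicy.
# It selects every pod and lists no ingress/egress rules, so pods are
# isolated for all traffic, including ICMP echo (ping) and ICMPv6.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: demo            # assumed namespace
spec:
  podSelector: {}            # applies to every pod in the namespace
  policyTypes:
  - Ingress
  - Egress
---
# The workaround: an allow rule with a selector but no ports list.
# A rule without ports matches every port and protocol, so this does
# restore ICMP between pods in the namespace, but it also reopens
# TCP and UDP from the same peers. Writing "protocol: ICMP" in a
# ports entry instead is rejected by API server validation, which is
# the gap the flag/annotation in this Feature is meant to close.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-namespace-peers-all-protocols
  namespace: demo            # assumed namespace
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector: {}        # any pod in this namespace, all protocols
```

      Applying only the first object reproduces the blocked-ping symptom; applying both restores ping at the cost of admitting all protocols from the selected peers.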

      Deployment considerations (list applicable specific needs; N/A = not applicable)
      Self-managed, managed, or both  
      Classic (standalone cluster)  
      Hosted control planes  
      Multi node, Compact (three node), or Single node (SNO), or all  
      Connected / Restricted Network  
      Architectures, e.g. x86_x64, ARM (aarch64), IBM Power (ppc64le), and IBM Z (s390x)  
      Operator compatibility  
      Backport needed (list applicable versions)  
      UI need (e.g. OpenShift Console, dynamic plugin, OCM)  
      Other (please specify)  

      Use Cases (Optional):

      * 

      Questions to Answer (Optional):

      * 

      Out of Scope

      * 

      Background

      * 

      Customer Considerations

      • This is a shorter-term solution for customers needing the functionality before the full implementation is complete. The full implementation will be pursued via https://issues.redhat.com/browse/RFE-6896.

      Documentation Considerations

      •  

      Interoperability Considerations

      •  

              Marc Curry (mcurry@redhat.com)
              Tim Rozet
              Ashley Hardin
              Chris Fields