Loading...

XML

Word

Printable

Type: Feature
Resolution: Done
Priority: Major
Fix Version/s: openshift-4.13
Affects Version/s: None
Component/s: Core, Networking
Labels:

Activity Type:
Product / Portfolio Work
Parent Link:
None
Hierarchy Progress Bar:

0% To Do, 0% In Progress, 100% Done
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Ready:
False
Size:
None

Target Version:

openshift-4.13
Release Blocker:
None

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

PX Review Complete:
None
PX Priority Data:
None
PX Impact Score:
None
PX Technical Impact:
None
PX Impact Range:
None
PX Scheduling Request:
None
PX Technical Impact Notes:
None

Add the ability to create egress firewall rules based on nodes to allow host network access to specific nodes

Why is this important?

There is a difference between SDN and OVN's implementation of Egress Firewall where SDN implicitly allows services to bypass Egress Firewall. Some customers rely on this behavior in order to implicitly allow pods to reach services backed by host network pods. This traffic blocked by default today in OVN, and adding manual rules per host IP can be tedious.

See https://bugzilla.redhat.com/show_bug.cgi?id=1993841 for more info.

clones

CORENET-2270 Enhance EgressFirewall to include a nodeSelector for destinations

Closed

links to

https://github.com/openshift/cluster-network-operator/pull/1720

https://github.com/openshift/origin/pull/27824

https://github.com/ovn-org/ovn-kubernetes/pull/3002

Assignee:: Deepthi Dharwar (Inactive)

Reporter:: Tim Rozet

Need Info From:: None

Contributors:: None

Architect:: None

QA Contact:: Huiran Wang

Doc Contact:: None

Product Operations Engineering Contact:: Chris Fields

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 2023/02/22 10:08 AM

Updated:: 2025/06/27 11:04 AM

Resolved:: 2023/04/26 8:26 PM