OpenShift Core Networking
CORENET-5044

[L2/3] [Services] Add support for Pod[host-net]->KAPI/DNS traffic in user-defined primary networks



      • Goal of this card is to ensure that a pod on a user-defined primary network can reach the KAPI and DNS services that sit in the default network, on top of the native isolation card.
      • In the KEP we have two potential ways to achieve this:
        • Add routes for KAPI/DNS specifically into the pod, so that traffic to those two services goes out eth0 while all other service access goes to eth1. OR
        • Do not send any service traffic out of eth0; instead all service traffic goes to eth1. In this case all service traffic flows through the user-defined primary network, and only the load balancers for that network are configured on that network's OVN worker switch. Packets to KAPI/DNS (services not on this network) are therefore not DNAT'ed at the worker switch and are instead forwarded on to ovn_cluster_router_<user-defined network>. That router is configured to send service-CIDR traffic to ovn-k8s-mp0-<user-defined network>. IPTables rules in the host permit only access to KAPI/DNS and drop all other service traffic coming from ovn-k8s-mp0-<user-defined network>. The permitted traffic is then routed to br-ex and the default GR, where it hits the OVN load balancer and is forwarded to the right endpoint.

      Discuss, choose one of these, nail down the implementation, add tests, add docs.
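      The host-side filter in the second option is where the security boundary actually lives: everything bound for the service CIDR that arrives on ovn-k8s-mp0-<user-defined network> must be dropped except the KAPI and DNS ClusterIPs. The block below is an added example written for this card, not code from ovn-kubernetes or the KEP. It models that allow-list as first-match iptables rules and checks which destinations get through. Everything not stated on the card is an assumption: that the rules sit in the filter table's FORWARD chain, that the interface is literally named ovn-k8s-mp0-<network>, and that the service CIDR (172.30.0.0/16), the KAPI ClusterIP (172.30.0.1:443) and the DNS ClusterIP (172.30.0.10:53) are constructed illustrative values.

```python
"""Model of the host-side iptables filter described in option 2.

Added example for this card, not ovn-kubernetes code. Assumptions not stated on
the card: rules live in the filter table's FORWARD chain, the ingress interface is
named ovn-k8s-mp0-<network>, and all addresses/ports are constructed illustrative
values (OpenShift-style 172.30.0.0/16 service CIDR).
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    in_iface: str
    dst: IPv4Network
    proto: Optional[str]   # "tcp", "udp", or None for any protocol
    dport: Optional[int]   # None for any destination port
    target: str            # "ACCEPT" or "DROP"

    def matches(self, in_iface: str, dst_ip: IPv4Address, proto: str, dport: int) -> bool:
        return (in_iface == self.in_iface
                and dst_ip in self.dst
                and (self.proto is None or proto == self.proto)
                and (self.dport is None or dport == self.dport))

    def render(self) -> str:
        """Render as an `iptables -A FORWARD ...` command (chain is an assumption)."""
        parts = ["iptables", "-A", "FORWARD", "-i", self.in_iface, "-d", str(self.dst)]
        if self.proto is not None:
            parts += ["-p", self.proto]
        if self.dport is not None:
            parts += ["--dport", str(self.dport)]
        parts += ["-j", self.target]
        return " ".join(parts)


def _host(ip: str) -> IPv4Network:
    return ip_network(f"{ip}/32")


def build_rules(network: str, service_cidr: str, kapi_ip: str, kapi_port: int,
                dns_ip: str) -> List[Rule]:
    """Allow-list KAPI and DNS, then drop everything else bound for the service CIDR.

    Order is the whole point: iptables is first-match, so the ACCEPT rules must
    precede the CIDR-wide DROP or the allow-list is dead code. Every rule is
    scoped to the UDN's mp0 interface so the host's own service traffic is untouched.
    """
    iface = f"ovn-k8s-mp0-{network}"          # naming taken from the card
    return [
        Rule(iface, _host(kapi_ip), "tcp", kapi_port, "ACCEPT"),
        Rule(iface, _host(dns_ip), "udp", 53, "ACCEPT"),
        Rule(iface, _host(dns_ip), "tcp", 53, "ACCEPT"),   # TCP fallback for large answers
        Rule(iface, ip_network(service_cidr), None, None, "DROP"),
    ]


def evaluate(rules: List[Rule], in_iface: str, dst_ip: str, proto: str,
             dport: int) -> Optional[str]:
    """First-match evaluation; None means no rule matched (the chain policy applies)."""
    dst = ip_address(dst_ip)
    for rule in rules:
        if rule.matches(in_iface, dst, proto, dport):
            return rule.target
    return None


if __name__ == "__main__":
    for rule in build_rules("blue", "172.30.0.0/16", "172.30.0.1", 443, "172.30.0.10"):
        print(rule.render())
```

      Two things the model makes visible that the prose glosses over: the drop rule must be keyed on the ingress interface, otherwise it would also cut the default network's host-networked traffic to the service CIDR, and DNS needs both UDP and TCP 53 or truncated answers silently fail. A destination outside the service CIDR falls through to the chain policy, which matches the card's statement that only service-CIDR traffic is steered to mp0 by the cluster router in the first place.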

              pdiak@redhat.com Patryk Diak
              sseethar Surya Seetharaman
