Hairpin traffic blocked when NP is applied in OVN

Reviewed: https://review.opendev.org/c/openstack/kuryr-kubernetes/+/786035
Committed: https://opendev.org/openstack/kuryr-kubernetes/commit/e84a6a707ebd4c3d75a9dce34394d065e6499bc9
Submitter: "Zuul (22348)"
Branch: master

commit e84a6a707ebd4c3d75a9dce34394d065e6499bc9
Author: Michał Dulko <email address hidden>
Date: Mon Apr 12 14:33:15 2021 +0200

    Fix NPs for OVN LBs with hairpin traffic

    In case of hairpin LB traffic (member of the LB calls the LB and the
    request is directed back to the same member) OVN replaces the source-ip
    of the request with the LB IP. This means that pods with network
    policies applied may have that traffic blocked when it should be
    allowed.

    To fix that this commit makes sure that SGs used for NPs include ingress
    rules for each of the Service in it's namespace. It's not ideal but
    seems to be a fair compromise between opening as little traffic as
    possible and increasing number of security groups and rules.

    As this commit makes sure all the NPs in the namespaces are reanalyzed
    every time a Service is created or deleted, a little fixes in order to
    support that are also made.

    Change-Id: I7e0458c4071e4a43ab4d158429e05c67cd897a3c
    Closes-Bug: 1923452

Fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/kuryr-kubernetes/+/789871

Reviewed: https://review.opendev.org/c/openstack/kuryr-kubernetes/+/789871
Committed: https://opendev.org/openstack/kuryr-kubernetes/commit/643effc3403bf80581588ea67136240eb36a54db
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit 643effc3403bf80581588ea67136240eb36a54db
Author: Michał Dulko <email address hidden>
Date: Mon Apr 12 14:33:15 2021 +0200

    Fix NPs for OVN LBs with hairpin traffic

    In case of hairpin LB traffic (member of the LB calls the LB and the
    request is directed back to the same member) OVN replaces the source-ip
    of the request with the LB IP. This means that pods with network
    policies applied may have that traffic blocked when it should be
    allowed.

    To fix that this commit makes sure that SGs used for NPs include ingress
    rules for each of the Service in it's namespace. It's not ideal but
    seems to be a fair compromise between opening as little traffic as
    possible and increasing number of security groups and rules.

    As this commit makes sure all the NPs in the namespaces are reanalyzed
    every time a Service is created or deleted, a little fixes in order to
    support that are also made.

    Change-Id: I7e0458c4071e4a43ab4d158429e05c67cd897a3c
    Closes-Bug: 1923452
    (cherry picked from commit e84a6a707ebd4c3d75a9dce34394d065e6499bc9)

Fix proposed to branch: stable/victoria
Review: https://review.opendev.org/c/openstack/kuryr-kubernetes/+/790574

Change abandoned by "Michał Dulko <email address hidden>" on branch: stable/victoria
Review: https://review.opendev.org/c/openstack/kuryr-kubernetes/+/790574

This issue was fixed in the openstack/kuryr-kubernetes 5.0.0.0rc1 release candidate.

This issue was fixed in the openstack/kuryr-kubernetes 4.0.1 release.