[OVN] Missing OVN ACLs for security groups that utilize remote groups attached to ports with allowed_address_pairs
Bug #1908382 reported by Krzysztof Klimonda
This bug affects 4 people
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
neutron | Won't Fix | High | Unassigned | | |
Bug Description
See mailing list thread started at http://
Bug discovered during magnum testing in ussuri, where pods deployed on different nodes could not communicate with each other - it has been traced to incorrect OVN ACLs for this specific scenario:
- neutron port with additional subnet added to allowed_
- security group created with a remote group set for both TCP and UDP, to allow traffic between subnet defined in allowed_
It resulted in TCP and UDP being dropped by OVN.
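An added example (not part of the bug report, and not Neutron or OVN code) of auditing the scenario described above: for every port in the remote group, it lists the fixed IPs and allowed_address_pairs entries that no programmed source address covers. The port ids, group ids and addresses are constructed, and `PROGRAMMED` is assumed to be a list of addresses the operator has collected from the backend for that remote group.

```python
import ipaddress

# Constructed sample ports, shaped like Neutron port API objects (values are made up).
PORTS = [
    {"id": "node-1", "security_groups": ["sg-k8s"],
     "fixed_ips": [{"ip_address": "10.0.0.11"}],
     "allowed_address_pairs": [{"ip_address": "10.100.1.0/24"}]},
    {"id": "node-2", "security_groups": ["sg-k8s"],
     "fixed_ips": [{"ip_address": "10.0.0.12"}],
     "allowed_address_pairs": [{"ip_address": "10.100.2.0/24"}]},
    {"id": "other", "security_groups": ["sg-db"],
     "fixed_ips": [{"ip_address": "10.0.0.50"}],
     "allowed_address_pairs": []},
]

# Assumption: source addresses the backend matches for the remote group,
# collected by the operator. Constructed to mirror the symptom in the report.
PROGRAMMED = ["10.0.0.11", "10.0.0.12"]


def expected_sources(ports, remote_group_id):
    """Map port id -> networks a remote-group rule is expected to admit."""
    result = {}
    for port in ports:
        if remote_group_id not in port["security_groups"]:
            continue
        entries = port["fixed_ips"] + port["allowed_address_pairs"]
        result[port["id"]] = [
            ipaddress.ip_network(e["ip_address"], strict=False) for e in entries
        ]
    return result


def missing_sources(ports, remote_group_id, programmed):
    """Return {port id: [CIDR strings]} expected but not covered by programmed."""
    have = [ipaddress.ip_network(p, strict=False) for p in programmed]
    gaps = {}
    for port_id, nets in expected_sources(ports, remote_group_id).items():
        uncovered = [
            str(n) for n in nets
            # Compare only within one IP version; subnet_of() raises otherwise.
            if not any(n.version == h.version and n.subnet_of(h) for h in have)
        ]
        if uncovered:
            gaps[port_id] = uncovered
    return gaps


if __name__ == "__main__":
    for port_id, cidrs in missing_sources(PORTS, "sg-k8s", PROGRAMMED).items():
        print(f"{port_id}: no source match for {', '.join(cidrs)}")
```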
Changed in neutron:
importance: Undecided → High
status: New → Confirmed
tags: added: ovn
Changed in neutron:
status: Confirmed → In Progress
One possible workaround to this issue in Magnum is to use Calico overlay. ipv4pool_ ipip=Always
Can be set with cluster template label:
calico_