Comment 11 for bug 1827246

OpenStack is not a platform service and should not be exposed via the OAM firewall by default. When OpenStack is installed, the either with http or https enabled, then the appropriate GlobalNetworkPolicy should be configured to enable access to that port via the OAM network.

Example Policy:

apiVersion: crd.projectcalico.org/v1
kind: GlobalNetworkPolicy
metadata:
  name: allow-openstack-endpoints
spec:
  ingress:
  - action: Allow
    destination:
      ports:
      - 80
    protocol: TCP
  order: 500
  selector: has(iftype) && iftype == 'oam'
  types:
  - Ingress