Merge pull request #92756 from JoeAldinger/OCPBUGS55471-4.16

JoeAldinger · web-flow · commit 40328f2a5c9c · 2025-05-01T19:07:22.000-04:00
OCPBUGS55471-4.16:adds external IP to migration docs
diff --git a/modules/nw-external-ip-ovn-k.adoc b/modules/nw-external-ip-ovn-k.adoc
@@ -0,0 +1,18 @@
+// Module included in the following assemblies:
+// * networking/ovn_kubernetes_network_provider/migrate-from-openshift-sdn.adoc
+
+:_mod-docs-content-type: REFERENCE
+[id="nw-external-ip-ovn-k_{context}"]
+= Understanding changes to external IP behavior in OVN-Kubernetes
+
+When migrating from OpenShift SDN to OVN-Kubernetes (OVN-K), services that use external IPs might become inaccessible across namespaces due to network policy enforcement.
+
+In OpenShift SDN, external IPs were accessible across namespaces by default. However, in OVN-K, network policies strictly enforce multitenant isolation, preventing access to services exposed via external IPs from other namespaces.
+
+To ensure access, consider the following alternatives:
+
+* Use an ingress or route: Instead of exposing services by using external IPs, configure an ingress or route to allow external access while maintaining security controls.
+
+* Adjust the `NetworkPolicy` custom resource (CR): Modify a `NetworkPolicy` CR to explicitly allow access from required namespaces and ensure that traffic is allowed to the designated service ports. Without explicitly allowing traffic to the required ports, access might still be blocked, even if the namespace is allowed.
+
+* Use a `LoadBalancer` service: If applicable, deploy a `LoadBalancer` service instead of relying on external IPs. For more information about configuring see "NetworkPolicy and external IPs in OVN-Kubernetes".
diff --git a/networking/ovn_kubernetes_network_provider/migrate-from-openshift-sdn.adoc b/networking/ovn_kubernetes_network_provider/migrate-from-openshift-sdn.adoc
@@ -130,3 +130,10 @@ include::modules/nw-network-plugin-migration-process.adoc[leveloffset=+2]
 
 // Migrating to the OVN-Kubernetes network plugin by using the offline migration method
 include::modules/nw-ovn-kubernetes-migration.adoc[leveloffset=+2]
+
+//External IP behavior difference between SDN and OVN-K
+include::modules/nw-external-ip-ovn-k.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+* xref:../../networking/network_security/network_policy/about-network-policy.adoc#nw-networkpolicy-external-ip-ovn_about-network-policy[NetworkPolicy and external IPs in OVN-Kubernetes].
