Include service subnet to be open for namespaceSelector set to all.

For OVN Ocatvia provider we need to include service subnet as well, otherwise we will end up in no connectivity to services from pods where network policy which define egress to all namespaces was applied. Change-Id: Ic1d1803c178a9b8375f2a08e021f0a046fd7ff02 Related-Bug: 1915008
openshift · Apr 8, 2021 · bfe2e25 · bfe2e25
1 parent 47c427d
commit bfe2e25
Showing 1 changed file with 2 additions and 3 deletions.
diff --git a/kuryr_kubernetes/controller/drivers/network_policy.py b/kuryr_kubernetes/controller/drivers/network_policy.py
@@ -204,9 +204,8 @@ def _parse_selectors(self, rule_block, rule_direction, policy_namespace):
                     # service subnet.
                     allowed_cidrs = utils.get_subnetpool_cidrs(
                         CONF.namespace_subnet.pod_subnet_pool)
-                    if CONF.octavia_defaults.enforce_sg_rules:
-                        allowed_cidrs.append(utils.get_subnet_cidr(
-                            CONF.neutron_defaults.service_subnet))
+                    allowed_cidrs.append(utils.get_subnet_cidr(
+                        CONF.neutron_defaults.service_subnet))
             elif namespace_selector:
                 selectors = True
                 if pod_selector: