From 3f56cb09e29bcc88c764d9dbf3f312a80477a489 Mon Sep 17 00:00:00 2001 From: weliang1 Date: Wed, 10 Jun 2026 10:32:10 -0400 Subject: [PATCH] Add ovn-k8s-cni-overlay to multus-networkpolicy allowed plugins MultiNetworkPolicy is not enforced on UDN (User Defined Network) secondary interfaces in OCP 5.0 due to architectural changes from 4.22. In OCP 4.22, MultiNetworkPolicy was integrated into ovnkube-controller with native UDN support. In OCP 5.0, it was separated into a standalone multus-networkpolicy daemonset that validates CNI types against an allowlist. UDN networks use CNI type "ovn-k8s-cni-overlay" which is missing from the --network-plugins allowlist, causing UDN networks to be silently rejected and policies to never be enforced. Test Results: - OCP 4.22: Test 78259 PASSES (native OVN-K integration) - OCP 5.0: Test 78259 FAILS (missing ovn-k8s-cni-overlay in allowlist) Affected tests: - OCP-77656: UDN Layer2 Secondary + Ingress ipBlock policy - OCP-78125: UDN Layer2 Secondary + Egress ipBlock policy - OCP-78259: UDN Layer3 Secondary + Egress ipBlock policy This fix restores UDN MultiNetworkPolicy functionality in the new 5.0 separated architecture by adding ovn-k8s-cni-overlay to the allowed network plugins list. Follows same pattern as PR #1443 which added sriov support. Co-Authored-By: Claude Sonnet 4.5 --- bindata/network/multus-networkpolicy/multus-networkpolicy.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bindata/network/multus-networkpolicy/multus-networkpolicy.yaml b/bindata/network/multus-networkpolicy/multus-networkpolicy.yaml index a1ead1ff08..e76159e772 100644 --- a/bindata/network/multus-networkpolicy/multus-networkpolicy.yaml +++ b/bindata/network/multus-networkpolicy/multus-networkpolicy.yaml 
@@ -36,7 +36,7 @@ spec: args: - "--host-prefix=/host" - "--container-runtime-endpoint=/run/crio/crio.sock" - - "--network-plugins=macvlan,sriov,ipvlan,bond" + - "--network-plugins=macvlan,sriov,ipvlan,bond,ovn-k8s-cni-overlay" - "--custom-v6-ingress-rule-file=/etc/multi-networkpolicy/rules/custom-v6-rules.txt" - "--custom-v6-egress-rule-file=/etc/multi-networkpolicy/rules/custom-v6-rules.txt" - "--hostname-override=$(K8S_NODE_NAME)"
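Review bot: In the `--network-plugins` argument, the new `ovn-k8s-cni-overlay` entry admits every attachment of that CNI type to policy enforcement, while the commit message only reports coverage for UDN Layer2/Layer3 secondary interfaces with ipBlock ingress and egress rules (OCP-77656, OCP-78125, OCP-78259). Please state in the commit message or in a comment beside the argument whether any other network using this CNI type is intended to be in scope, and whether non-ipBlock policy shapes were exercised. The failure described here was silent: a CNI type missing from this hard-coded list meant policies were never enforced, with nothing surfacing it. Since this is the second addition of its kind (after `sriov`), consider a follow-up so that a rejected CNI type produces a visible log line or event instead of an unenforced policy, and add a short comment above the argument noting which feature depends on each entry so that a later cleanup does not drop one.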