Update matchLabels parameter in network-policy

[stevsmit]

For 4.7+

GH Issue: #38168

Pending QE ack:
@zhaozhanqi @anuragthehatter please review :) I am unsure if this is 100% correct.

Preview: https://deploy-preview-38283--osdocs.netlify.app/openshift-enterprise/latest/networking/network_policy/multitenant-network-policy.html

[netlify]

✔️ Deploy Preview for osdocs ready!

🔨 Explore the source changes: 46d080f

🔍 Inspect the deploy log: https://app.netlify.com/sites/osdocs/deploys/618aa6983280c10008b08db9

😎 Browse the preview: https://deploy-preview-38283--osdocs.netlify.app

[zhaozhanqi]

openshifg-ingress namespace have both two label network.openshift.io/policy-group=ingress and policy-group.network.openshift.io/ingress=. So using anyone is ok. @asood-rh ^^ help double confirm? thanks

[jboxman-rh]

@zhaozhanqi, I was told that the newer label is the preferred one to use now. However, which cluster network provider is used matters:

• https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-network-policy-host-network-ingress-controllers
• https://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html#ocp-4-7-network-policy-host-network-ingress-controllers

So this seems to be 4.6+ for OVN-Kubernetes and 4.7+ for OpenShift SDN.

[asood-rh]

@jboxman-rh @stevsmit @zhaozhanqi

Jason has it right, new labels (policy-group.network.openshift.io/ingress: "" and policy-group.network.openshift.io/host-network: "") are supported on 4.6 OVN-Kubernetes but not on openshiftSDN. I did find two issues with the policy support where in one case old label with openshiftSDN does not work and one new label does not work with OVN-kubernetes
(Watch out for - https://bugzilla.redhat.com/show_bug.cgi?id=2019900 and https://bugzilla.redhat.com/show_bug.cgi?id=2019996)

4.7 inclusive and on wards all labels are supported and work.
policy-group.network.openshift.io/ingress: ""
policy-group.network.openshift.io/host-network: ""
network.openshift.io/policy-group: ingress

[asood-rh]

/lgtm

[jboxman-rh]

@stevsmit seems fine; My insight into this has drift somewhat in recent months. As long as it passes QE we're good to go for peer review I think.

[maxwelldb]

Left a comment. I don't think this does anything that is a rule violation, but happy to chat about alternative treatments.

[maxwelldb]

/lgtm

[maxwelldb]

/cherry-pick enterprise-4.7

[maxwelldb]

/cherry-pick enterprise-4.8

[maxwelldb]

/cherry-pick enterprise-4.9

[maxwelldb]

/cherry-pick enterprise-4.10

[openshift-cherrypick-robot]

@maxwelldb: new pull request created: #38534

Details

In response to this:

/cherry-pick enterprise-4.7

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-cherrypick-robot]

@maxwelldb: new pull request created: #38535

Details

In response to this:

/cherry-pick enterprise-4.8

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-cherrypick-robot]

@maxwelldb: new pull request created: #38536

Details

In response to this:

/cherry-pick enterprise-4.9

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-cherrypick-robot]

@maxwelldb: new pull request created: #38537

Details

In response to this:

/cherry-pick enterprise-4.10

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.