Parameters to enable network policy ACL logging are missing in network.operator on a Red Hat OpenShift Container Platform cluster that was upgraded from 4.7 to a higher version


Issue

When upgrading a Red Hat OpenShift Container Platform 4.7 (or below) cluster to version 4.8 (or higher), the parameters to enable network policy ACL logging are missing in the network.operator custom resource named cluster. Due to the missing configuration in network.operator, annotating namespaces with the k8s.ovn.org/acl-logging annotation will not enable policy logging.

A cluster that was upgraded from 4.7 to 4.8 lacks the .spec.defaultNetwork.ovnKubernetesConfig.policyAuditConfig section:

$ oc get network.operator cluster -o yaml
apiVersion: operator.openshift.io/v1
kind: Network
metadata:
(...)
  name: cluster
(...)
spec:
(...)
  defaultNetwork:
    ovnKubernetesConfig:
      genevePort: 6081
      mtu: 8901
(...)

Whereas on a new installation with 4.8 and above, the section is present:

$ oc get network.operator cluster -o yaml
apiVersion: operator.openshift.io/v1
kind: Network
metadata:
(...)
  name: cluster
(...)
spec:
(...)
  defaultNetwork:
    ovnKubernetesConfig:
      genevePort: 6081
      mtu: 8901
      policyAuditConfig:
        destination: "null"
        maxFileSize: 50
        rateLimit: 20
        syslogFacility: local0
(...)
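
To check a cluster for this condition, the following added example (not Red Hat's code, and not part of the original article) reads the output of oc get network.operator cluster -o yaml and reports whether the policyAuditConfig section is present under spec. The function names and the sample documents are constructed for illustration, and the indentation-based parse assumes the block-style YAML that oc prints.

```shell
#!/bin/sh
# Added example, not Red Hat's code. On a live cluster:
#   oc get network.operator cluster -o yaml | report

# Exit 0 if the YAML on stdin has policyAuditConfig as a direct child of
# ovnKubernetesConfig under the top-level spec key, 1 otherwise.
has_policy_audit_config() {
    awk '
        /^ *(#|$)/ { next }                              # blanks, comments
        { indent = match($0, /[^ ]/) - 1 }               # leading spaces
        indent == 0 { top = $1; in_ovn = 0 }             # top-level key
        in_ovn && indent <= ovn_indent { in_ovn = 0 }    # left the block
        top == "spec:" && /^ +ovnKubernetesConfig:/ {
            in_ovn = 1; ovn_indent = indent; child = 0; next
        }
        in_ovn && !child { child = indent }              # first child sets depth
        in_ovn && indent == child && /^ +policyAuditConfig:/ { found = 1 }
        END { exit(found ? 0 : 1) }
    '
}

report() {
    if has_policy_audit_config; then
        echo "policyAuditConfig present"
    else
        echo "policyAuditConfig missing"
    fi
}

# Constructed samples modelled on the two listings above.
sample_upgraded() {
    cat <<'EOF'
apiVersion: operator.openshift.io/v1
kind: Network
metadata:
  name: cluster
spec:
  defaultNetwork:
    ovnKubernetesConfig:
      genevePort: 6081
      mtu: 8901
EOF
}

sample_fresh() {
    sample_upgraded
    printf '      policyAuditConfig:\n        destination: "null"\n        rateLimit: 20\n'
}

sample_upgraded | report; sample_fresh | report
```

A "missing" result on a cluster where namespaces already carry the k8s.ovn.org/acl-logging annotation means those namespaces are not producing network policy audit logs.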

Environment

Red Hat OpenShift Container Platform cluster that was upgraded from 4.7 (or below) to any higher version
