Skip handling NetPol events on non primary networks

When primary UDN exists for the namespace, the current implementation configured
network policy for both UDN and default network. The default network traffic
has its own ACLs that deny almost everything already so handling network policy
for default is unnecessary and not an optimal solution as it programs another
set of port groups, acls and address sets which are never going to be used.
Hence this commit skips handling network policy events on the base network
controller when there is a mismatch on active primary network.

Signed-off-by: Periyasamy Palanisamy <[email protected]>

go-controller/pkg/ovn/base_network_controller.go

@@ -941,7 +941,13 @@ func (bnc *BaseNetworkController) AddResourceCommon(objType reflect.Type, obj in
 		if !ok {
 			return fmt.Errorf("could not cast %T object to *knet.NetworkPolicy", obj)
 		}
-
+		netinfo, err := bnc.getActiveNetworkForNamespace(np.Namespace)
+		if err != nil {
+			return fmt.Errorf("could not get active network for namespace %s: %v", np.Namespace, err)
+		}
+		if bnc.GetNetworkName() != netinfo.GetNetworkName() {
+			return nil
+		}
 		if err := bnc.addNetworkPolicy(np); err != nil {
 			klog.Infof("Network Policy add failed for %s/%s, will try again later: %v",
 				np.Namespace, np.Name, err)
@@ -960,6 +966,13 @@ func (bnc *BaseNetworkController) DeleteResourceCommon(objType reflect.Type, obj
 		if !ok {
 			return fmt.Errorf("could not cast obj of type %T to *knet.NetworkPolicy", obj)
 		}
+		netinfo, err := bnc.getActiveNetworkForNamespace(knp.Namespace)
+		if err != nil {
+			return fmt.Errorf("could not get active network for namespace %s: %v", knp.Namespace, err)
+		}
+		if bnc.GetNetworkName() != netinfo.GetNetworkName() {
+			return nil
+		}
 		return bnc.deleteNetworkPolicy(knp)
 	default:
 		klog.Errorf("Can not process delete resource event, object type %s is not supported", objType)