Merge pull request #5202 from npinaeva/udn-acl-tier

tssurya · web-flow · commit 176d15299466 · 2025-07-15T20:19:12.000+02:00
UDN isolation: move ACLs to the higher-prio Primary tier
diff --git a/go-controller/pkg/libovsdb/util/acl.go b/go-controller/pkg/libovsdb/util/acl.go
@@ -88,11 +88,18 @@ func GetACLName(dbIDs *libovsdbops.DbObjectIDs) string {
 	return fmt.Sprintf("%.63s", aclName)
 }
 
+// BuildACLWithDefaultTier is used for the most ACL-related features with the default ACL tier.
+// That includes egress firewall, network policy, multicast.
+func BuildACLWithDefaultTier(dbIDs *libovsdbops.DbObjectIDs, priority int, match, action string, logLevels *ACLLoggingLevels,
+	aclT ACLPipelineType) *nbdb.ACL {
+	return BuildACL(dbIDs, priority, match, action, logLevels, aclT, types.DefaultACLTier)
+}
+
 // BuildACL should be used to build ACL instead of directly calling libovsdbops.BuildACL.
 // It can properly set and reset log settings for ACL based on ACLLoggingLevels, and
 // set acl.Name and acl.ExternalIDs based on given DbIDs
 func BuildACL(dbIDs *libovsdbops.DbObjectIDs, priority int, match, action string, logLevels *ACLLoggingLevels,
-	aclT ACLPipelineType) *nbdb.ACL {
+	aclT ACLPipelineType, tier int) *nbdb.ACL {
 	var options map[string]string
 	var direction string
 	switch aclT {
@@ -122,14 +129,13 @@ func BuildACL(dbIDs *libovsdbops.DbObjectIDs, priority int, match, action string
 		log,
 		externalIDs,
 		options,
-		types.DefaultACLTier,
+		tier,
 	)
 	return ACL
 }
 
 func BuildANPACL(dbIDs *libovsdbops.DbObjectIDs, priority int, match, action string, aclT ACLPipelineType, logLevels *ACLLoggingLevels) *nbdb.ACL {
-	anpACL := BuildACL(dbIDs, priority, match, action, logLevels, aclT)
-	anpACL.Tier = GetACLTier(dbIDs)
+	anpACL := BuildACL(dbIDs, priority, match, action, logLevels, aclT, GetACLTier(dbIDs))
 	return anpACL
 }
 
diff --git a/go-controller/pkg/ovn/admin_network_policy_test.go b/go-controller/pkg/ovn/admin_network_policy_test.go
@@ -94,7 +94,7 @@ func getANPGressACL(action, anpName, direction string, rulePriority int32,
 	ruleIndex int32, ports *[]anpapi.AdminNetworkPolicyPort,
 	namedPorts map[string][]libovsdbutil.NamedNetworkPolicyPort, banp bool) []*nbdb.ACL {
 	retACLs := []*nbdb.ACL{}
-	// we are not using BuildACL and instead manually building it on purpose so that the code path for BuildACL is also tested
+	// we are not using BuildACLWithDefaultTier and instead manually building it on purpose so that the code path for BuildACLWithDefaultTier is also tested
 	acl := nbdb.ACL{}
 	acl.Action = action
 	acl.Severity = nil
diff --git a/go-controller/pkg/ovn/base_network_controller_multicast.go b/go-controller/pkg/ovn/base_network_controller_multicast.go
@@ -119,13 +119,13 @@ func (bnc *BaseNetworkController) createMulticastAllowPolicy(ns string, nsInfo *
 	egressMatch := libovsdbutil.GetACLMatch(portGroupName, bnc.getMulticastACLEgrMatch(), aclDir)
 	dbIDs := getNamespaceMcastACLDbIDs(ns, aclDir, bnc.controllerName)
 	aclPipeline := libovsdbutil.ACLDirectionToACLPipeline(aclDir)
-	egressACL := libovsdbutil.BuildACL(dbIDs, types.DefaultMcastAllowPriority, egressMatch, nbdb.ACLActionAllow, nil, aclPipeline)
+	egressACL := libovsdbutil.BuildACLWithDefaultTier(dbIDs, types.DefaultMcastAllowPriority, egressMatch, nbdb.ACLActionAllow, nil, aclPipeline)
 
 	aclDir = libovsdbutil.ACLIngress
 	ingressMatch := libovsdbutil.GetACLMatch(portGroupName, bnc.getMulticastACLIgrMatch(nsInfo), aclDir)
 	dbIDs = getNamespaceMcastACLDbIDs(ns, aclDir, bnc.controllerName)
 	aclPipeline = libovsdbutil.ACLDirectionToACLPipeline(aclDir)
-	ingressACL := libovsdbutil.BuildACL(dbIDs, types.DefaultMcastAllowPriority, ingressMatch, nbdb.ACLActionAllow, nil, aclPipeline)
+	ingressACL := libovsdbutil.BuildACLWithDefaultTier(dbIDs, types.DefaultMcastAllowPriority, ingressMatch, nbdb.ACLActionAllow, nil, aclPipeline)
 
 	acls := []*nbdb.ACL{egressACL, ingressACL}
 	ops, err := libovsdbops.CreateOrUpdateACLsOps(bnc.nbClient, nil, bnc.GetSamplingConfig(), acls...)
@@ -186,7 +186,7 @@ func (bnc *BaseNetworkController) createDefaultDenyMulticastPolicy() error {
 	for _, aclDir := range []libovsdbutil.ACLDirection{libovsdbutil.ACLEgress, libovsdbutil.ACLIngress} {
 		dbIDs := getDefaultMcastACLDbIDs(mcastDefaultDenyID, aclDir, bnc.controllerName)
 		aclPipeline := libovsdbutil.ACLDirectionToACLPipeline(aclDir)
-		acl := libovsdbutil.BuildACL(dbIDs, types.DefaultMcastDenyPriority, match, nbdb.ACLActionDrop, nil, aclPipeline)
+		acl := libovsdbutil.BuildACLWithDefaultTier(dbIDs, types.DefaultMcastDenyPriority, match, nbdb.ACLActionDrop, nil, aclPipeline)
 		acls = append(acls, acl)
 	}
 	ops, err := libovsdbops.CreateOrUpdateACLsOps(bnc.nbClient, nil, bnc.GetSamplingConfig(), acls...)
@@ -228,7 +228,7 @@ func (bnc *BaseNetworkController) createDefaultAllowMulticastPolicy() error {
 		match := libovsdbutil.GetACLMatch(rtrPGName, mcastMatch, aclDir)
 		dbIDs := getDefaultMcastACLDbIDs(mcastAllowInterNodeID, aclDir, bnc.controllerName)
 		aclPipeline := libovsdbutil.ACLDirectionToACLPipeline(aclDir)
-		acl := libovsdbutil.BuildACL(dbIDs, types.DefaultMcastAllowPriority, match, nbdb.ACLActionAllow, nil, aclPipeline)
+		acl := libovsdbutil.BuildACLWithDefaultTier(dbIDs, types.DefaultMcastAllowPriority, match, nbdb.ACLActionAllow, nil, aclPipeline)
 		acls = append(acls, acl)
 	}
 
diff --git a/go-controller/pkg/ovn/base_network_controller_policy.go b/go-controller/pkg/ovn/base_network_controller_policy.go
@@ -252,11 +252,11 @@ func (bnc *BaseNetworkController) addHairpinAllowACL() error {
 	}
 
 	ingressACLIDs := bnc.getNetpolDefaultACLDbIDs(string(knet.PolicyTypeIngress))
-	ingressACL := libovsdbutil.BuildACL(ingressACLIDs, types.DefaultAllowPriority, match,
+	ingressACL := libovsdbutil.BuildACLWithDefaultTier(ingressACLIDs, types.DefaultAllowPriority, match,
 		nbdb.ACLActionAllowRelated, nil, libovsdbutil.LportIngress)
 
 	egressACLIDs := bnc.getNetpolDefaultACLDbIDs(string(knet.PolicyTypeEgress))
-	egressACL := libovsdbutil.BuildACL(egressACLIDs, types.DefaultAllowPriority, match,
+	egressACL := libovsdbutil.BuildACLWithDefaultTier(egressACLIDs, types.DefaultAllowPriority, match,
 		nbdb.ACLActionAllowRelated, nil, libovsdbutil.LportEgressAfterLB)
 
 	ops, err := libovsdbops.CreateOrUpdateACLsOps(bnc.nbClient, nil, nil, ingressACL, egressACL)
@@ -335,7 +335,7 @@ func (bnc *BaseNetworkController) addAllowACLFromNode(switchName string, mgmtPor
 	}
 	match := fmt.Sprintf("%s.src==%s", ipFamily, mgmtPortIP.String())
 	dbIDs := getAllowFromNodeACLDbIDs(switchName, mgmtPortIP.String(), bnc.controllerName)
-	nodeACL := libovsdbutil.BuildACL(dbIDs, types.DefaultAllowPriority, match,
+	nodeACL := libovsdbutil.BuildACLWithDefaultTier(dbIDs, types.DefaultAllowPriority, match,
 		nbdb.ACLActionAllowRelated, nil, libovsdbutil.LportIngress)
 
 	ops, err := libovsdbops.CreateOrUpdateACLsOps(bnc.nbClient, nil, bnc.GetSamplingConfig(), nodeACL)
@@ -388,9 +388,9 @@ func (bnc *BaseNetworkController) buildDenyACLs(namespace, pgName string, aclLog
 	allowMatch := libovsdbutil.GetACLMatch(pgName, arpAllowPolicyMatch, aclDir)
 	aclPipeline := libovsdbutil.ACLDirectionToACLPipeline(aclDir)
 
-	denyACL = libovsdbutil.BuildACL(bnc.getDefaultDenyPolicyACLIDs(namespace, aclDir, defaultDenyACL),
+	denyACL = libovsdbutil.BuildACLWithDefaultTier(bnc.getDefaultDenyPolicyACLIDs(namespace, aclDir, defaultDenyACL),
 		types.DefaultDenyPriority, denyMatch, nbdb.ACLActionDrop, aclLogging, aclPipeline)
-	allowACL = libovsdbutil.BuildACL(bnc.getDefaultDenyPolicyACLIDs(namespace, aclDir, arpAllowACL),
+	allowACL = libovsdbutil.BuildACLWithDefaultTier(bnc.getDefaultDenyPolicyACLIDs(namespace, aclDir, arpAllowACL),
 		types.DefaultAllowPriority, allowMatch, nbdb.ACLActionAllow, nil, aclPipeline)
 	return
 }
diff --git a/go-controller/pkg/ovn/egressfirewall.go b/go-controller/pkg/ovn/egressfirewall.go
@@ -467,7 +467,7 @@ func (oc *DefaultNetworkController) addEgressFirewallRules(ef *egressFirewall, p
 func (oc *DefaultNetworkController) createEgressFirewallACLOps(ops []ovsdb.Operation, ruleIdx int, match, action, namespace, pgName string, aclLogging *libovsdbutil.ACLLoggingLevels) ([]ovsdb.Operation, error) {
 	aclIDs := oc.getEgressFirewallACLDbIDs(namespace, ruleIdx)
 	priority := types.EgressFirewallStartPriority - ruleIdx
-	egressFirewallACL := libovsdbutil.BuildACL(
+	egressFirewallACL := libovsdbutil.BuildACLWithDefaultTier(
 		aclIDs,
 		priority,
 		match,
diff --git a/go-controller/pkg/ovn/gateway_test.go b/go-controller/pkg/ovn/gateway_test.go
@@ -43,7 +43,7 @@ func generateAdvertisedUDNIsolationExpectedNB(testData []libovsdbtest.TestData,
 		passMatches = append(passMatches, fmt.Sprintf("(%s.src == %s && %s.dst == %s)", ipPrefix, subnet, ipPrefix, subnet))
 
 	}
-	passACL := libovsdbutil.BuildACL(
+	passACL := libovsdbutil.BuildACLWithDefaultTier(
 		GetAdvertisedNetworkSubnetsPassACLdbIDs(DefaultNetworkControllerName, networkName, networkID),
 		types.AdvertisedNetworkPassPriority,
 		strings.Join(passMatches, " || "),
diff --git a/go-controller/pkg/ovn/gress_policy.go b/go-controller/pkg/ovn/gress_policy.go
@@ -288,7 +288,7 @@ func (gp *gressPolicy) buildLocalPodACLs(portGroupName string, aclLogging *libov
 			ipBlockMatches := gp.getMatchFromIPBlock(lportMatch, l4Match)
 			for ipBlockIdx, ipBlockMatch := range ipBlockMatches {
 				aclIDs := gp.getNetpolACLDbIDs(ipBlockIdx, protocol)
-				acl := libovsdbutil.BuildACL(aclIDs, types.DefaultAllowPriority, ipBlockMatch, action,
+				acl := libovsdbutil.BuildACLWithDefaultTier(aclIDs, types.DefaultAllowPriority, ipBlockMatch, action,
 					aclLogging, gp.aclPipeline)
 				createdACLs = append(createdACLs, acl)
 			}
@@ -309,7 +309,7 @@ func (gp *gressPolicy) buildLocalPodACLs(portGroupName string, aclLogging *libov
 				addrSetMatch = fmt.Sprintf("%s && %s && %s", l3Match, l4Match, lportMatch)
 			}
 			aclIDs := gp.getNetpolACLDbIDs(emptyIdx, protocol)
-			acl := libovsdbutil.BuildACL(aclIDs, types.DefaultAllowPriority, addrSetMatch, action,
+			acl := libovsdbutil.BuildACLWithDefaultTier(aclIDs, types.DefaultAllowPriority, addrSetMatch, action,
 				aclLogging, gp.aclPipeline)
 			if l3Match == "" {
 				// if l3Match is empty, then no address sets are selected for a given gressPolicy.
diff --git a/go-controller/pkg/ovn/udn_isolation.go b/go-controller/pkg/ovn/udn_isolation.go
@@ -30,6 +30,8 @@ const (
 	DenySecondaryACL      = "DenySecondary"
 	// OpenPortACLPrefix is used to build per-pod ACLs, pod name should be added to the prefix to build a unique name
 	OpenPortACLPrefix = "OpenPort-"
+	// the same tier is used for all UDN isolation ACLs
+	isolationTier = types.PrimaryACLTier
 )
 
 // setupUDNACLs should be called after the node's management port was configured
@@ -63,7 +65,8 @@ func (oc *DefaultNetworkController) setupUDNACLs(mgmtPortIPs []net.IP) error {
 	pgName := libovsdbutil.GetPortGroupName(pgIDs)
 	egressDenyIDs := oc.getUDNACLDbIDs(DenySecondaryACL, libovsdbutil.ACLEgress)
 	match := libovsdbutil.GetACLMatch(pgName, "", libovsdbutil.ACLEgress)
-	egressDenyACL := libovsdbutil.BuildACL(egressDenyIDs, types.PrimaryUDNDenyPriority, match, nbdb.ACLActionDrop, nil, libovsdbutil.LportEgress)
+	egressDenyACL := libovsdbutil.BuildACL(egressDenyIDs, types.PrimaryUDNDenyPriority, match, nbdb.ACLActionDrop,
+		nil, libovsdbutil.LportEgress, isolationTier)
 
 	getARPMatch := func(direction libovsdbutil.ACLDirection) string {
 		match := "("
@@ -89,15 +92,18 @@ func (oc *DefaultNetworkController) setupUDNACLs(mgmtPortIPs []net.IP) error {
 
 	egressARPIDs := oc.getUDNACLDbIDs(AllowHostARPACL, libovsdbutil.ACLEgress)
 	match = libovsdbutil.GetACLMatch(pgName, getARPMatch(libovsdbutil.ACLEgress), libovsdbutil.ACLEgress)
-	egressARPACL := libovsdbutil.BuildACL(egressARPIDs, types.PrimaryUDNAllowPriority, match, nbdb.ACLActionAllow, nil, libovsdbutil.LportEgress)
+	egressARPACL := libovsdbutil.BuildACL(egressARPIDs, types.PrimaryUDNAllowPriority, match, nbdb.ACLActionAllow,
+		nil, libovsdbutil.LportEgress, isolationTier)
 
 	ingressDenyIDs := oc.getUDNACLDbIDs(DenySecondaryACL, libovsdbutil.ACLIngress)
 	match = libovsdbutil.GetACLMatch(pgName, "", libovsdbutil.ACLIngress)
-	ingressDenyACL := libovsdbutil.BuildACL(ingressDenyIDs, types.PrimaryUDNDenyPriority, match, nbdb.ACLActionDrop, nil, libovsdbutil.LportIngress)
+	ingressDenyACL := libovsdbutil.BuildACL(ingressDenyIDs, types.PrimaryUDNDenyPriority, match, nbdb.ACLActionDrop,
+		nil, libovsdbutil.LportIngress, isolationTier)
 
 	ingressARPIDs := oc.getUDNACLDbIDs(AllowHostARPACL, libovsdbutil.ACLIngress)
 	match = libovsdbutil.GetACLMatch(pgName, getARPMatch(libovsdbutil.ACLIngress), libovsdbutil.ACLIngress)
-	ingressARPACL := libovsdbutil.BuildACL(ingressARPIDs, types.PrimaryUDNAllowPriority, match, nbdb.ACLActionAllow, nil, libovsdbutil.LportIngress)
+	ingressARPACL := libovsdbutil.BuildACL(ingressARPIDs, types.PrimaryUDNAllowPriority, match, nbdb.ACLActionAllow,
+		nil, libovsdbutil.LportIngress, isolationTier)
 
 	ingressAllowIDs := oc.getUDNACLDbIDs(AllowHostSecondaryACL, libovsdbutil.ACLIngress)
 	match = "("
@@ -114,7 +120,8 @@ func (oc *DefaultNetworkController) setupUDNACLs(mgmtPortIPs []net.IP) error {
 	}
 	match += ")"
 	match = libovsdbutil.GetACLMatch(pgName, match, libovsdbutil.ACLIngress)
-	ingressAllowACL := libovsdbutil.BuildACL(ingressAllowIDs, types.PrimaryUDNAllowPriority, match, nbdb.ACLActionAllowRelated, nil, libovsdbutil.LportIngress)
+	ingressAllowACL := libovsdbutil.BuildACL(ingressAllowIDs, types.PrimaryUDNAllowPriority, match, nbdb.ACLActionAllowRelated,
+		nil, libovsdbutil.LportIngress, isolationTier)
 
 	ops, err := libovsdbops.CreateOrUpdateACLsOps(oc.nbClient, nil, oc.GetSamplingConfig(), egressDenyACL, egressARPACL, ingressARPACL, ingressDenyACL, ingressAllowACL)
 	if err != nil {
@@ -200,11 +207,11 @@ func (oc *DefaultNetworkController) setUDNPodOpenPortsOps(podNamespacedName stri
 	// don't return on parseErr, as we need to cleanup potentially present ACLs from the previous config
 	ingressIDs := oc.getUDNOpenPortDbIDs(podNamespacedName, libovsdbutil.ACLIngress)
 	ingressACL := libovsdbutil.BuildACL(ingressIDs, types.PrimaryUDNAllowPriority,
-		ingressMatch, nbdb.ACLActionAllowRelated, nil, libovsdbutil.LportIngress)
+		ingressMatch, nbdb.ACLActionAllowRelated, nil, libovsdbutil.LportIngress, isolationTier)
 
 	egressIDs := oc.getUDNOpenPortDbIDs(podNamespacedName, libovsdbutil.ACLEgress)
 	egressACL := libovsdbutil.BuildACL(egressIDs, types.PrimaryUDNAllowPriority,
-		egressMatch, nbdb.ACLActionAllow, nil, libovsdbutil.LportEgress)
+		egressMatch, nbdb.ACLActionAllow, nil, libovsdbutil.LportEgress, isolationTier)
 
 	var err error
 	if ingressMatch == "" && egressMatch == "" || parseErr != nil {
@@ -288,8 +295,8 @@ func BuildAdvertisedNetworkSubnetsDropACL(advertisedNetworkSubnetsAddressSet add
 		strings.Join(dropMatches, " || "),
 		nbdb.ACLActionDrop,
 		nil,
-		libovsdbutil.LportEgressAfterLB)
-	dropACL.Tier = types.PrimaryACLTier
+		libovsdbutil.LportEgressAfterLB,
+		isolationTier)
 	return dropACL
 }
 
@@ -331,8 +338,8 @@ func (bnc *BaseNetworkController) addAdvertisedNetworkIsolation(nodeName string)
 			strings.Join(passMatches, " || "),
 			nbdb.ACLActionPass,
 			nil,
-			libovsdbutil.LportEgressAfterLB)
-		passACL.Tier = types.PrimaryACLTier
+			libovsdbutil.LportEgressAfterLB,
+			isolationTier)
 
 		ops, err = libovsdbops.CreateOrUpdateACLsOps(bnc.nbClient, ops, nil, passACL)
 		if err != nil {
diff --git a/go-controller/pkg/ovn/udn_isolation_test.go b/go-controller/pkg/ovn/udn_isolation_test.go
@@ -0,0 +1,53 @@
+package ovn
+
+import (
+	"github.com/ovn-org/ovn-kubernetes/go-controller/pkg/config"
+	libovsdbops "github.com/ovn-org/ovn-kubernetes/go-controller/pkg/libovsdb/ops"
+	libovsdbutil "github.com/ovn-org/ovn-kubernetes/go-controller/pkg/libovsdb/util"
+	"github.com/ovn-org/ovn-kubernetes/go-controller/pkg/nbdb"
+	libovsdbtest "github.com/ovn-org/ovn-kubernetes/go-controller/pkg/testing/libovsdb"
+	"github.com/ovn-org/ovn-kubernetes/go-controller/pkg/types"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+)
+
+var _ = Describe("UDN Isolation", func() {
+	BeforeEach(func() {
+		Expect(config.PrepareTestConfig()).To(Succeed())
+	})
+
+	It("ACLs should be updated to the Primary tier ", func() {
+		config.OVNKubernetesFeature.EnableMultiNetwork = true
+		config.OVNKubernetesFeature.EnableNetworkSegmentation = true
+		fakeController := getFakeController(DefaultNetworkControllerName)
+
+		// build port group with one ACL that has default tier
+		pgIDs := fakeController.getSecondaryPodsPortGroupDbIDs()
+		pgName := libovsdbutil.GetPortGroupName(pgIDs)
+		egressDenyIDs := fakeController.getUDNACLDbIDs(DenySecondaryACL, libovsdbutil.ACLEgress)
+		match := libovsdbutil.GetACLMatch(pgName, "", libovsdbutil.ACLEgress)
+		// in the real code we use BuildACL here instead of BuildACLWithDefaultTier
+		egressDenyACL := libovsdbutil.BuildACLWithDefaultTier(egressDenyIDs, types.PrimaryUDNDenyPriority, match, nbdb.ACLActionDrop,
+			nil, libovsdbutil.LportEgress)
+		// required to make sure port group correctly references the ACL
+		egressDenyACL.UUID = egressDenyIDs.String() + "-UUID"
+		pg := libovsdbutil.BuildPortGroup(pgIDs, nil, []*nbdb.ACL{egressDenyACL})
+
+		nbClient, nbCleanup, err := libovsdbtest.NewNBTestHarness(libovsdbtest.TestSetup{
+			NBData: []libovsdbtest.TestData{egressDenyACL, pg},
+		}, nil)
+		Expect(err).NotTo(HaveOccurred())
+		defer nbCleanup.Cleanup()
+		fakeController.nbClient = nbClient
+
+		// now run the setupUDNACLs function which should create all ACLs and update the existing ACLs to the Primary tier
+		Expect(fakeController.setupUDNACLs(nil)).To(Succeed())
+
+		// verify that the egressDenyACL is updated to the Primary 0
+		acls, err := libovsdbops.FindACLs(nbClient, []*nbdb.ACL{egressDenyACL})
+		Expect(err).NotTo(HaveOccurred())
+		Expect(acls).To(HaveLen(1))
+		Expect(acls[0].Tier).To(Equal(types.PrimaryACLTier))
+	})
+})
diff --git a/go-controller/pkg/types/const.go b/go-controller/pkg/types/const.go
@@ -74,7 +74,7 @@ const (
 	TransitSwitchToRouterPrefix = "tstor-"
 	RouterToTransitSwitchPrefix = "rtots-"
 
-	// ACL Default Tier Priorities
+	// DefaultACLTier Priorities
 
 	// Default routed multicast allow acl rule priority
 	DefaultRoutedMcastAllowPriority = 1013
@@ -91,16 +91,15 @@ const (
 	// Deny priority for isolated advertised networks
 	AdvertisedNetworkDenyPriority = 1050
 
-	// ACL PlaceHolderACL Tier Priorities
+	// PrimaryACLTier Priorities
+
 	PrimaryUDNAllowPriority = 1001
 	// Default deny acl rule priority
 	PrimaryUDNDenyPriority = 1000
 
 	// ACL Tiers
 	// Tier 0 is called Primary as it is evaluated before any other feature-related Tiers.
 	// Currently used for User Defined Network Feature.
-	// NOTE: When we upgrade from an OVN version without tiers to the new version with
-	// tiers, all values in the new ACL.Tier column will be set to 0.
 	PrimaryACLTier = 0
 	// Default Tier for all ACLs
 	DefaultACLTier = 2
diff --git a/test/e2e/network_segmentation.go b/test/e2e/network_segmentation.go
@@ -876,12 +876,13 @@ var _ = Describe("Network Segmentation", feature.NetworkSegmentation, func() {
 					cidr:     correctCIDRFamily(userDefinedNetworkIPv4Subnet, userDefinedNetworkIPv6Subnet),
 					role:     "primary",
 				}),
-				ginkgo.Entry("with primary layer2 UDN", networkAttachmentConfigParams{
-					name:     nadName,
-					topology: "layer2",
-					cidr:     correctCIDRFamily(userDefinedNetworkIPv4Subnet, userDefinedNetworkIPv6Subnet),
-					role:     "primary",
-				}),
+				// TODO: this test is broken, see https://github.com/ovn-kubernetes/ovn-kubernetes/issues/5309
+				//ginkgo.Entry("with primary layer2 UDN", networkAttachmentConfigParams{
+				//	name:     nadName,
+				//	topology: "layer2",
+				//	cidr:     correctCIDRFamily(userDefinedNetworkIPv4Subnet, userDefinedNetworkIPv6Subnet),
+				//	role:     "primary",
+				//}),
 			)
 		})
 	})

Original file line number	Diff line number	Diff line change
`@@ -43,7 +43,7 @@ func generateAdvertisedUDNIsolationExpectedNB(testData []libovsdbtest.TestData,`
`43`	`43`	`passMatches = append(passMatches, fmt.Sprintf("(%s.src == %s && %s.dst == %s)", ipPrefix, subnet, ipPrefix, subnet))`
`44`	`44`
`45`	`45`	`}`
`46`		`- passACL := libovsdbutil.BuildACL(`
	`46`	`+ passACL := libovsdbutil.BuildACLWithDefaultTier(`
`47`	`47`	`GetAdvertisedNetworkSubnetsPassACLdbIDs(DefaultNetworkControllerName, networkName, networkID),`
`48`	`48`	`types.AdvertisedNetworkPassPriority,`
`49`	`49`	`strings.Join(passMatches, " \|\| "),`