TEST !!! Implement cluster-wide DPU host mode feature disabling

README.md

@@ -157,18 +157,6 @@ OVNKubernetes supports the following configuration options, all of which are opt
 * `egressIPConfig`: holds the configuration for EgressIP options.
   * `reachabilityTotalTimeoutSeconds`: Set EgressIP node reachability total timeout in seconds, 0 means disable reachability check and the default is 1 second.
 
-#### DPU Host Mode Support
-
-OVN-Kubernetes supports specialized hardware deployments such as DPU (Data Processing Unit) hosts through the `OVN_NODE_MODE` environment variable. In `dpu-host` mode, certain features are automatically disabled on those nodes regardless of cluster-wide configuration:
-
-- Egress IP and related features (egress firewall, egress QoS, egress service)
-- Multicast support
-- Multi-external gateway support
-- Multi-network policies and admin network policies
-- Network segmentation features
-
-This per-node feature enforcement is implemented through conditional logic in the startup scripts, allowing the same cluster configuration to work across heterogeneous node types. For detailed information about node modes and the technical implementation, see `docs/ovn_node_mode.md`.
-
 These configuration flags are only in the Operator configuration object.
 
 Example from the `manifests/cluster-network-03-config.yml` file:

bindata/network/ovn-kubernetes/common/008-script-lib.yaml

@@ -515,15 +515,9 @@ data:
 
       echo "I$(date "+%m%d %H:%M:%S.%N") - starting ovnkube-node"
 
-      # enable egress ip, egress firewall, egress qos, egress service
-      egress_features_enable_flag="--enable-egress-ip=true --enable-egress-firewall=true --enable-egress-qos=true --enable-egress-service=true"
       init_ovnkube_controller="--init-ovnkube-controller ${K8S_NODE}"
-      multi_external_gateway_enable_flag="--enable-multi-external-gateway=true"
       gateway_interface=br-ex
 
-      # enable multicast
-      enable_multicast_flag="--enable-multicast"
-
       # Use OVN_NODE_MODE environment variable, default to "full" if not set
       OVN_NODE_MODE=${OVN_NODE_MODE:-full}
       # We check only dpu-host mode and not smart-nic mode here as currently we do not support it yet
@@ -533,17 +527,9 @@ data:
         # https://github.com/ovn-kubernetes/ovn-kubernetes/pull/5327/files
         gateway_interface="derive-from-mgmt-port"
         ovnkube_node_mode="--ovnkube-node-mode dpu-host"
-        # disable egress ip for dpu-host mode as it is not supported
-        egress_features_enable_flag=""
-
-        # disable multicast for dpu-host mode as it is not supported
-        enable_multicast_flag=""
 
         # disable init-ovnkube-controller for dpu-host mode as it is not supported
         init_ovnkube_controller=""
-
-        # disable multi-external-gateway for dpu-host mode as it is not supported
-        multi_external_gateway_enable_flag=""
       fi
 
       if [ "{{.OVN_GATEWAY_MODE}}" == "shared" ]; then
@@ -589,12 +575,12 @@ data:
       fi
 
       multi_network_enabled_flag=
-      if [[ "{{.OVN_MULTI_NETWORK_ENABLE}}" == "true" && "${OVN_NODE_MODE}" != "dpu-host" ]]; then
+      if [[ "{{.OVN_MULTI_NETWORK_ENABLE}}" == "true" ]]; then
         multi_network_enabled_flag="--enable-multi-network"
       fi
 
       network_segmentation_enabled_flag=
-      if [[ "{{.OVN_NETWORK_SEGMENTATION_ENABLE}}" == "true" && "${OVN_NODE_MODE}" != "dpu-host" ]]; then
+      if [[ "{{.OVN_NETWORK_SEGMENTATION_ENABLE}}" == "true" ]]; then
         multi_network_enabled_flag="--enable-multi-network"
         network_segmentation_enabled_flag="--enable-network-segmentation"
       fi
@@ -615,12 +601,12 @@ data:
       fi
 
       multi_network_policy_enabled_flag=
-      if [[ "{{.OVN_MULTI_NETWORK_POLICY_ENABLE}}" == "true"&& "${OVN_NODE_MODE}" != "dpu-host" ]]; then
+      if [[ "{{.OVN_MULTI_NETWORK_POLICY_ENABLE}}" == "true" ]]; then
         multi_network_policy_enabled_flag="--enable-multi-networkpolicy"
       fi
 
       admin_network_policy_enabled_flag=
-      if [[ "{{.OVN_ADMIN_NETWORK_POLICY_ENABLE}}" == "true" && "${OVN_NODE_MODE}" != "dpu-host" ]]; then
+      if [[ "{{.OVN_ADMIN_NETWORK_POLICY_ENABLE}}" == "true" ]]; then
         admin_network_policy_enabled_flag="--enable-admin-network-policy"
       fi
 
@@ -629,6 +615,11 @@ data:
         dns_name_resolver_enabled_flag="--enable-dns-name-resolver"
       fi
 
+      enable_multicast_flag=""
+      if [[ "{{.OVN_MULTICAST_ENABLE}}" == "true" ]]; then
+        enable_multicast_flag="--enable-multicast"
+      fi
+
       # If IP Forwarding mode is global set it in the host here. IPv6 IP Forwarding shuld be
       # enabled for all interfaces at all times if cluster is configured as single stack IPv6
       # or dual stack. This will be taken care by ovn-kubernetes(ovn-org/ovn-kubernetes#4376).
@@ -693,7 +684,9 @@ data:
         --inactivity-probe="${OVN_CONTROLLER_INACTIVITY_PROBE}" \
         ${gateway_mode_flags} \
         ${node_mgmt_port_netdev_flags} \
-        ${ovnkube_node_mode} \
+{{- if eq .OVN_NODE_MODE "dpu-host" }}
+        --ovnkube-node-mode dpu-host \
+{{- end }}
         --metrics-bind-address "127.0.0.1:${metrics_port}" \
         --ovn-metrics-bind-address "127.0.0.1:${ovn_metrics_port}" \
         --metrics-enable-pprof \
@@ -722,7 +715,5 @@ data:
         ${ovn_v4_masquerade_subnet_opt} \
         ${ovn_v6_masquerade_subnet_opt} \
         ${ovn_v4_transit_switch_subnet_opt} \
-        ${ovn_v6_transit_switch_subnet_opt} \
-        ${egress_features_enable_flag} \
-        ${multi_external_gateway_enable_flag}
+        ${ovn_v6_transit_switch_subnet_opt}
     }

bindata/network/ovn-kubernetes/managed/004-config.yaml

@@ -33,9 +33,19 @@ data:
     dns-service-name="dns-default"
 
     [ovnkubernetesfeature]
+{{- if not .DPU_HOST_MODE_ENABLED }}
+    enable-egress-ip=false
+    enable-egress-firewall=false
+    enable-egress-qos=false
+    enable-egress-service=false
+    enable-multi-external-gateway=false
+{{- end }}
 {{- if .ReachabilityNodePort }}
     egressip-node-healthcheck-port={{.ReachabilityNodePort}}
 {{- end }}
+{{- if .OVN_MULTI_NETWORK_ENABLE }}
+    enable-multi-network=true
+{{- end }}
 {{- if .OVN_NETWORK_SEGMENTATION_ENABLE }}
     {{- if not .OVN_MULTI_NETWORK_ENABLE }}
     enable-multi-network=true
@@ -45,6 +55,12 @@ data:
 {{- if .OVN_PRE_CONF_UDN_ADDR_ENABLE }}
     enable-preconfigured-udn-addresses=true
 {{- end }}
+{{- if .OVN_MULTI_NETWORK_POLICY_ENABLE }}
+    enable-multi-networkpolicy=true
+{{- end }}
+{{- if .OVN_ADMIN_NETWORK_POLICY_ENABLE }}
+    enable-admin-network-policy=true
+{{- end }}
 {{- if .DNS_NAME_RESOLVER_ENABLE }}
     enable-dns-name-resolver=true
 {{- end }}
@@ -114,10 +130,13 @@ data:
     dns-service-name="dns-default"
 
     [ovnkubernetesfeature]
+{{- if not .DPU_HOST_MODE_ENABLED }}
     enable-egress-ip=true
     enable-egress-firewall=true
     enable-egress-qos=true
     enable-egress-service=true
+    enable-multi-external-gateway=true
+{{- end }}
 {{- if .ReachabilityNodePort }}
     egressip-node-healthcheck-port={{.ReachabilityNodePort}}
 {{- end }}
@@ -129,9 +148,21 @@ data:
     enable-multi-network=true
     {{- end }}
     enable-network-segmentation=true
+{{- end }}
 {{- if .OVN_PRE_CONF_UDN_ADDR_ENABLE }}
     enable-preconfigured-udn-addresses=true
 {{- end }}
+{{- if .OVN_MULTI_NETWORK_POLICY_ENABLE }}
+    enable-multi-networkpolicy=true
+{{- end }}
+{{- if .OVN_ADMIN_NETWORK_POLICY_ENABLE }}
+    enable-admin-network-policy=true
+{{- end }}
+{{- if .OVN_MULTI_NETWORK_POLICY_ENABLE }}
+    enable-multi-networkpolicy=true
+{{- end }}
+{{- if .OVN_ADMIN_NETWORK_POLICY_ENABLE }}
+    enable-admin-network-policy=true
 {{- end }}
 {{- if .DNS_NAME_RESOLVER_ENABLE }}
     enable-dns-name-resolver=true
@@ -141,7 +172,6 @@ data:
     mode={{.OVN_GATEWAY_MODE}}
     nodeport=true
 
-
     [logging]
     libovsdblogfile=/var/log/ovnkube/libovsdb.log
     logfile-maxsize=100

bindata/network/ovn-kubernetes/managed/ovnkube-control-plane.yaml

@@ -184,13 +184,8 @@ spec:
           # will rollout control plane pods as well
           network_segmentation_enabled_flag=
           multi_network_enabled_flag=
-          if [[ "{{.OVN_MULTI_NETWORK_ENABLE}}" == "true" ]]; then
-            multi_network_enabled_flag="--enable-multi-network"
-          fi
           if [[ "{{.OVN_NETWORK_SEGMENTATION_ENABLE}}" == "true" ]]; then
-            if [[ "{{.OVN_MULTI_NETWORK_ENABLE}}" != "true" ]]; then
-              multi_network_enabled_flag="--enable-multi-network"
-            fi
+            multi_network_enabled_flag="--enable-multi-network"
             network_segmentation_enabled_flag="--enable-network-segmentation"
           fi
 
@@ -204,18 +199,6 @@ spec:
             preconfigured_udn_addresses_enable_flag="--enable-preconfigured-udn-addresses"
           fi
 
-          # Enable multi-network policy if configured (control-plane always full mode)
-          multi_network_policy_enabled_flag=
-          if [[ "{{.OVN_MULTI_NETWORK_POLICY_ENABLE}}" == "true" ]]; then
-            multi_network_policy_enabled_flag="--enable-multi-networkpolicy"
-          fi
-
-          # Enable admin network policy if configured (control-plane always full mode)
-          admin_network_policy_enabled_flag=
-          if [[ "{{.OVN_ADMIN_NETWORK_POLICY_ENABLE}}" == "true" ]]; then
-            admin_network_policy_enabled_flag="--enable-admin-network-policy"
-          fi
-
           echo "I$(date "+%m%d %H:%M:%S.%N") - ovnkube-control-plane - start ovnkube --init-cluster-manager ${K8S_NODE}"
           exec /usr/bin/ovnkube \
             --enable-interconnect \
@@ -237,15 +220,7 @@ spec:
             ${multi_network_enabled_flag} \
             ${network_segmentation_enabled_flag} \
             ${route_advertisements_enable_flag} \
-            ${preconfigured_udn_addresses_enable_flag} \
-            --enable-egress-ip=true \
-            --enable-egress-firewall=true \
-            --enable-egress-qos=true \
-            --enable-egress-service=true \
-            --enable-multicast \
-            --enable-multi-external-gateway=true \
-            ${multi_network_policy_enabled_flag} \
-            ${admin_network_policy_enabled_flag}
+            ${preconfigured_udn_addresses_enable_flag}
         volumeMounts:
         - mountPath: /run/ovnkube-config/
           name: ovnkube-config

bindata/network/ovn-kubernetes/self-hosted/004-config.yaml

@@ -28,21 +28,30 @@ data:
     no-hostsubnet-nodes="kubernetes.io/os=windows"
 {{- end  }}
 {{- if .IsNetworkTypeLiveMigration }}
-    no-hostsubnet-nodes="migration.network.openshift.io/plugin="
+    no-hostsubnet-nodes="migration.network.openshift.io/plugin=ovn-kubernetes"
 {{- end }}
     platform-type="{{.PlatformType}}"
     healthz-bind-address="0.0.0.0:10256"
     dns-service-namespace="openshift-dns"
     dns-service-name="dns-default"
 
     [ovnkubernetesfeature]
-
-    {{- if .ReachabilityTotalTimeoutSeconds }}
+{{- if not .DPU_HOST_MODE_ENABLED }}
+    enable-egress-ip=false
+    enable-egress-firewall=false
+    enable-egress-qos=false
+    enable-egress-service=false
+    enable-multi-external-gateway=false
+{{- end }}
+{{- if .ReachabilityTotalTimeoutSeconds }}
     egressip-reachability-total-timeout={{.ReachabilityTotalTimeoutSeconds}}
-    {{- end }}
+{{- end }}
 {{- if .ReachabilityNodePort }}
     egressip-node-healthcheck-port={{.ReachabilityNodePort}}
 {{- end }}
+{{- if .OVN_MULTI_NETWORK_ENABLE }}
+    enable-multi-network=true
+{{- end }}
 {{- if .OVN_NETWORK_SEGMENTATION_ENABLE }}
     {{- if not .OVN_MULTI_NETWORK_ENABLE }}
     enable-multi-network=true
@@ -55,6 +64,9 @@ data:
 {{- if .OVN_MULTI_NETWORK_POLICY_ENABLE }}
     enable-multi-networkpolicy=true
 {{- end }}
+{{- if .OVN_ADMIN_NETWORK_POLICY_ENABLE }}
+    enable-admin-network-policy=true
+{{- end }}
 {{- if .DNS_NAME_RESOLVER_ENABLE }}
     enable-dns-name-resolver=true
 {{- end }}

bindata/network/ovn-kubernetes/self-hosted/ovnkube-control-plane.yaml

@@ -135,13 +135,8 @@ spec:
           # will rollout control plane pods as well
           network_segmentation_enabled_flag=
           multi_network_enabled_flag=
-          if [[ "{{.OVN_MULTI_NETWORK_ENABLE}}" == "true" ]]; then
-            multi_network_enabled_flag="--enable-multi-network"
-          fi
           if [[ "{{.OVN_NETWORK_SEGMENTATION_ENABLE}}" == "true" ]]; then
-            if [[ "{{.OVN_MULTI_NETWORK_ENABLE}}" != "true" ]]; then
-              multi_network_enabled_flag="--enable-multi-network"
-            fi
+            multi_network_enabled_flag="--enable-multi-network"
             network_segmentation_enabled_flag="--enable-network-segmentation"
           fi
 
@@ -154,18 +149,6 @@ spec:
           if [[ "{{.OVN_PRE_CONF_UDN_ADDR_ENABLE}}" == "true" ]]; then
             preconfigured_udn_addresses_enable_flag="--enable-preconfigured-udn-addresses"
           fi
-
-          # Enable multi-network policy if configured (control-plane always full mode)
-          multi_network_policy_enabled_flag=
-          if [[ "{{.OVN_MULTI_NETWORK_POLICY_ENABLE}}" == "true" ]]; then
-            multi_network_policy_enabled_flag="--enable-multi-networkpolicy"
-          fi
-
-          # Enable admin network policy if configured (control-plane always full mode)
-          admin_network_policy_enabled_flag=
-          if [[ "{{.OVN_ADMIN_NETWORK_POLICY_ENABLE}}" == "true" ]]; then
-            admin_network_policy_enabled_flag="--enable-admin-network-policy"
-          fi
 
           if [ "{{.OVN_GATEWAY_MODE}}" == "shared" ]; then
             gateway_mode_flags="--gateway-mode shared"
@@ -195,15 +178,7 @@ spec:
             ${network_segmentation_enabled_flag} \
             ${gateway_mode_flags} \
             ${route_advertisements_enable_flag} \
-            ${preconfigured_udn_addresses_enable_flag} \
-            --enable-egress-ip=true \
-            --enable-egress-firewall=true \
-            --enable-egress-qos=true \
-            --enable-egress-service=true \
-            --enable-multicast \
-            --enable-multi-external-gateway=true \
-            ${multi_network_policy_enabled_flag} \
-            ${admin_network_policy_enabled_flag}
+            ${preconfigured_udn_addresses_enable_flag}
         volumeMounts:
         - mountPath: /run/ovnkube-config/
           name: ovnkube-config

docs/architecture.md

@@ -141,12 +141,6 @@ The Network operator needs to make sure that the input configuration doesn't cha
 
 The persisted configuration must **make all defaults explicit**. This protects against inadvertent code changes that could destabilize an existing cluster.
 
-### Per-Node Configuration
-
-For certain specialized deployments (e.g., DPU host nodes), some features need to be disabled on a per-node basis even when enabled cluster-wide. Since ConfigMap values cannot be reliably overridden per-node, the CNO implements per-node feature enforcement through conditional logic in the startup scripts.
-
-The `OVN_NODE_MODE` environment variable is injected into `ovnkube-node` pods and consumed by the startup script (`008-script-lib.yaml`) to conditionally enable or disable features based on the node's operational mode. This ensures that unsupported features are deterministically disabled on specialized hardware regardless of cluster-wide configuration.
-
 ## Egress Router
 
 **Input:** `EgressRouter.network.operator.openshift.io`