Heads up - we wanted to make people aware of a recent upstream CAPO change that could break your Magnum setup if using Cluster API and the Octavia OVN driver.

What we've seen is that a recent contribution to CAPO tightens the security group rules for NodePorts to the local tenant network.  This works fine for Octavia's Amphora driver, in which HAproxy becomes the source for all back-end API requests.  The Octavia OVN driver doesn't have that behaviour, which results in inbound requests getting filtered.

The CAPO release is v0.11.0 (https://github.com/kubernetes-sigs/cluster-api-provider-openstack/releases/tag/v0.11.0)

The issue is described here: https://github.com/kubernetes-sigs/cluster-api-provider-openstack/issues/2333

The Magnum drivers will pin CAPO driver versions so it's more of a developer / power-user concern than for conventional operators.

Cheers,

Stig