> Questions:
> - what is the role of the "Network port security" option for an OVN network?

It means that newly created ports under that network will inherit the
port security value from the network - e.g. if the network's port
security attribute is active, so will the newly created port's port
security.

Port security on a port means 2 things:
  #1 - security group rules *will* apply to the VM having that port attached
  #2 - only the specified mac address will be allowed to send/receive
through that port. MAC spoofing protection is applied.

> - what is the meaning of "Undefined" option for it other than "Enabled" and "Disabled"?

It means that the network will inherit the value from the provider's
configuration - you can check what it translates to in
/etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf

> - it seems I cannot edit the value for "Network port security" option of an existing OVN network, is it correct?

You cannot do it *through the UI*. You can use ansible / REST api to
update the network - or ports - port_security_enabled value.

I am working on creating a couple of playbooks for this; hopefully I
can provide those early next week. It would be helpful to agilize this
process.

There is a notion of 'default' group, that ensures connectivity to all
VMs whose ports belong to that group - and all ports with active port
security, by default do.

I'm not sure how you reached that situation, but let's first make sure
of a couple of things; please provider the output of:
  - ovn-nbctl list logical_switch_port # this will feature info of the
port security value, and of which groups the port belongs to - the
latter in the 'external_ids' column.
  - ovn-nbctl list port_group # this is where the security groups are
stored; it has associations to the ACLs belonging to the group, and of
the ports that are using it
  - ovn-nbctl list address_set # this is where the IPs per group are
stored. security groups are an L3 concept.

A pastebin with the aforementioned info is welcome.