OpenShift Bugs: OCPBUGS-16207

[CORS-2602]Installer should check whether the specified custom security groups exceeded the maximum number allowed


      Description of problem:

      According to https://docs.aws.amazon.com/vpc/latest/userguide/amazon-vpc-limits.html, the default number of security groups per network interface is 5 and the quota can be raised to at most 16, so the installer should pre-check the number of custom security groups provided.
      
      When more than 15 are specified (the maximum is 16, and the installer also creates one of its own, ${var.cluster_id}-master-sg or ${var.cluster_id}-worker-sg), the installer should quit and warn the user about this.
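      The pre-check described above, as an added illustration that is not the openshift/installer's own code: a validation over a machine pool's additionalSecurityGroupIDs that rejects more than 15 custom groups (the AWS per-ENI maximum of 16 minus the one group the installer attaches itself). The MachinePool type, constant names and placeholder IDs are assumptions made for this example; duplicate IDs are counted once, since AWS attaches each group to an interface only once.

```go
package main

import "fmt"

// Assumed constants for this example: AWS allows at most 16 security groups
// per network interface (the default quota is 5, adjustable to 16), and the
// installer always attaches its own <cluster_id>-master-sg / -worker-sg group.
const (
	maxSecurityGroupsPerENI = 16
	installerManagedGroups  = 1
	maxCustomSecurityGroups = maxSecurityGroupsPerENI - installerManagedGroups // 15
)

// MachinePool mirrors only the install-config fields this check needs (assumed shape).
type MachinePool struct {
	Name                       string
	AdditionalSecurityGroupIDs []string
}

// ValidateAdditionalSecurityGroups returns an error when the pool's custom
// security groups, plus the installer-managed one, would exceed the AWS limit,
// so the installer can abort before any machine fails with
// "exceeded the maximum number of security groups allowed per network interface".
func ValidateAdditionalSecurityGroups(pool MachinePool) error {
	seen := make(map[string]struct{}, len(pool.AdditionalSecurityGroupIDs))
	for _, id := range pool.AdditionalSecurityGroupIDs {
		seen[id] = struct{}{} // duplicates are attached once, so count each ID once
	}
	if n := len(seen); n > maxCustomSecurityGroups {
		return fmt.Errorf("%s.platform.aws.additionalSecurityGroupIDs: %d custom security groups specified, but at most %d are allowed (AWS permits %d per network interface and the installer attaches %d of its own)",
			pool.Name, n, maxCustomSecurityGroups, maxSecurityGroupsPerENI, installerManagedGroups)
	}
	return nil
}

// SampleSecurityGroupIDs builds n constructed placeholder IDs (not real groups).
func SampleSecurityGroupIDs(n int) []string {
	ids := make([]string, n)
	for i := range ids {
		ids[i] = fmt.Sprintf("sg-%017x", i) // placeholder, same shape as a real ID
	}
	return ids
}

func main() {
	// Constructed sample with 16 IDs, like the failing install-config in the reproduction steps.
	pool := MachinePool{Name: "compute", AdditionalSecurityGroupIDs: SampleSecurityGroupIDs(16)}
	fmt.Println(ValidateAdditionalSecurityGroups(pool))
}
```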
      
      

      Version-Release number of selected component (if applicable):

      registry.ci.openshift.org/ocp/release:4.14.0-0.nightly-2023-07-11-092038
      
      

      How reproducible:

      Always
      

      Steps to Reproduce:

      1. Set 16 security group IDs in compute.platform.aws.additionalSecurityGroupIDs:
      
        compute:
        - architecture: amd64
          hyperthreading: Enabled
          name: worker
          platform:
            aws:
              additionalSecurityGroupIDs:
              - sg-06e63a6ad731c10cc
              - sg-054614d4f4eb5751d
              - sg-05c4fe202c8e2c28c
              - sg-0c948fa8b85bf4af1
              - sg-0cfb0c91c0b48f0de
              - sg-0eff6077ca727c921
              - sg-0d2d1f41f1ac9801c
              - sg-047c67d5decb64563
              - sg-0ee63f164c0ab8b04
              - sg-033ff80fa12e43c7f
              - sg-0ccad43754d9652cd
              - sg-04e4cbca2b5d50c3a
              - sg-0d133411fdcb0a4e0
              - sg-0b2b0e0d515b2f561
              - sg-045fde620b3e702da
              - sg-07e0493a65749973c
          replicas: 3
      
      2. The installation fails because the workers cannot be provisioned.
      
      

      Actual results:

      [root@preserve-gpei-worker k_files]# oc get machines -A
      NAMESPACE               NAME                                       PHASE     TYPE         REGION      ZONE         AGE
      openshift-machine-api   gpei-0613g-wp7zw-master-0                  Running   m6i.xlarge   us-west-2   us-west-2a   66m
      openshift-machine-api   gpei-0613g-wp7zw-master-1                  Running   m6i.xlarge   us-west-2   us-west-2b   66m
      openshift-machine-api   gpei-0613g-wp7zw-master-2                  Running   m6i.xlarge   us-west-2   us-west-2a   66m
      openshift-machine-api   gpei-0613g-wp7zw-worker-us-west-2a-7rszc   Failed                                          62m
      openshift-machine-api   gpei-0613g-wp7zw-worker-us-west-2a-pwnvp   Failed                                          62m
      openshift-machine-api   gpei-0613g-wp7zw-worker-us-west-2b-n2cs9   Failed                                          62m
      [root@preserve-gpei-worker k_files]# oc describe machine gpei-0613g-wp7zw-worker-us-west-2b-n2cs9 -n openshift-machine-api
      Name:         gpei-0613g-wp7zw-worker-us-west-2b-n2cs9
      ..
      Spec:
        Lifecycle Hooks:
        Metadata:
        Provider Spec:
          Value:
            Ami:
              Id:         ami-01bfc200595c748a1
            API Version:  machine.openshift.io/v1beta1
            Block Devices:
              Ebs:
            Metadata Service Options:
            Placement:
              Availability Zone:  us-west-2b
              Region:             us-west-2
            Security Groups:
              Filters:
                Name:  tag:Name
                Values:
                  gpei-0613g-wp7zw-worker-sg
              Id:  sg-033ff80fa12e43c7f
              Id:  sg-045fde620b3e702da
              Id:  sg-047c67d5decb64563
              Id:  sg-04e4cbca2b5d50c3a
              Id:  sg-054614d4f4eb5751d
              Id:  sg-05c4fe202c8e2c28c
              Id:  sg-06e63a6ad731c10cc
              Id:  sg-07e0493a65749973c
              Id:  sg-0b2b0e0d515b2f561
              Id:  sg-0c948fa8b85bf4af1
              Id:  sg-0ccad43754d9652cd
              Id:  sg-0cfb0c91c0b48f0de
              Id:  sg-0d133411fdcb0a4e0
              Id:  sg-0d2d1f41f1ac9801c
              Id:  sg-0ee63f164c0ab8b04
              Id:  sg-0eff6077ca727c921
            Subnet:
              Id:  subnet-0641814f00311bd9c
            Tags:
              Name:   kubernetes.io/cluster/gpei-0613g-wp7zw
              Value:  owned
            User Data Secret:
              Name:  worker-user-data
      Status:
        Conditions:
          Last Transition Time:  2023-07-13T09:58:02Z
          Status:                True
          Type:                  Drainable
          Last Transition Time:  2023-07-13T09:58:02Z
          Message:               Instance has not been created
          Reason:                InstanceNotCreated
          Severity:              Warning
          Status:                False
          Type:                  InstanceExists
          Last Transition Time:  2023-07-13T09:58:02Z
          Status:                True
          Type:                  Terminable
        Error Message:           error launching instance: You have exceeded the maximum number of security groups allowed per network interface.
      
      

      Expected results:

      The installer should abort and report that the number of custom security groups provided exceeds the maximum allowed.
      
      

      Additional info:

      
      

      Rafael Fonseca dos Santos (rdossant), Gaoyun Pei (gpei@redhat.com)