Bug
Resolution: Done-Errata
Undefined
4.14
No
Sprint 242, Sprint 243, Sprint 244
3
False
N/A
Release Note Not Required
Done
Description of problem:
When installing OpenShift on GCP in a Shared VPC (formerly XPN) configuration, the service account used must have permissions to create firewall rules on the host project's network in order to proceed. If the account does not have permissions, the installation will fail but the explicit reason is not listed.
Version-Release number of selected component (if applicable):
4.14-ec.1
How reproducible:
100% of the time when the service account creating the cluster does not have Owner permissions or `compute.firewalls.create` on the host project.
Steps to Reproduce:
1. Follow the instructions at https://docs.openshift.com/container-platform/4.13/installing/installing_gcp/installing-gcp-shared-vpc.html
2. As part of the prerequisites, make a service account with the permissions listed at https://docs.openshift.com/container-platform/4.13/installing/installing_gcp/installing-gcp-account.html#minimum-required-permissions-ipi-gcp-xpn
3. Create a cluster using an install-config.yaml similar to the one attached
Actual results:
The cluster fails to bootstrap. The bootstrap node will be present, as will the masters, but components will not be able to reach the api-int load balancer.
Expected results:
The log files would include an error message regarding the missing permissions, and possibly abort the installation early.
Additional info:
https://docs.openshift.com/container-platform/4.13/installing/installing_gcp/installing-gcp-account.html#minimum-required-permissions-ipi-gcp-xpn does not list the `compute.firewalls.create` permission, which is included in the code at https://github.com/openshift/installer/blob/4f59664588c4472b7aba2838159651e729908dff/pkg/asset/cluster/tfvars.go#L79. This is probably also a related docs improvement.
File attachment seems to have been disabled, so here is the text of the `install-config.yaml` that I was using:

```yaml
additionalTrustBundlePolicy: Proxyonly
apiVersion: v1
baseDomain: installer.gcp.devcluster.openshift.com
compute:
- architecture: amd64
  hyperthreading: Enabled
  name: worker
  platform: {}
  replicas: 3
controlPlane:
  architecture: amd64
  hyperthreading: Enabled
  name: master
  platform: {}
  replicas: 3
credentialsMode: Passthrough
featureSet: TechPreviewNoUpgrade
metadata:
  creationTimestamp: null
  name: nrbxpn
networking:
  clusterNetwork:
  - cidr: 10.128.0.0/14
    hostPrefix: 23
  machineNetwork:
  - cidr: 10.0.0.0/16
  networkType: OVNKubernetes
  serviceNetwork:
  - 172.30.0.0/16
platform:
  gcp:
    projectID: openshift-installer-shared-vpc
    region: us-central1
    network: installer-shared-vpc
    computeSubnet: installer-shared-vpc-subnet-1
    controlPlaneSubnet: installer-shared-vpc-subnet-2
    networkProjectID: openshift-dev-installer
publish: Internal
pullSecret: <omitted>
sshKey: <omitted>
```
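The preflight check the expected results ask for, as an added example that is not the installer's own code: given the `projectID` / `networkProjectID` pair from the install-config above, it picks the host project whose network the firewall rules land in, asks an injected `PermissionTester` (standing in for the Cloud Resource Manager `projects.testIamPermissions` call) which permissions the service account holds there, and returns an explicit error naming what is missing instead of letting bootstrap fail silently. The `GCPPlatform` struct, the `PermissionTester` type and the single-entry permission list are assumptions for this example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// GCPPlatform holds the two install-config fields that decide where
// firewall rules are created. Hypothetical type for this example.
type GCPPlatform struct {
	ProjectID        string // service project that hosts the cluster
	NetworkProjectID string // host project owning the shared VPC ("" if not XPN)
}

// PermissionTester stands in for projects.testIamPermissions: it returns
// the subset of perms the caller actually holds on projects/<projectID>.
type PermissionTester func(projectID string, perms []string) ([]string, error)

// Only the permission named in the bug; extend from the documented XPN list.
var hostProjectPermissions = []string{"compute.firewalls.create"}

// HostProject is the network project for XPN, else the service project.
func HostProject(p GCPPlatform) string {
	if p.NetworkProjectID != "" {
		return p.NetworkProjectID
	}
	return p.ProjectID
}

// MissingHostPermissions returns the required permissions not granted
// on the host project, sorted so the message is stable.
func MissingHostPermissions(p GCPPlatform, test PermissionTester) ([]string, error) {
	granted, err := test(HostProject(p), hostProjectPermissions)
	if err != nil {
		return nil, err
	}
	have := map[string]bool{}
	for _, g := range granted {
		have[g] = true
	}
	var missing []string
	for _, want := range hostProjectPermissions {
		if !have[want] {
			missing = append(missing, want)
		}
	}
	sort.Strings(missing)
	return missing, nil
}

// PreflightError is "" when the account is sufficient, otherwise the
// explicit message that should abort the install before bootstrap.
func PreflightError(p GCPPlatform, test PermissionTester) (string, error) {
	missing, err := MissingHostPermissions(p, test)
	if err != nil || len(missing) == 0 {
		return "", err
	}
	return fmt.Sprintf("service account lacks %s on host project %q; cannot create shared VPC firewall rules",
		strings.Join(missing, ", "), HostProject(p)), nil
}

func main() {
	// Constructed stub: the account holds nothing on the host project.
	none := func(string, []string) ([]string, error) { return nil, nil }
	msg, _ := PreflightError(GCPPlatform{ProjectID: "svc-project", NetworkProjectID: "host-project"}, none)
	fmt.Println(msg)
}
```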
- is related to: OCPBUGS-17815 GCP XPN - Clarify firewall reqs when acct does not have firewall permissions (New)
- is related to: OCPBUGS-5755 GCP XPN private cluster install attempts to add masters to k8s-ig-xxxx instance groups (Closed)
- links to: RHEA-2023:7198 rpm