Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Done-Errata
Priority: Major
Fix Version/s: 4.15.0
Affects Version/s: 4.14.0
Component/s: Networking / cloud-network-config-controller
Labels:
None

Severity:
Critical
Regression:
No
Release Blocker:
Rejected
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Target Version:

4.14.0

SFDC Cases Counter:
SFDC Cases Links:

Description

Description of problem:

CNCC failed to assign egressIP to NIC for Azure Workload Identity Cluster

Refer to https://issues.redhat.com/browse/CCO-294

Version-Release number of selected component (if applicable):

4.14.0-0.nightly-2023-08-11-055332

How reproducible:

Always

Steps to Reproduce:

1. Created a Azure Workload Identity Cluster by "workflow-launch cucushift-installer-rehearse-azure-ipi-cco-manual-workload-identity-tp 4.14" from cluster-bot
2. Configure egressIP
3.

Actual results:

 % oc get egressip
NAME         EGRESSIPS      ASSIGNED NODE   ASSIGNED EGRESSIPS
egressip-3   10.0.128.100     

% oc get cloudprivateipconfig -o yaml
apiVersion: v1
items:
- apiVersion: cloud.network.openshift.io/v1
  kind: CloudPrivateIPConfig
  metadata:
    annotations:
      k8s.ovn.org/egressip-owner-ref: egressip-3
    creationTimestamp: "2023-08-14T04:41:05Z"
    finalizers:
    - cloudprivateipconfig.cloud.network.openshift.io/finalizer
    generation: 1
    name: 10.0.128.100
    resourceVersion: "65159"
    uid: 2b7b1137-0e2e-46e8-9bca-1176330322a9
  spec:
    node: ci-ln-b4tlp9t-1d09d-2chnb-worker-centralus1-jgqp2
  status:
    conditions:
    - lastTransitionTime: "2023-08-14T04:41:17Z"
      message: 'Error processing cloud assignment request, err: network.InterfacesClient#CreateOrUpdate:
        Failure sending request: StatusCode=0 -- Original Error: Code="LinkedAuthorizationFailed"
        Message="The client ''d367c1b8-9f5d-4257-b5c8-363f61af32c2'' with object id
        ''d367c1b8-9f5d-4257-b5c8-363f61af32c2'' has permission to perform action
        ''Microsoft.Network/networkInterfaces/write'' on scope ''/subscriptions/d38f1e38-4bed-438e-b227-833f997adf6a/resourceGroups/ci-ln-b4tlp9t-1d09d/providers/Microsoft.Network/networkInterfaces/ci-ln-b4tlp9t-1d09d-2chnb-worker-centralus1-jgqp2-nic'';
        however, it does not have permission to perform action ''Microsoft.Network/virtualNetworks/subnets/join/action''
        on the linked scope(s) ''/subscriptions/d38f1e38-4bed-438e-b227-833f997adf6a/resourceGroups/ci-ln-b4tlp9t-1d09d/providers/Microsoft.Network/virtualNetworks/ci-ln-b4tlp9t-1d09d-2chnb-vnet/subnets/ci-ln-b4tlp9t-1d09d-2chnb-worker-subnet''
        or the linked scope(s) are invalid."'
      observedGeneration: 1
      reason: CloudResponseError
      status: "False"
      type: Assigned
    node: ci-ln-b4tlp9t-1d09d-2chnb-worker-centralus1-jgqp2
kind: List
metadata:
  resourceVersion: ""

Expected results:

EgressIP can be assigned to egress node

Additional info:

Attachments

Issue Links

blocks

CCO-294 Update Azure Credentials Request manifest of the Cluster Network Operator to use new API field for requesting permissions

Closed

links to

openshift/cluster-network-operator#1949: OCPBUGS-17677: [Azure] Add granular permission for assigning egressIP to NIC to Azure CredentialsRequest for workload identity.

openshift/cluster-network-operator#1980: OCPBUGS-17677: [Azure]CNCC failed to assign egressIP to NIC for Azure Workload Identity Cluster

RHEA-2023:5006 rpm

Activity

People

Assignee:: Andrew Butcher

Reporter:: Huiran Wang

QA Contact:: Huiran Wang

Votes:: 0 Vote for this issue

Watchers:: 8 Start watching this issue

Dates

Created:: 2023/08/14 4:51 AM

Updated:: 2023/10/31 1:38 PM

Resolved:: 2023/10/31 1:38 PM