Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-17677

[Azure]CNCC failed to assign egressIP to NIC for Azure Workload Identity Cluster

XMLWordPrintable

    • Critical
    • No
    • Rejected
    • False
    • Hide

      None

      Show
      None

      Description of problem:

      CNCC failed to assign egressIP to NIC for Azure Workload Identity Cluster

Refer to https://issues.redhat.com/browse/CCO-294

      Version-Release number of selected component (if applicable):

      4.14.0-0.nightly-2023-08-11-055332

      How reproducible:

      Always

      Steps to Reproduce:

      1. Created a Azure Workload Identity Cluster by "workflow-launch cucushift-installer-rehearse-azure-ipi-cco-manual-workload-identity-tp 4.14" from cluster-bot
2. Configure egressIP
3.

      Actual results:

       % oc get egressip
NAME         EGRESSIPS      ASSIGNED NODE   ASSIGNED EGRESSIPS
egressip-3   10.0.128.100     

% oc get cloudprivateipconfig -o yaml
apiVersion: v1
items:
- apiVersion: cloud.network.openshift.io/v1
  kind: CloudPrivateIPConfig
  metadata:
    annotations:
      k8s.ovn.org/egressip-owner-ref: egressip-3
    creationTimestamp: "2023-08-14T04:41:05Z"
    finalizers:
    - cloudprivateipconfig.cloud.network.openshift.io/finalizer
    generation: 1
    name: 10.0.128.100
    resourceVersion: "65159"
    uid: 2b7b1137-0e2e-46e8-9bca-1176330322a9
  spec:
    node: ci-ln-b4tlp9t-1d09d-2chnb-worker-centralus1-jgqp2
  status:
    conditions:
    - lastTransitionTime: "2023-08-14T04:41:17Z"
      message: 'Error processing cloud assignment request, err: network.InterfacesClient#CreateOrUpdate:
        Failure sending request: StatusCode=0 -- Original Error: Code="LinkedAuthorizationFailed"
        Message="The client ''d367c1b8-9f5d-4257-b5c8-363f61af32c2'' with object id
        ''d367c1b8-9f5d-4257-b5c8-363f61af32c2'' has permission to perform action
        ''Microsoft.Network/networkInterfaces/write'' on scope ''/subscriptions/d38f1e38-4bed-438e-b227-833f997adf6a/resourceGroups/ci-ln-b4tlp9t-1d09d/providers/Microsoft.Network/networkInterfaces/ci-ln-b4tlp9t-1d09d-2chnb-worker-centralus1-jgqp2-nic'';
        however, it does not have permission to perform action ''Microsoft.Network/virtualNetworks/subnets/join/action''
        on the linked scope(s) ''/subscriptions/d38f1e38-4bed-438e-b227-833f997adf6a/resourceGroups/ci-ln-b4tlp9t-1d09d/providers/Microsoft.Network/virtualNetworks/ci-ln-b4tlp9t-1d09d-2chnb-vnet/subnets/ci-ln-b4tlp9t-1d09d-2chnb-worker-subnet''
        or the linked scope(s) are invalid."'
      observedGeneration: 1
      reason: CloudResponseError
      status: "False"
      type: Assigned
    node: ci-ln-b4tlp9t-1d09d-2chnb-worker-centralus1-jgqp2
kind: List
metadata:
  resourceVersion: ""

      Expected results:

      EgressIP can be assigned to egress node

      Additional info:

              abutcher@redhat.com Andrew Butcher
              huirwang Huiran Wang
              Huiran Wang Huiran Wang
              Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

                Created:
                Updated:
                Resolved: