Loading...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Major
Fix Version/s: 4.14.0
Affects Version/s: 4.14.0
Component/s: Networking / ovn-kubernetes
Labels:
None

Regression:
No
Sprint:
SDN Sprint 243, SDN Sprint 244
sprint_count:
2
Release Blocker:
Rejected
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Target Version:

4.14.0

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Description of problem:

The newly added webhook does not allow setting k8s.ovn.org/node-mgmt-port and k8s.ovn.org/gateway-mtu-support which should be allowed

Steps to Reproduce:

In one of the ovnkube-node pods (ovnkube-controller container) run the following:
1. Create a kubeconfig which impersonates ovnkube-node:
  export KUBECONFIG=/tmp/kubeconfig
  kubectl config set-cluster default-cluster --server=https://${KUBERNETES_SERVICE_HOST}:6443 --certificate-authority /var/run/secrets/kubernetes.io/serviceaccount/ca.crt --embed-certs
  kubectl config set-credentials default --client-key /etc/ovn/ovnkube-node-certs/ovnkube-client-current.pem --client-certificate /etc/ovn/ovnkube-node-certs/ovnkube-client-current.pem --embed-certs
  kubectl config set-context default-system --cluster default-cluster --user default
  kubectl config use-context default-system

2. Try to set k8s.ovn.org/node-mgmt-port and k8s.ovn.org/gateway-mtu-support:
  oc get node $(hostname) -o yaml > /tmp/current_node.yaml
  kubectl patch -f /tmp/current_node.yaml --type='json' --subresource=status -p='[{"op": "add", "path": "/metadata/annotations/k8s.ovn.org~1node-mgmt-port", "value":"{\"PfId\":1,\"FuncId\":1}"}]'
  kubectl patch -f /tmp/current_node.yaml --type='json' --subresource=status -p='[{"op": "add", "path": "/metadata/annotations/k8s.ovn.org~1gateway-mtu-support", "value":"true"}]'

Actual results:

Error from server (Forbidden): admission webhook "node.network-node-identity.openshift.io" denied the request: ovnkube-node on node: "pdiak-10-19-2023-kxnc6-master-1.c.openshift-gce-devel.internal" is not allowed to set the following annotations: [k8s.ovn.org/node-mgmt-port]
Error from server (Forbidden): admission webhook "node.network-node-identity.openshift.io" denied the request: ovnkube-node on node: "pdiak-10-19-2023-kxnc6-master-1.c.openshift-gce-devel.internal" is not allowed to set the following annotations: [k8s.ovn.org/gateway-mtu-support]

Expected results:

Setting k8s.ovn.org/node-mgmt-port and k8s.ovn.org/gateway-mtu-support annotations should succeed

Additional info:

Missing annotations are only used in DPU deployments so it should be easier to verify it with the steps provided above.

clones

OCPBUGS-19792 OVN-Kubernetes node webhook does not allow to set k8s.ovn.org/node-mgmt-port and k8s.ovn.org/gateway-mtu-support

Closed

depends on

OCPBUGS-19792 OVN-Kubernetes node webhook does not allow to set k8s.ovn.org/node-mgmt-port and k8s.ovn.org/gateway-mtu-support

Closed

links to

openshift/ovn-kubernetes#1915: OCPBUGS-19886,OCPBUGS-19889,OCPBUGS-19887,OCPBUGS-19888: EIP fixes, remove ippool dupe call, allow gw mtu in webhook and ovnkube node can set mgt port for dpu

RHSA-2023:5006 OpenShift Container Platform 4.14.z security update

Assignee:: Patryk Diak

Reporter:: Patryk Diak

QA Contact:: Ying Wang

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Created:: 2023/09/28 10:23 AM

Updated:: 2023/10/31 1:43 PM

Resolved:: 2023/10/31 1:43 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates