Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-22949

[Azure] EgressIP cannot be applied to the egress node on Azure private cluster

XMLWordPrintable

    • Important
    • No
    • Rejected
    • False
    • Hide

      None

      Show
      None
    • Hide
      This patch enables egress IP for Azure setups that use outbound rules to achieve outbound connectivity. An architectural constraint in Azure prevents the secondary IP acting as egress IP from having outbound connectivity in such setups. This means that matching pods will have no outbound connectivity to the internet, but will be able to reach external servers in the infrastructure network, which is the intended use case for egress IP.
      Show
      This patch enables egress IP for Azure setups that use outbound rules to achieve outbound connectivity. An architectural constraint in Azure prevents the secondary IP acting as egress IP from having outbound connectivity in such setups. This means that matching pods will have no outbound connectivity to the internet, but will be able to reach external servers in the infrastructure network, which is the intended use case for egress IP.
    • Bug Fix

      This is a clone of issue OCPBUGS-22299. The following is the description of the original issue:

      This is a clone of issue OCPBUGS-5491. The following is the description of the original issue:

      Description of problem:

      The issue was found in ci, and it is an Azure private cluster, all the egressIP cases failed due to  EgressIP cannot be applied to the egress node. It was able to be reproduced manually. 
      
      

      Version-Release number of selected component (if applicable):

      4.12.0-0.nightly-2023-01-08-142418
      
      

      How reproducible:

      Always
      
      

      Steps to Reproduce:

      1. Label one worker node as egress node
      2. Create one egressIP object
      3.
      

      Actual results:

      % oc get egressip
      NAME             EGRESSIPS    ASSIGNED NODE   ASSIGNED EGRESSIPS
      egressip-2       10.0.1.10                    
      egressip-47164   10.0.1.217 
      
      % oc get cloudprivateipconfig 
      NAME         AGE
      10.0.1.10    18m
      10.0.1.217   22m
      % oc get cloudprivateipconfig  -o yaml
      apiVersion: v1
      items:
      - apiVersion: cloud.network.openshift.io/v1
        kind: CloudPrivateIPConfig
        metadata:
          annotations:
            k8s.ovn.org/egressip-owner-ref: egressip-2
          creationTimestamp: "2023-01-09T10:11:33Z"
          finalizers:
          - cloudprivateipconfig.cloud.network.openshift.io/finalizer
          generation: 1
          name: 10.0.1.10
          resourceVersion: "59723"
          uid: d697568a-7d7c-471a-b5e1-d7b814244549
        spec:
          node: huirwang-0109b-bv4ld-worker-eastus1-llmpb
        status:
          conditions:
          - lastTransitionTime: "2023-01-09T10:17:06Z"
            message: 'Error processing cloud assignment request, err: network.InterfacesClient#CreateOrUpdate:
              Failure sending request: StatusCode=0 -- Original Error: Code="OutboundRuleCannotBeUsedWithBackendAddressPoolThatIsReferencedBySecondaryIpConfigs"
              Message="OutboundRule /subscriptions/53b8f551-f0fc-4bea-8cba-6d1fefd54c8a/resourceGroups/huirwang-0109b-bv4ld-rg/providers/Microsoft.Network/loadBalancers/huirwang-0109b-bv4ld/outboundRules/outbound-rule-v4
              cannot be used with Backend Address Pool /subscriptions/53b8f551-f0fc-4bea-8cba-6d1fefd54c8a/resourceGroups/huirwang-0109b-bv4ld-rg/providers/Microsoft.Network/loadBalancers/huirwang-0109b-bv4ld/backendAddressPools/huirwang-0109b-bv4ld
              that contains Secondary IPConfig /subscriptions/53b8f551-f0fc-4bea-8cba-6d1fefd54c8a/resourceGroups/huirwang-0109b-bv4ld-rg/providers/Microsoft.Network/networkInterfaces/huirwang-0109b-bv4ld-worker-eastus1-llmpb-nic/ipConfigurations/huirwang-0109b-bv4ld-worker-eastus1-llmpb_10.0.1.10"
              Details=[]'
            observedGeneration: 1
            reason: CloudResponseError
            status: "False"
            type: Assigned
          node: huirwang-0109b-bv4ld-worker-eastus1-llmpb
      - apiVersion: cloud.network.openshift.io/v1
        kind: CloudPrivateIPConfig
        metadata:
          annotations:
            k8s.ovn.org/egressip-owner-ref: egressip-47164
          creationTimestamp: "2023-01-09T10:07:56Z"
          finalizers:
          - cloudprivateipconfig.cloud.network.openshift.io/finalizer
          generation: 1
          name: 10.0.1.217
          resourceVersion: "58333"
          uid: 6a7d6196-cfc9-4859-9150-7371f5818b74
        spec:
          node: huirwang-0109b-bv4ld-worker-eastus1-llmpb
        status:
          conditions:
          - lastTransitionTime: "2023-01-09T10:13:29Z"
            message: 'Error processing cloud assignment request, err: network.InterfacesClient#CreateOrUpdate:
              Failure sending request: StatusCode=0 -- Original Error: Code="OutboundRuleCannotBeUsedWithBackendAddressPoolThatIsReferencedBySecondaryIpConfigs"
              Message="OutboundRule /subscriptions/53b8f551-f0fc-4bea-8cba-6d1fefd54c8a/resourceGroups/huirwang-0109b-bv4ld-rg/providers/Microsoft.Network/loadBalancers/huirwang-0109b-bv4ld/outboundRules/outbound-rule-v4
              cannot be used with Backend Address Pool /subscriptions/53b8f551-f0fc-4bea-8cba-6d1fefd54c8a/resourceGroups/huirwang-0109b-bv4ld-rg/providers/Microsoft.Network/loadBalancers/huirwang-0109b-bv4ld/backendAddressPools/huirwang-0109b-bv4ld
              that contains Secondary IPConfig /subscriptions/53b8f551-f0fc-4bea-8cba-6d1fefd54c8a/resourceGroups/huirwang-0109b-bv4ld-rg/providers/Microsoft.Network/networkInterfaces/huirwang-0109b-bv4ld-worker-eastus1-llmpb-nic/ipConfigurations/huirwang-0109b-bv4ld-worker-eastus1-llmpb_10.0.1.217"
              Details=[]'
            observedGeneration: 1
            reason: CloudResponseError
            status: "False"
            type: Assigned
          node: huirwang-0109b-bv4ld-worker-eastus1-llmpb
      kind: List
      metadata:
        resourceVersion: ""
      

      Expected results:

      EgressIP can be applied correctly
      
      

      Additional info:

      
      

              rravaiol@redhat.com Riccardo Ravaioli
              openshift-crt-jira-prow OpenShift Prow Bot
              Jean Chen Jean Chen
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Created:
                Updated:
                Resolved: