OpenShift Bugs: OCPBUGS-26977

Required RBAC for network-node-identity is not created when hosted cluster networkType is set to Other.

      * Previously, Multus CNI required CSRs to be approved when you used the `Other` network type in hosted clusters. The proper RBAC rules were set only when the network type was `Other` and was set to Calico. As a consequence, the CSRs were not approved when the network type was `Other` and set to Cilium. With this update, the correct RBAC rules are set for all valid network types, and RBACs are now properly configured when you use the `Other` network type. (link:https://issues.redhat.com/browse/OCPBUGS-26977[*OCPBUGS-26977*])
    • Bug Fix
    • Done

      Description of problem:

      When using a custom CNI plugin in a hostedcluster, multus requires some CSRs to be approved. The component approving these CSRs is the network-node-identity. This component only gets the proper RBAC rules configured when networkType is set to Calico.
      
      In the current implementation, there is a condition that will apply the required RBAC if the networkType is set to Calico[1].
      
      When using other CNI plugins, like Cilium, you're supposed to set networkType to Other. With current implementation, you won't get the required RBAC in place and as such, the required CSRs won't be approved automatically.
      
      
      [1] https://github.com/openshift/hypershift/blob/release-4.14/control-plane-operator/controllers/hostedcontrolplane/cno/clusternetworkoperator.go#L139   

      Version-Release number of selected component (if applicable):

      Latest    

      How reproducible:

      Always

      Steps to Reproduce:

          1. Set hostedcluster.spec.networking.networkType to Other
          2. Wait for the HC to start deploying and for the Nodes to join the cluster
          3. The nodes will remain in NotReady. Multus pods will complain about certificates not being ready.
          4. If you list CSRs you will find pending CSRs.
          

      Actual results:

      RBAC not properly configured when networkType set to Other

      Expected results:

      RBAC properly configured when networkType set to Other

      Additional info:

      Slack discussion:
      
      https://redhat-internal.slack.com/archives/C01C8502FMM/p1704824277049609
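
Step 4 of the reproduction as a triage check, added here as an example and not part of the original report or the HyperShift code: it reads the JSON that `oc get csr -o json` returns and reports every CSR that has neither an `Approved` nor a `Denied` condition, grouped by signer. The sample list, CSR names, signer names and requestor usernames are constructed placeholders.

```python
import json
from collections import Counter

# Constructed sample shaped like `oc get csr -o json` output
# (a list of certificates.k8s.io/v1 CertificateSigningRequest objects).
# Names, signers and usernames are placeholders, not values from the report.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "csr-aaaaa"},
     "spec": {"signerName": "example.test/constructed-signer",
              "username": "system:example:node-1"},
     "status": {}},
    {"metadata": {"name": "csr-bbbbb"},
     "spec": {"signerName": "example.test/constructed-signer",
              "username": "system:example:node-2"},
     "status": {"conditions": [{"type": "Approved", "status": "True"}],
                "certificate": "PLACEHOLDER"}},
    {"metadata": {"name": "csr-ccccc"},
     "spec": {"signerName": "example.test/constructed-signer",
              "username": "system:example:node-1"},
     "status": {"conditions": [{"type": "Denied", "status": "True"}]}},
    {"metadata": {"name": "csr-ddddd"},
     "spec": {"signerName": "example.test/other-signer",
              "username": "system:example:node-3"},
     "status": {"conditions": []}},
]})

def csr_state(csr):
    """A CSR with neither an Approved nor a Denied condition is still Pending."""
    status = csr.get("status") or {}
    types = {c.get("type") for c in status.get("conditions") or []}
    if "Denied" in types:
        return "Denied"
    if "Approved" in types:
        return "Approved" if status.get("certificate") else "Approved (not issued)"
    return "Pending"

def pending_csrs(raw_json):
    """Return (name, signerName, requestor) for each CSR no approver has acted on."""
    items = json.loads(raw_json).get("items", [])
    return [(c["metadata"]["name"], c["spec"].get("signerName", ""),
             c["spec"].get("username", ""))
            for c in items if csr_state(c) == "Pending"]

def pending_by_signer(raw_json):
    """Count pending CSRs per signer to show which approver is not acting."""
    return Counter(signer for _, signer, _ in pending_csrs(raw_json))

if __name__ == "__main__":
    for name, signer, user in pending_csrs(SAMPLE):
        print(f"PENDING {name} signer={signer} requestor={user}")
```
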

              Mario Vazquez Cebrian (mavazque@redhat.com)
              He Liu
              Laura Hinson