OpenShift Bugs: OCPBUGS-26977

Required RBAC for network-node-identity is not created when hosted cluster networkType is set to Other.

      Cause - Multus requires CSRs to be approved when using a networkType of `Other` in Hosted Clusters. The proper RBAC rules to allow this are only set when the networkType was `Other` and set to Calico.
      Consequence - The CSRs were not being approved when the networkType was `Other` and set to Cilium.
      Fix - Set the right RBAC rules for all valid networkTypes when it is `Other` and not OVN.
      Result - RBACs are now properly configured when using a networkType `Other`.

    Description

      Description of problem:

      When using a custom CNI plugin in a hostedcluster, multus requires some CSRs to be approved. The component approving these CSRs is the network-node-identity. This component only gets the proper RBAC rules configured when networkType is set to Calico.
      
      In the current implementation, there is a condition that will apply the required RBAC if the networkType is set to Calico[1].
      
      When using other CNI plugins, like Cilium, you're supposed to set networkType to Other. With the current implementation, you won't get the required RBAC in place and as such, the required CSRs won't be approved automatically.
      
      
      [1] https://github.com/openshift/hypershift/blob/release-4.14/control-plane-operator/controllers/hostedcontrolplane/cno/clusternetworkoperator.go#L139   

      Version-Release number of selected component (if applicable):

      Latest    

      How reproducible:

      Always

      Steps to Reproduce:

          1. Set hostedcluster.spec.networking.networkType to Other
          2. Wait for the HC to start deploying and for the Nodes to join the cluster
          3. The nodes will remain in NotReady. Multus pods will complain about certificates not being ready.
          4. If you list CSRs you will find pending CSRs.
          

      Actual results:

      RBAC not properly configured when networkType set to Other

      Expected results:

      RBAC properly configured when networkType set to Other

      Additional info:

      Slack discussion:
      
      https://redhat-internal.slack.com/archives/C01C8502FMM/p1704824277049609
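
A check for step 4 of the reproduction above, added here as an example and not part of the original report or of HyperShift: it reads the JSON that `oc get csr -o json` returns and groups CSRs that have stayed pending by signer, which is the symptom of an approver lacking RBAC. The CSR names, requestors, the signer `example.com/placeholder-signer` and the 300-second threshold are assumptions made for the sample.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample shaped like `oc get csr -o json`. Names, requestors and
# "example.com/placeholder-signer" are placeholders, not values from the bug.
SAMPLE = json.loads("""{"items": [
 {"metadata": {"name": "csr-a", "creationTimestamp": "2024-01-09T10:00:00Z"},
  "spec": {"signerName": "example.com/placeholder-signer", "username": "requestor-0"},
  "status": {}},
 {"metadata": {"name": "csr-b", "creationTimestamp": "2024-01-09T10:05:00Z"},
  "spec": {"signerName": "example.com/placeholder-signer", "username": "requestor-1"},
  "status": {}},
 {"metadata": {"name": "csr-c", "creationTimestamp": "2024-01-09T10:28:00Z"},
  "spec": {"signerName": "example.com/placeholder-signer", "username": "requestor-0"},
  "status": {}},
 {"metadata": {"name": "csr-d", "creationTimestamp": "2024-01-09T09:50:00Z"},
  "spec": {"signerName": "kubernetes.io/kube-apiserver-client-kubelet",
           "username": "system:node:worker-0"},
  "status": {"conditions": [{"type": "Approved", "status": "True"}],
             "certificate": "PLACEHOLDER"}}
]}""")

def csr_state(csr):
    """Pending means no approver has acted: no Approved/Denied/Failed condition."""
    conds = {c["type"] for c in csr.get("status", {}).get("conditions", [])
             if c.get("status", "True") == "True"}
    return next((s for s in ("Denied", "Failed", "Approved") if s in conds), "Pending")

def stuck_csrs(csr_list, now, min_age_s=300):
    """Group CSRs pending longer than min_age_s by signerName -> [(name, user, age)]."""
    stuck = defaultdict(list)
    for csr in csr_list.get("items", []):
        if csr_state(csr) != "Pending":
            continue
        created = datetime.strptime(csr["metadata"]["creationTimestamp"],
                                    "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        age = int((now - created).total_seconds())
        if age >= min_age_s:  # skip requests the approver may simply not have reached yet
            stuck[csr["spec"]["signerName"]].append(
                (csr["metadata"]["name"], csr["spec"].get("username"), age))
    return dict(stuck)

if __name__ == "__main__":
    now = datetime(2024, 1, 9, 10, 30, tzinfo=timezone.utc)  # fixed for the sample
    for signer, items in stuck_csrs(SAMPLE, now).items():
        print(f"{signer}: {len(items)} CSR(s) pending with no approver acting")
        for name, user, age in items:
            print(f"  {name} requested by {user}, pending {age}s")
```

Every stuck request sharing one signer while other signers' requests are approved points at the approver for that signer rather than at the nodes.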

      People

        Mario Vazquez Cebrian (mavazque@redhat.com)
        He Liu