
Required RBAC for network-node-identity is not created when hosted cluster networkType is set to Other.

      * Previously, when using a custom Container Network Interface (CNI) plugin in a hosted cluster, role-based access control (RBAC) rules were configured only when you set the `hostedcluster.spec.networking.networkType` field to `Calico`. Role-based access control (RBAC) rules were not configured when you set the `hostedcluster.spec.networking.networkType` field to `Other`. With this release, RBAC rules are configured properly when you set the `hostedcluster.spec.networking.networkType` field to `Other`. (link:https://issues.redhat.com/browse/OCPBUGS-28235[*OCPBUGS-28235*])

    • Done

      This is a clone of issue OCPBUGS-26977. The following is the description of the original issue:

      Description of problem:

      When using a custom CNI plugin in a hostedcluster, multus requires some CSRs to be approved. The component approving these CSRs is the network-node-identity. This component only gets the proper RBAC rules configured when networkType is set to Calico.
      
      In the current implementation, there is a condition that will apply the required RBAC if the networkType is set to Calico [1].
      
      When using other CNI plugins, like Cilium, you're supposed to set networkType to Other. With the current implementation, you won't get the required RBAC in place and as such, the required CSRs won't be approved automatically.
      
      
      [1] https://github.com/openshift/hypershift/blob/release-4.14/control-plane-operator/controllers/hostedcontrolplane/cno/clusternetworkoperator.go#L139   

      Version-Release number of selected component (if applicable):

      Latest    

      How reproducible:

      Always

      Steps to Reproduce:

          1. Set hostedcluster.spec.networking.networkType to Other
          2. Wait for the HC to start deploying and for the Nodes to join the cluster
          3. The nodes will remain in NotReady. Multus pods will complain about certificates not being ready.
          4. If you list CSRs you will find pending CSRs.
          

      Actual results:

      RBAC not properly configured when networkType set to Other

      Expected results:

      RBAC properly configured when networkType set to Other

      Additional info:

      Slack discussion:
      
      https://redhat-internal.slack.com/archives/C01C8502FMM/p1704824277049609

            agarcial@redhat.com Alberto Garcia Lamela
            openshift-crt-jira-prow OpenShift Prow Bot
            He Liu He Liu
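
A triage check for step 4 of the reproduction, added here as an example and not part of the issue or the HyperShift code: it takes a HostedCluster object and a CSR list (the JSON shape that `oc get csr -o json` returns) and reports which requesters have CSRs with neither an Approved nor a Denied condition. The sample objects, CSR names, usernames and signer name are constructed for illustration.

```python
import json

# Constructed sample data (not from the issue): a trimmed HostedCluster and
# a CSR list in the shape `oc get csr -o json` returns on the hosted cluster.
HOSTED_CLUSTER = json.loads('{"spec": {"networking": {"networkType": "Other"}}}')
CSR_LIST = json.loads("""
{"items": [
 {"metadata": {"name": "csr-aaaaa"},
  "spec": {"signerName": "example.test/constructed-signer",
           "username": "system:node:worker-0"},
  "status": {}},
 {"metadata": {"name": "csr-bbbbb"},
  "spec": {"signerName": "example.test/constructed-signer",
           "username": "system:node:worker-1"},
  "status": {"conditions": [{"type": "Approved", "status": "True"}]}},
 {"metadata": {"name": "csr-ccccc"},
  "spec": {"signerName": "example.test/constructed-signer",
           "username": "system:node:worker-1"},
  "status": {"conditions": [{"type": "Denied", "status": "True"}]}}
]}
""")

def csr_state(csr):
    """A CSR with no Approved or Denied condition is still waiting for an approver."""
    conditions = (csr.get("status") or {}).get("conditions") or []
    types = {c.get("type") for c in conditions}
    if "Denied" in types:
        return "Denied"
    if "Approved" in types:
        return "Approved"
    return "Pending"

def pending_by_requester(csr_list):
    """Map requesting identity -> names of its CSRs nobody has approved or denied."""
    pending = {}
    for csr in csr_list.get("items", []):
        if csr_state(csr) == "Pending":
            who = csr.get("spec", {}).get("username", "<unknown>")
            pending.setdefault(who, []).append(csr["metadata"]["name"])
    return pending

def matches_issue(hosted_cluster, csr_list):
    """True when the reported symptom is present: networkType Other plus pending CSRs."""
    net = hosted_cluster.get("spec", {}).get("networking", {}).get("networkType")
    return net == "Other" and bool(pending_by_requester(csr_list))

if __name__ == "__main__":
    print(pending_by_requester(CSR_LIST), matches_issue(HOSTED_CLUSTER, CSR_LIST))
```

On a cluster with the fix, the same check run after the nodes join should return an empty mapping, because the approver has the RBAC it needs to act on the requests.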