OpenShift Bugs / OCPBUGS-28249

Required RBAC for network-node-identity is not created when hosted cluster networkType is set to Other.





      This is a clone of issue OCPBUGS-26977. The following is the description of the original issue:

      Description of problem:

      When using a custom CNI plugin in a hostedcluster, multus requires some CSRs to be approved. The component approving these CSRs is the network-node-identity. This component only gets the proper RBAC rules configured when networkType is set to Calico.
      In the current implementation, there is a condition that applies the required RBAC only if the networkType is set to Calico[1].
      When using other CNI plugins, like Cilium, you're supposed to set networkType to Other. With the current implementation, you won't get the required RBAC in place and, as such, the required CSRs won't be approved automatically.
      [1] https://github.com/openshift/hypershift/blob/release-4.14/control-plane-operator/controllers/hostedcontrolplane/cno/clusternetworkoperator.go#L139   

      Version-Release number of selected component (if applicable):


      How reproducible:


      Steps to Reproduce:

          1. Set hostedcluster.spec.networking.networkType to Other
          2. Wait for the HC to start deploying and for the Nodes to join the cluster
          3. The nodes will remain in NotReady. Multus pods will complain about certificates not being ready.
          4. If you list CSRs you will find pending CSRs.
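
To make step 4 easier to check, the following added example (not part of the original report or of the HyperShift code base) groups pending CSRs by signer and requestor, so you can see which requests the approver is not handling. The sample data is constructed, with placeholder CSR names, signers and usernames; a CSR is treated as pending when it carries no Approved, Denied or Failed condition.

```python
import json
import sys
from collections import Counter

# Constructed sample shaped like `oc get csr -o json`; all names are placeholders.
SAMPLE = {"items": [
    {"metadata": {"name": "csr-aaaaa"},
     "spec": {"signerName": "example.com/constructed-signer", "username": "example:node-a"},
     "status": {}},
    {"metadata": {"name": "csr-bbbbb"},
     "spec": {"signerName": "example.com/constructed-signer", "username": "example:node-a"},
     "status": {"conditions": None}},
    {"metadata": {"name": "csr-ccccc"},
     "spec": {"signerName": "example.com/constructed-signer", "username": "example:node-b"},
     "status": {"conditions": [{"type": "Approved", "status": "True"}],
                "certificate": "constructed"}},
    {"metadata": {"name": "csr-ddddd"},
     "spec": {"signerName": "example.com/other-signer", "username": "example:node-b"},
     "status": {"conditions": [{"type": "Denied", "status": "True"}]}},
]}

def csr_state(csr):
    """Classify a CSR object; one with no terminal condition is still Pending."""
    conditions = (csr.get("status") or {}).get("conditions") or []
    types = {c.get("type") for c in conditions}
    for state in ("Denied", "Failed", "Approved"):  # Denied/Failed win over Approved
        if state in types:
            return state
    return "Pending"

def pending_by_requestor(csr_list):
    """Return sorted [((signerName, username), count)] for pending CSRs only."""
    counts = Counter()
    for csr in csr_list.get("items", []):
        if csr_state(csr) == "Pending":
            spec = csr.get("spec", {})
            counts[(spec.get("signerName", "?"), spec.get("username", "?"))] += 1
    return sorted(counts.items())

if __name__ == "__main__":
    # Reads CSR JSON from stdin when piped, otherwise uses the constructed sample.
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for (signer, user), n in pending_by_requestor(data):
        print(f"{n} pending  signer={signer}  requestor={user}")
```

Against a live cluster, pipe the output of `oc get csr -o json` into the script; the requestor and signer it reports show which identity's requests are waiting on the missing RBAC.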

      Actual results:

      RBAC not properly configured when networkType set to Other

      Expected results:

      RBAC properly configured when networkType set to Other

      Additional info:

      Slack discussion:

            agarcial@redhat.com Alberto Garcia Lamela
            openshift-crt-jira-prow OpenShift Prow Bot
            He Liu He Liu