OCPBUGS-30041 (OpenShift Bugs)

CCM is selecting AWS Outposts subnets when creating service LoadBalancers

      Description of problem:

      The CCM is selecting AWS Outposts subnets when creating service LoadBalancers on OpenShift clusters installed into an existing VPC, using subnets in zones to which the AWS Outposts rack is not attached.

      For example: a cluster is installed using subnets only in Zones B and C, while an Outposts rack is attached to Zone A, and all three zones have public subnets. When a service LoadBalancer is created, the CCM selects one subnet per zone, including the Outposts subnet. Outposts does not support network-based load balancers (CLB or NLB), so provisioning of the CLB (or NLB) fails.

      As a workaround, the subnet tag "kubernetes.io/cluster/unmanaged:true" has been added to the Outposts subnets to prevent the CCM from selecting them when creating the service LB.
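To make the selection described above concrete, the following Go program is an added illustration; it is not code from the CCM (cloud-provider-aws) or from this bug. It models the per-zone public subnet choice for a service LoadBalancer, applies the kubernetes.io/cluster/unmanaged workaround tag, and adds a skipOutposts switch for the behaviour this bug asks for; a local validateForCLB check stands in for the AWS API error quoted under Actual results. The subnet IDs, zone names, Outposts ARN and sample VPC are constructed, and the tie-break rule in preferred (role-tagged subnet first, then lowest subnet ID) is an assumption about the controller's ordering, not something this page states.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Subnet holds the EC2 subnet fields that matter here (constructed type, not the CCM's).
type Subnet struct {
	ID, Zone   string
	Public     bool
	OutpostArn string // non-empty when the subnet lives on an Outposts rack
	Tags       map[string]string
}

// String makes a selection print as a list of subnet IDs.
func (s Subnet) String() string { return s.ID }

const (
	tagUnmanaged = "kubernetes.io/cluster/unmanaged" // workaround tag quoted above; presence of the key is what counts here
	tagRoleELB   = "kubernetes.io/role/elb"          // public ELB role tag the CCM honours
)

// errOutpostsCLB carries the AWS ValidationError text from "Actual results"; raised by a local check, not by AWS.
var errOutpostsCLB = errors.New("ValidationError: You cannot use Outposts subnets for load balancers of type 'classic'")

// selectLBSubnets models the service controller picking at most one public subnet per
// zone when the service has no subnet annotation. Subnets tagged unmanaged are skipped
// (today's workaround); with skipOutposts set, Outposts subnets are skipped too (the fix asked for).
func selectLBSubnets(subnets []Subnet, skipOutposts bool) []Subnet {
	byZone := map[string]Subnet{}
	for _, s := range subnets {
		_, unmanaged := s.Tags[tagUnmanaged]
		if !s.Public || unmanaged || (skipOutposts && s.OutpostArn != "") {
			continue
		}
		if cur, seen := byZone[s.Zone]; !seen || preferred(s, cur) {
			byZone[s.Zone] = s
		}
	}
	out := make([]Subnet, 0, len(byZone))
	for _, s := range byZone {
		out = append(out, s)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Zone < out[j].Zone })
	return out
}

// preferred breaks ties within a zone (assumed rule): a role-tagged subnet beats an
// untagged one, otherwise the lexicographically smaller ID wins so the pick is stable.
func preferred(a, b Subnet) bool {
	_, aTagged := a.Tags[tagRoleELB]
	_, bTagged := b.Tags[tagRoleELB]
	if aTagged != bTagged {
		return aTagged
	}
	return a.ID < b.ID
}

// validateForCLB stands in for the AWS-side check that rejects Outposts subnets for classic LBs.
func validateForCLB(selected []Subnet) error {
	for _, s := range selected {
		if s.OutpostArn != "" {
			return errOutpostsCLB
		}
	}
	return nil
}

// sampleVPC builds the topology from the description: cluster subnets in zones b and c, an
// Outposts rack anchored to zone a, public subnets in all three. IDs, zones and ARN are constructed.
func sampleVPC(tagOutpostsUnmanaged bool) []Subnet {
	opArn := "arn:aws:outposts:us-east-1:000000000000:outpost/op-example"
	opTags := map[string]string{}
	if tagOutpostsUnmanaged {
		opTags[tagUnmanaged] = "true"
	}
	return []Subnet{
		{ID: "subnet-b-public", Zone: "us-east-1b", Public: true, Tags: map[string]string{tagRoleELB: "1"}},
		{ID: "subnet-c-public", Zone: "us-east-1c", Public: true, Tags: map[string]string{tagRoleELB: "1"}},
		{ID: "subnet-a-op-public", Zone: "us-east-1a", Public: true, OutpostArn: opArn, Tags: opTags},
		{ID: "subnet-a-op-private", Zone: "us-east-1a", OutpostArn: opArn, Tags: opTags},
	}
}

func main() {
	for _, tc := range []struct {
		name                       string
		unmanagedTag, skipOutposts bool
	}{
		{"reported behaviour", false, false},
		{"workaround: unmanaged tag on Outposts subnets", true, false},
		{"expected fix: CCM skips Outposts subnets", false, true},
	} {
		sel := selectLBSubnets(sampleVPC(tc.unmanagedTag), tc.skipOutposts)
		fmt.Printf("%-48s selected=%v err=%v\n", tc.name, sel, validateForCLB(sel))
	}
}
```

Running it prints three lines: the reported behaviour selects the Zone A Outposts subnet alongside Zones B and C and fails the classic LB check, while both the tag workaround and the skipOutposts path select only the Zone B and C subnets and pass.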
      

      Version-Release number of selected component (if applicable):

      4.15

      How reproducible:

      always

      Steps to Reproduce:

      1. Create an OCP cluster using zones other than the one the Outposts rack is attached to.
      2. Create Outposts subnets, public and private, attached to their respective route tables (a private Outposts subnet can be attached to any private route table used in the region).
      3. Create a Service of type LoadBalancer with the default configuration.
          

      Actual results:

          $ oc describe svc $SVC_NAME_CLB_SB -n ${APP_NAME} | grep ^Events -A20
      Events:
        Type     Reason                  Age    From                Message
        ----     ------                  ----   ----                -------
        Warning  SyncLoadBalancerFailed  4m56s  service-controller  Error syncing load balancer: failed to ensure load balancer: ValidationError: You cannot use Outposts subnets for load balancers of type 'classic'
                 status code: 400, request id: 875a7b34-7d34-42e2-88c6-e52c74e85d33
        x4
        Normal   EnsuringLoadBalancer    2m18s (x6 over 4m57s)  service-controller  Ensuring load balancer
        Warning  SyncLoadBalancerFailed  2m17s                  service-controller  Error syncing load balancer: failed to ensure load balancer: ValidationError: You cannot use Outposts subnets for load balancers of type 'classic'
                 status code: 400, request id: 936eb787-5d7f-4db0-9572-0b7bdf410674
      

      Expected results:

          The service LoadBalancer should be created using only the Availability Zones' subnets, with the CCM ignoring the Outposts subnets, because network-based load balancers (CLB/NLB) are not currently supported on AWS Outposts infrastructure (from Features[1]/network/Load Balancer):
      > You can provision an Application Load Balancer (ALB) to automatically distribute incoming HTTP(S) traffic across multiple targets on your Outposts rack, such as Amazon EC2 instances, containers, and IP addresses. ALB on Outposts is fully managed, operates in a single subnet, and scales automatically up to the capacity available on the Outposts rack to meet varying levels of application load without manual intervention.
      
      [1] https://aws.amazon.com/outposts/rack/features/

      Additional info:

      - Similar issue/limitation on AWS Local Zones: https://github.com/kubernetes/cloud-provider-aws/pull/499
      - Slack conversations on this topic from the Outposts documentation review:
      https://redhat-internal.slack.com/archives/C06K5PQSJ2H/p1708534439499289?thread_ts=1708146721.968889&cid=C06K5PQSJ2H
      https://redhat-internal.slack.com/archives/C06K5PQSJ2H/p1708962252415709?thread_ts=1708628189.022069&cid=C06K5PQSJ2H
      
      

      People: Theo Barber-Bany (rh-ee-tbarberb), Marco Braga (rhn-support-mrbraga), Zhaohua Sun