Loading...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Critical
Fix Version/s: 4.19.0
Affects Version/s: 4.19.0
Component/s: Cloud Compute / Cloud Controller Manager
Labels:
- pre-merge-tested

Activity Type:
Quality / Stability / Reliability
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Story Points:
None
Severity:
Critical
Regression:
Yes

Target Backport Versions:
None
Target Version:

4.19.0
Release Blocker:
Approved
Sprint:
None

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Release Note Status:
In Progress
Release Note Type:
Release Note Not Required
Release Note Text:
None

Escape Reason:
None
Escape Impact:
None
Corrective Measures:
None
SDLC stage when should've been found:
None

Description of problem:

During AzureStack installs, both Terraform and CAPZ (WIP) based, the ingress operator goes degraded:

The "default" ingress controller reports Available=False: IngressControllerUnavailable: One or more status conditions indicate unavailable: LoadBalancerReady=False (SyncLoadBalancerFailed: The service-controller component is reporting SyncLoadBalancerFailed events like: Error syncing load balancer: failed to ensure load balancer: EnsureLoadBalancer failed due to fail to lock azure resources. This may because another component is trying to update azure resources, e.g., load balancers. This will be automatically retried by cloud provider exponentially: leases.coordination.k8s.io "aks-managed-resource-locker" is forbidden: User "system:serviceaccount:kube-system:azure-cloud-provider" cannot get resource "leases" in API group "coordination.k8s.io" in the namespace "kube-system"...

Version-Release number of selected component (if applicable):

4.19ec3

How reproducible:

    Always

Steps to Reproduce:

    1. Use WIP cloud-provider-azure fix https://github.com/openshift/cloud-provider-azure/pull/141
    2. Install to Azure Stack
    3. check ingress co

Actual results:

    Operator is degraded with rbac error above

Expected results:

    Operator is available

Additional info:

This upstream change looks related:

https://github.com/kubernetes-sigs/cloud-provider-azure/pull/7344

As mentioned in steps to reproduce, I have a WIP fix for https://issues.redhat.com/browse/OCPBUGS-51090 which then results is this bug. If RBAC is related to node labels, these two bugs could be related. I think they are separate bugs, but worth mentioning.

Our Azure Stack environment is inaccessible to CI right now due to a new security policy from the provider. The provider is meeting today to put together a plan to move forward. I am happy to facilitate or test in any way, I just don't know how to fix this bug.

Must gather attached.

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List
  - Download All

must-gather-ash.tar.gz
77.40 MB
2025/03/31 3:07 PM

links to

openshift/cluster-cloud-controller-manager-operator#387: OCPBUGS-54427: Add rbac leases rbac for cloud-provider on Azure stack hub

RHEA-2024:11038 OpenShift Container Platform 4.19.z bug fix update

Assignee:: Radek Manak

Reporter:: Patrick Dillon

Need Info From:: None

Contributors:: None

QA Contact:: Zhaohua Sun

Doc Contact:: None

Votes:: 0 Vote for this issue

Watchers:: 8 Start watching this issue

Created:: 2025/03/31 3:07 PM

Updated:: 2025/07/14 1:26 PM

Resolved:: 2025/06/17 4:58 PM

Details

Description

Attachments

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates

Hide