OpenShift Bugs: OCPBUGS-54763

HyperShift fails to attach nodepool additional network on OpenStack for non-admin projects

    • Quality / Stability / Reliability
    • Important
    • In Progress
    • Release Note Not Required

      Description of problem:

      When creating a HyperShift cluster on OpenStack using the --openstack-node-additional-port flag to attach an additional network, cluster creation fails due to Neutron policy restrictions related to port security settings. The issue occurs when using a non-admin OpenStack project.
      

      Version-Release number of selected component (if applicable):

      - RHOS-17.1-RHEL-9-20241030.n.1
      - Management Cluster (HyperShift): 4.19.0-0.nightly-2025-04-04-170728
      - Hosted Cluster: 4.18.8
      - hcp version:
      Client Version: openshift/hypershift: 14daa753ec8409aa140bf0299fed55ea1069f389. Latest supported OCP: 4.19.0
      Server Version: <unknown>
      Server Supports OCP Versions: 4.19, 4.18, 4.17, 4.16, 4.15, 4.14

      How reproducible:

      Always when using a non-admin OpenStack project

      Steps to Reproduce:

      1. Create an OpenStack project and user without admin privileges
      2. Run HyperShift cluster creation with additional network:
      ```
      hcp create cluster openstack \
        --name $CLUSTER_NAME \
        [other parameters] \
        --openstack-node-additional-port "network-id:${STORAGE_NFS_NETWORK_ID},disable-port-security:true"
      ```
      3. Observe the nodepool configuration:
      ```
      {
        "additionalPorts": [
          {
            "network": {
              "id": "769aab27-82c5-4021-bce2-ad6a4effaa1a"
            },
            "portSecurityPolicy": "Disabled"
          }
        ],
        "flavor": "worker"
      }
      ```
      4. Check the OpenStack cluster events:
      ```
      Failed to create port shiftstack-hcp-no-admin-xxxxx-1: Expected HTTP response code [201 202], but got 403 instead: {"NeutronError": {"type": "PolicyNotAuthorized", "message": "(rule:create_port and rule:create_port:port_security_enabled) is disallowed by policy"}}
      ```
      5. The cluster remains in a failed state with worker nodes unable to start

      Actual results:

      Port creation fails because port_security_enabled is set explicitly on the additional ports. Neutron evaluates the create_port:port_security_enabled rule whenever that attribute appears in the request, and the default policy restricts it to admins (or the owner of the network), so a non-admin project gets 403 PolicyNotAuthorized.

      Expected results:

      HyperShift should be able to create clusters with additional networks without requiring admin privileges, similar to how IPI deployments work.
      

      Workaround:

      Granting the admin role to the OpenStack project user resolved the issue:
      ```
      openstack role add --user hostedcluster-user_no_admin --project shiftstack-hosted_cluster_no_admin admin
      ```
      After applying the admin role, all ports were created successfully and servers launched without issues.

      Additional info:

      - This issue affects only non-admin users; with admin privileges the operation succeeds
      - Faced the same issue using just --openstack-node-additional-port "network-id:${ID}" with no security settings
      - In IPI clusters, additional networks use noAllowedAddressPairs: true which doesn't trigger this policy restriction
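      The following is an added example, not HyperShift or cluster-api-provider-openstack code. It models, offline, the three things the report turns on: the Neutron request body an additional NodePool port produces (an unset portSecurityPolicy omits port_security_enabled entirely), the default attribute policy a non-admin caller trips when the attribute is present, and parsing the 403 body quoted in the cluster events. The policy strings are the long-standing upstream Neutron defaults and are an assumption about this deployment (a site policy.yaml may override them); the event line is constructed from the one quoted above; the project and role names are illustrative. It also shows why the workaround works and that granting the admin role is broader than the rule requires: owning the target network, or not sending the attribute at all, satisfies the same check.

```python
"""Added example, not HyperShift or cluster-api-provider-openstack code.

Models the Neutron create_port policy interaction from OCPBUGS-54763.
Assumption: the upstream Neutron policy defaults apply unchanged:
  "create_port": ""   (any authenticated project member)
  "create_port:port_security_enabled":
      "rule:context_is_advsvc or rule:admin_or_network_owner"
"""
import json
import re

ATTRIBUTE_RULE = "create_port:port_security_enabled"


def build_port_request(network_id, port_security_policy=None):
    """Return the POST /v2.0/ports body for one additional NodePool port.

    port_security_policy mirrors the NodePool field: None (unset), "Enabled"
    or "Disabled". The security-relevant detail is that None omits the
    attribute: Neutron only evaluates an attribute rule for attributes that
    appear in the request, so an unset policy never needs the admin role.
    """
    port = {"network_id": network_id}
    if port_security_policy == "Disabled":
        port["port_security_enabled"] = False
    elif port_security_policy == "Enabled":
        port["port_security_enabled"] = True
    elif port_security_policy is not None:
        raise ValueError(f"unknown portSecurityPolicy {port_security_policy!r}")
    return {"port": port}


def denied_rules(request, caller_project, caller_roles, network_owner_project):
    """Evaluate the default create_port policy for a request and a caller.

    Returns the rule names that deny the call (empty list means allowed).
    rule:admin_or_network_owner is modelled as "caller has the admin role,
    or the caller's project owns the target network"; advsvc contexts are
    not modelled.
    """
    port = request["port"]
    is_admin = "admin" in caller_roles
    owns_network = caller_project == network_owner_project
    denied = []
    if "port_security_enabled" in port and not (is_admin or owns_network):
        denied.append(ATTRIBUTE_RULE)
    return denied


# Constructed from the cluster event quoted in the report (port name redacted there).
SAMPLE_EVENT = (
    "Failed to create port shiftstack-hcp-no-admin-xxxxx-1: "
    "Expected HTTP response code [201 202], but got 403 instead: "
    '{"NeutronError": {"type": "PolicyNotAuthorized", '
    '"message": "(rule:create_port and rule:create_port:port_security_enabled) '
    'is disallowed by policy"}}'
)


def parse_neutron_policy_error(event_text):
    """Extract status, error type and the policy rules from a CAPO event line.

    Returns None when the line does not carry a Neutron HTTP error body.
    """
    m = re.search(r"got (\d{3}) instead: (\{.*\})\s*$", event_text)
    if not m:
        return None
    body = json.loads(m.group(2))
    err = body.get("NeutronError", {})
    return {
        "status": int(m.group(1)),
        "type": err.get("type"),
        "rules": re.findall(r"rule:([\w:]+)", err.get("message", "")),
    }


if __name__ == "__main__":
    net = "769aab27-82c5-4021-bce2-ad6a4effaa1a"
    proj = "shiftstack-hosted_cluster_no_admin"   # illustrative non-admin project
    req = build_port_request(net, "Disabled")
    # Non-admin project that does not own the (shared) network: denied.
    print(denied_rules(req, proj, ["member"], "admin"))
    # Same request after the report's workaround (admin role added): allowed.
    print(denied_rules(req, proj, ["member", "admin"], "admin"))
    # Same request when the caller's project owns the network: allowed.
    print(denied_rules(req, proj, ["member"], proj))
    # Unset policy: attribute omitted, no admin role needed.
    print(denied_rules(build_port_request(net), proj, ["member"], "admin"))
    print(parse_neutron_policy_error(SAMPLE_EVENT))
```

      Run it as-is to see the four policy outcomes and the parsed event; before filing an admin-role request, the same model explains why a NodePool that never sends port_security_enabled would not need one.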

              Emilien Macchi (emacchi@redhat.com)
              Itay Matza (rhn-support-imatza)
              Ramón Lobillo