Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-5491

[Azure] EgressIP cannot be applied to the egress node on Azure private cluster

XMLWordPrintable

    • Important
    • None
    • SDN Sprint 230, SDN Sprint 236, SDN Sprint 237, SDN Sprint 238, SDN Sprint 239, SDN Sprint 241, SDN Sprint 242, SDN Sprint 243
    • 8
    • Rejected
    • False
    • Hide

      None

      Show
      None
    • Hide
      * Previously, there was a limitation in private Microsoft Azure clusters where secondary IP addresses designated as egress IP addresses lacked outbound connectivity. This meant that pods associated with these IP addresses were unable to access the internet. However, they could still reach external servers within the infrastructure network, which is the intended use case for egress IP addresses. This update enables egress IP addresses for Microsoft Azure clusters, allowing outbound connectivity to be achieved through outbound rules. (link:https://issues.redhat.com/browse/OCPBUGS-5491[*OCPBUGS-5491*])
      Show
      * Previously, there was a limitation in private Microsoft Azure clusters where secondary IP addresses designated as egress IP addresses lacked outbound connectivity. This meant that pods associated with these IP addresses were unable to access the internet. However, they could still reach external servers within the infrastructure network, which is the intended use case for egress IP addresses. This update enables egress IP addresses for Microsoft Azure clusters, allowing outbound connectivity to be achieved through outbound rules. (link: https://issues.redhat.com/browse/OCPBUGS-5491 [* OCPBUGS-5491 *])
    • Bug Fix
    • Done

      Description of problem:

      The issue was found in ci, and it is an Azure private cluster, all the egressIP cases failed due to  EgressIP cannot be applied to the egress node. It was able to be reproduced manually. 
      
      

      Version-Release number of selected component (if applicable):

      4.12.0-0.nightly-2023-01-08-142418
      
      

      How reproducible:

      Always
      
      

      Steps to Reproduce:

      1. Label one worker node as egress node
      2. Create one egressIP object
      3.
      

      Actual results:

      % oc get egressip
      NAME             EGRESSIPS    ASSIGNED NODE   ASSIGNED EGRESSIPS
      egressip-2       10.0.1.10                    
      egressip-47164   10.0.1.217 
      
      % oc get cloudprivateipconfig 
      NAME         AGE
      10.0.1.10    18m
      10.0.1.217   22m
      % oc get cloudprivateipconfig  -o yaml
      apiVersion: v1
      items:
      - apiVersion: cloud.network.openshift.io/v1
        kind: CloudPrivateIPConfig
        metadata:
          annotations:
            k8s.ovn.org/egressip-owner-ref: egressip-2
          creationTimestamp: "2023-01-09T10:11:33Z"
          finalizers:
          - cloudprivateipconfig.cloud.network.openshift.io/finalizer
          generation: 1
          name: 10.0.1.10
          resourceVersion: "59723"
          uid: d697568a-7d7c-471a-b5e1-d7b814244549
        spec:
          node: huirwang-0109b-bv4ld-worker-eastus1-llmpb
        status:
          conditions:
          - lastTransitionTime: "2023-01-09T10:17:06Z"
            message: 'Error processing cloud assignment request, err: network.InterfacesClient#CreateOrUpdate:
              Failure sending request: StatusCode=0 -- Original Error: Code="OutboundRuleCannotBeUsedWithBackendAddressPoolThatIsReferencedBySecondaryIpConfigs"
              Message="OutboundRule /subscriptions/53b8f551-f0fc-4bea-8cba-6d1fefd54c8a/resourceGroups/huirwang-0109b-bv4ld-rg/providers/Microsoft.Network/loadBalancers/huirwang-0109b-bv4ld/outboundRules/outbound-rule-v4
              cannot be used with Backend Address Pool /subscriptions/53b8f551-f0fc-4bea-8cba-6d1fefd54c8a/resourceGroups/huirwang-0109b-bv4ld-rg/providers/Microsoft.Network/loadBalancers/huirwang-0109b-bv4ld/backendAddressPools/huirwang-0109b-bv4ld
              that contains Secondary IPConfig /subscriptions/53b8f551-f0fc-4bea-8cba-6d1fefd54c8a/resourceGroups/huirwang-0109b-bv4ld-rg/providers/Microsoft.Network/networkInterfaces/huirwang-0109b-bv4ld-worker-eastus1-llmpb-nic/ipConfigurations/huirwang-0109b-bv4ld-worker-eastus1-llmpb_10.0.1.10"
              Details=[]'
            observedGeneration: 1
            reason: CloudResponseError
            status: "False"
            type: Assigned
          node: huirwang-0109b-bv4ld-worker-eastus1-llmpb
      - apiVersion: cloud.network.openshift.io/v1
        kind: CloudPrivateIPConfig
        metadata:
          annotations:
            k8s.ovn.org/egressip-owner-ref: egressip-47164
          creationTimestamp: "2023-01-09T10:07:56Z"
          finalizers:
          - cloudprivateipconfig.cloud.network.openshift.io/finalizer
          generation: 1
          name: 10.0.1.217
          resourceVersion: "58333"
          uid: 6a7d6196-cfc9-4859-9150-7371f5818b74
        spec:
          node: huirwang-0109b-bv4ld-worker-eastus1-llmpb
        status:
          conditions:
          - lastTransitionTime: "2023-01-09T10:13:29Z"
            message: 'Error processing cloud assignment request, err: network.InterfacesClient#CreateOrUpdate:
              Failure sending request: StatusCode=0 -- Original Error: Code="OutboundRuleCannotBeUsedWithBackendAddressPoolThatIsReferencedBySecondaryIpConfigs"
              Message="OutboundRule /subscriptions/53b8f551-f0fc-4bea-8cba-6d1fefd54c8a/resourceGroups/huirwang-0109b-bv4ld-rg/providers/Microsoft.Network/loadBalancers/huirwang-0109b-bv4ld/outboundRules/outbound-rule-v4
              cannot be used with Backend Address Pool /subscriptions/53b8f551-f0fc-4bea-8cba-6d1fefd54c8a/resourceGroups/huirwang-0109b-bv4ld-rg/providers/Microsoft.Network/loadBalancers/huirwang-0109b-bv4ld/backendAddressPools/huirwang-0109b-bv4ld
              that contains Secondary IPConfig /subscriptions/53b8f551-f0fc-4bea-8cba-6d1fefd54c8a/resourceGroups/huirwang-0109b-bv4ld-rg/providers/Microsoft.Network/networkInterfaces/huirwang-0109b-bv4ld-worker-eastus1-llmpb-nic/ipConfigurations/huirwang-0109b-bv4ld-worker-eastus1-llmpb_10.0.1.217"
              Details=[]'
            observedGeneration: 1
            reason: CloudResponseError
            status: "False"
            type: Assigned
          node: huirwang-0109b-bv4ld-worker-eastus1-llmpb
      kind: List
      metadata:
        resourceVersion: ""
      

      Expected results:

      EgressIP can be applied correctly
      
      

      Additional info:

      
      

              rravaiol@redhat.com Riccardo Ravaioli
              huirwang Huiran Wang
              Huiran Wang Huiran Wang
              Votes:
              4 Vote for this issue
              Watchers:
              22 Start watching this issue

                Created:
                Updated:
                Resolved: