Bug
Resolution: Unresolved
Major
4.19
Quality / Stability / Reliability
False
Critical
Rejected
Description of problem:
OCP-36891 failed running on an AKS HCP cluster (https://qe-private-deck-ci.apps.ci.l2s4.p1.openshiftapps.com/view/gs/qe-private-deck/pr-logs/pull/openshift_release/63960/rehearse-63960-periodic-ci-openshift-openshift-tests-private-release-4.19-amd64-nightly-azure-aks-hypershift-ephemeral-creds-guest-f7/1917607720215646208). On rerun, after updating the ingresscontroller's scope from External to Internal (or Internal to External), the load balancer service's LB IP wasn't updated in one test (please refer to the comment by Shudi Li added a comment - 2025/05/08 6:23 AM, thanks).
Version-Release number of selected component (if applicable):
How reproducible:
100%
Steps to Reproduce:
1. Run the case or try to create an internal ingresscontroller.

2. Check the lb service; the EXTERNAL-IP was pending:

    % oc -n openshift-ingress get svc router-ocp36891
    NAME              TYPE           CLUSTER-IP     EXTERNAL-IP   PORT(S)                      AGE
    router-ocp36891   LoadBalancer   172.31.90.59   <pending>     80:30948/TCP,443:31586/TCP   2m8s

3. Check the custom ingresscontroller; there was an error code of "AuthorizationFailed":

    % oc -n openshift-ingress-operator get ingresscontroller ocp36891 -oyaml
    ...
    - lastTransitionTime: "2025-05-07T11:17:18Z"
      message: |-
        The service-controller component is reporting SyncLoadBalancerFailed events like: Error syncing load balancer: failed to ensure load balancer: DELETE https://management.azure.com/subscriptions/53b8f551-f0fc-4bea-8cba-6d1fefd54c8a/resourceGroups/ci-op-l1bhc39r-96339-rg/providers/Microsoft.Network/publicIPAddresses/1ad8bbf4832ac6adba5b-v7cwp-a45bd18b5bcd949c38eea35770559a82
        --------------------------------------------------------------------------------
        RESPONSE 403: 403 Forbidden
        ERROR CODE: AuthorizationFailed
        --------------------------------------------------------------------------------
        {
          "error": {
            "code": "AuthorizationFailed",
            "message": "The client '38bf9beb-0a28-4e9a-a217-e274e86f6922' with object id '38bf9beb-0a28-4e9a-a217-e274e86f6922' does not have authorization to perform action 'Microsoft.Network/publicIPAddresses/delete' over scope '/subscriptions/53b8f551-f0fc-4bea-8cba-6d1fefd54c8a/resourceGroups/ci-op-l1bhc39r-96339-rg/providers/Microsoft.Network/publicIPAddresses/1ad8bbf4832ac6adba5b-v7cwp-a45bd18b5bcd949c38eea35770559a82' or the scope is invalid. If access was recently granted, please refresh your credentials."
          }
        }
        --------------------------------------------------------------------------------
        The cloud-controller-manager logs may contain more details.
      reason: SyncLoadBalancerFailed
      status: "False"
      type: LoadBalancerReady

4. Check the cluster version:

    % oc get clusterversion
    NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
    version   4.19.0-0.nightly-2025-05-06-051838   True        False         170m    Cluster version is 4.19.0-0.nightly-2025-05-06-051838
Actual results:
EXTERNAL-IP of the lb service was pending
Expected results:
OCP-36891 could run successfully: the lb service of the internal ingresscontroller could retrieve an LB IP; then, after updating the scope of the ingresscontroller from internal to external, it could also retrieve an external LB IP.
Additional info:
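
For triage of the identity's role assignment, the following added example (not part of the ticket or of any OpenShift component) extracts the denied principal, action and scope from AuthorizationFailed text like the condition message in step 3 and groups the missing actions per principal and resource group. The function names are hypothetical, and the sample message uses constructed placeholder GUIDs and resource names.

```python
import re
from collections import defaultdict

# Pattern follows the ARM AuthorizationFailed wording quoted in the ticket.
AUTHZ_RE = re.compile(
    r"The client '(?P<client>[^']+)' with object id '(?P<object_id>[^']+)' "
    r"does not have authorization to perform action '(?P<action>[^']+)' "
    r"over scope '(?P<scope>[^']+)'"
)
# Scope layout: /subscriptions/<sub>/resourceGroups/<rg>[/providers/<ns>/<type>/<name>]
SCOPE_RE = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)/resourceGroups/(?P<rg>[^/]+)"
    r"(?:/providers/(?P<rtype>[^/]+/[^/]+)/(?P<name>.+))?$",
    re.IGNORECASE,
)
EMPTY_SCOPE = {"sub": None, "rg": None, "rtype": None, "name": None}

# Constructed sample input: placeholder GUIDs and names, not values from the ticket.
SAMPLE = (
    "ERROR CODE: AuthorizationFailed\n"
    "The client '00000000-0000-0000-0000-000000000001' with object id "
    "'00000000-0000-0000-0000-000000000001' does not have authorization to perform action "
    "'Microsoft.Network/publicIPAddresses/delete' over scope "
    "'/subscriptions/00000000-0000-0000-0000-0000000000aa/resourceGroups/example-rg"
    "/providers/Microsoft.Network/publicIPAddresses/example-pip' or the scope is invalid."
)

def parse_denials(text):
    """Return one dict per AuthorizationFailed message found in text."""
    denials = []
    for m in AUTHZ_RE.finditer(text):
        d = m.groupdict()
        s = SCOPE_RE.match(d["scope"])
        d.update(s.groupdict() if s else EMPTY_SCOPE)
        # Sanity check: the denied action should target the resource type in the scope.
        rtype = (d["rtype"] or "").lower()
        d["action_matches_type"] = bool(rtype) and d["action"].lower().startswith(rtype + "/")
        denials.append(d)
    return denials

def missing_actions(denials):
    """Group denied actions by (principal object id, resource group)."""
    grouped = defaultdict(set)
    for d in denials:
        grouped[(d["object_id"], d["rg"])].add(d["action"])
    return {key: sorted(actions) for key, actions in grouped.items()}

if __name__ == "__main__":
    for (principal, rg), actions in missing_actions(parse_denials(SAMPLE)).items():
        print(f"principal {principal} lacks {actions} in resource group {rg}")
```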