Bug
Resolution: Unresolved
4.20
Quality / Stability / Reliability
Moderate
OpenShift SPLAT - Sprint 276, OpenShift SPLAT - Sprint 277, OpenShift SPLAT - Sprint 278
Description of problem:
In the install-config.yaml file, dataDisks were set under both the controlPlane and compute sections as below. Installation succeeds, but the settings are not applied on all nodes.

    compute:
    - architecture: amd64
      hyperthreading: Enabled
      name: worker
      platform:
        azure:
          encryptionAtHost: true
          settings:
            securityType: ConfidentialVM
            confidentialVM:
              uefiSettings:
                secureBoot: Enabled
                virtualizedTrustedPlatformModule: Enabled
          osDisk:
            securityProfile:
              securityEncryptionType: VMGuestStateOnly
          type: Standard_DC4ads_v5
          dataDisks:
          - cachingType: ReadWrite
            diskSizeGB: 256
            lun: 1
            nameSuffix: vardisk
            managedDisk:
              storageAccountType: Premium_LRS
              securityProfile:
                securityEncryptionType: VMGuestStateOnly
      diskSetup:
      - type: user-defined
        userDefined:
          platformDiskID: vardisk
          mountPath: /var
      replicas: 3
    controlPlane:
      architecture: amd64
      hyperthreading: Enabled
      name: master
      platform:
        azure:
          encryptionAtHost: false
          settings:
            securityType: ConfidentialVM
            confidentialVM:
              uefiSettings:
                secureBoot: Enabled
                virtualizedTrustedPlatformModule: Enabled
          osDisk:
            securityProfile:
              securityEncryptionType: VMGuestStateOnly
          type: Standard_DC8ads_v5
          dataDisks:
          - cachingType: ReadWrite
            diskSizeGB: 256
            lun: 1
            nameSuffix: uddisk
            managedDisk:
              storageAccountType: Premium_LRS
              securityProfile:
                securityEncryptionType: VMGuestStateOnly
      diskSetup:
      - type: user-defined
        userDefined:
          platformDiskID: uddisk
          mountPath: /var/lib/containers
      replicas: 3

For master nodes, the spec in the cluster-api machine manifests looks correct:

    $ cat 10_inframachine_jimamdisk-789cj-master-0.yaml
    apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
    ......
    spec:
      additionalCapabilities:
        ultraSSDEnabled: false
      additionalTags:
        kubernetes.io_cluster.jimamdisk-789cj: owned
      dataDisks:
      - cachingType: ReadWrite
        diskSizeGB: 256
        lun: 1
        managedDisk:
          securityProfile:
            securityEncryptionType: VMGuestStateOnly
          storageAccountType: Premium_LRS
        nameSuffix: uddisk

But securityProfile on the data disk of the created master machine is null:

    $ az vm show -n jimamdisk-4bgfj-master-0 -g jimamdisk-4bgfj-rg --query storageProfile.dataDisks[].managedDisk
    [
      {
        "diskEncryptionSet": null,
        "id": "/subscriptions/53b8f551-f0fc-4bea-8cba-6d1fefd54c8a/resourceGroups/jimamdisk-4bgfj-rg/providers/Microsoft.Compute/disks/jimamdisk-4bgfj-master-0_uddisk",
        "resourceGroup": "jimamdisk-4bgfj-rg",
        "securityProfile": null,
        "storageAccountType": "Premium_LRS"
      }
    ]

For worker nodes, after generating manifests, the spec in the worker machineset manifest does not include the securityProfile settings at all:

    $ cat 99_openshift-cluster-api_worker-machineset-0.yaml
    apiVersion: machine.openshift.io/v1beta1
    ......
    spec:
      ......
      template:
        spec:
          providerSpec:
            value:
              apiVersion: machine.openshift.io/v1beta1
              credentialsSecret:
                name: azure-cloud-credentials
                namespace: openshift-machine-api
              dataDisks:
              - cachingType: ReadWrite
                deletionPolicy: Delete
                diskSizeGB: 256
                lun: 1
                managedDisk:
                  storageAccountType: Premium_LRS
                nameSuffix: vardisk
Version-Release number of selected component (if applicable):
Built from PR https://github.com/openshift/installer/pull/9706
How reproducible:
Always
Steps to Reproduce:
1. Configure dataDisks with the 'VMGuestStateOnly' securityEncryptionType.
2. Install the cluster.
3. Check each node to make sure that the specified securityEncryptionType is applied.
Actual results:
Specified securityEncryptionType is not applied on all nodes.
Expected results:
Specified securityEncryptionType is applied on each node.
Additional info:
Besides the above issue, when a user configures dataDisks.managedDisk.securityProfile, the field settings.securityType under controlPlane/compute/defaultMachinePlatform should be 'ConfidentialVM' to make sure that the machine is provisioned with the ConfidentialVM security type. Otherwise, provisioning of the master machines fails with the following error:

    WARNING Condition VMRunning has status: "False", reason: "Failed", message: "virtualmachine failed to create or update. err: failed to create or update resource jimadisk-lcp8j-rg/jimadisk-lcp8j-master-1 (service: virtualmachine): PUT https://management.azure.com/subscriptions/53b8f551-f0fc-4bea-8cba-6d1fefd54c8a/resourceGroups/jimadisk-lcp8j-rg/providers/Microsoft.Compute/virtualMachines/jimadisk-lcp8j-master-1
    --------------------------------------------------------------------------------
    RESPONSE 400: 400 Bad Request
    ERROR CODE: BadRequest
    --------------------------------------------------------------------------------
    {
      "error": {
        "code": "BadRequest",
        "message": "The VM size 'Standard_DC4ads_v5' is not supported for creation of VMs and Virtual Machine Scale Set with '<NULL>' security type."
      }
    }"

So a pre-check for this case is suggested.
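As an added example (not code from this report or from the openshift/installer project), the two checks the report asks for in Python: the install-config pre-check for settings.securityType suggested above, and the per-node verification from step 3 run over `az vm show --query storageProfile.dataDisks[].managedDisk` output. Function names and the sample dicts are constructed; the install-config key names follow the report.

```python
import json

CONFIDENTIAL_VM = "ConfidentialVM"

def disks_requesting_encryption(azure):
    """nameSuffix of every dataDisk that sets managedDisk.securityProfile.securityEncryptionType."""
    return [d.get("nameSuffix") for d in azure.get("dataDisks") or []
            if ((d.get("managedDisk") or {}).get("securityProfile") or {}).get("securityEncryptionType")]

def precheck(install_config):
    """Pre-install check suggested in the report: a pool whose dataDisks request a securityEncryptionType
    must set settings.securityType=ConfidentialVM, or Azure rejects the VM (RESPONSE 400, '<NULL>' type)."""
    pools = {"controlPlane": (install_config.get("controlPlane") or {}).get("platform", {}).get("azure")}
    for i, pool in enumerate(install_config.get("compute") or []):
        pools[f"compute[{i}]"] = pool.get("platform", {}).get("azure")
    pools["platform.azure.defaultMachinePlatform"] = (
        install_config.get("platform", {}).get("azure", {}).get("defaultMachinePlatform"))
    errors = []
    for name, azure in pools.items():
        if not azure:
            continue
        disks = disks_requesting_encryption(azure)
        sec_type = (azure.get("settings") or {}).get("securityType")
        if disks and sec_type != CONFIDENTIAL_VM:
            errors.append(f"{name}: dataDisks {disks} set securityEncryptionType but "
                          f"settings.securityType is {sec_type!r}, expected {CONFIDENTIAL_VM!r}")
    return errors

def postcheck(az_managed_disks_json, expected):
    """Post-install check (step 3 of the report) over `az vm show --query storageProfile.dataDisks[].managedDisk`
    output: return (disk name, actual securityEncryptionType) for every disk that does not match install-config."""
    mismatches = []
    for md in json.loads(az_managed_disks_json):
        actual = (md.get("securityProfile") or {}).get("securityEncryptionType")
        if actual != expected:
            mismatches.append((md["id"].rsplit("/", 1)[-1], actual))
    return mismatches

# Constructed sample mirroring the report: settings.securityType omitted while the
# data disk asks for VMGuestStateOnly, which is the case the pre-check should reject.
SAMPLE_CONFIG = {"controlPlane": {"platform": {"azure": {"dataDisks": [{"nameSuffix": "uddisk",
    "managedDisk": {"securityProfile": {"securityEncryptionType": "VMGuestStateOnly"}}}]}}}}
# Constructed az output in the shape seen in the report: securityProfile is null on the created disk.
SAMPLE_AZ = ('[{"id": "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Compute/disks/'
             'example-master-0_uddisk", "securityProfile": null, "storageAccountType": "Premium_LRS"}]')

if __name__ == "__main__":
    print(precheck(SAMPLE_CONFIG))
    print(postcheck(SAMPLE_AZ, "VMGuestStateOnly"))
```

Running precheck over a config that sets securityType: ConfidentialVM on the same pool returns an empty list, and postcheck returns an empty list once every disk reports the expected type.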