OpenShift Bugs / OCPBUGS-60385

Missing Microsoft.Network/publicIPAddresses/delete permission in CCM


    • Quality / Stability / Reliability
    • CLOUD Sprint 275, CLOUD Sprint 276, CLOUD Sprint 277

      Description of problem:

          The public IP address resource in Azure is not getting cleaned up after a load balancer service 

      Version-Release number of selected component (if applicable):

          4.14+ (since the introduction of Azure workload identity integration)

      How reproducible:

          every time

      Steps to Reproduce:

          1. Create service of type loadbalancer with public IP address
          2. Delete service of type loadbalancer
          3. View public IP address that is orphaned
          4. View CCM logs that contain Authorization errors
          

      Actual results:

          Public IP address is orphaned in OCP

      Expected results:

          Public IP address is deleted after loadbalancer service deleted

      Additional info:

      apiVersion: v1
      kind: Service
      metadata:
        name: my-service
      spec:
        selector:
          app.kubernetes.io/name: MyApp
        ports:
          - protocol: TCP
            port: 80
            targetPort: 9376
        type: LoadBalancer
      
      
      
      E0811 20:53:34.562512       1 controller.go:298] error processing service default/my-service (retrying with exponential backoff): failed to ensure load balancer: Retriable: false, RetryAfter: 0s, HTTPStatusCode: 403, RawError: {"error":{"code":"AuthorizationFailed","message":"The client '9da1d489-6b30-429d-acc5-8c097f9fb898' with object id '9da1d489-6b30-429d-acc5-8c097f9fb898' does not have authorization to perform action 'Microsoft.Network/publicIPAddresses/delete' over scope '/subscriptions/fe16a035-e540-4ab7-80d9-373fa9a3d6ae/resourceGroups/aro-c6axpif1/providers/Microsoft.Network/publicIPAddresses/sre-shared-miwi-clust-t2hnr-ad1e00fae809141bb95cf324f8c07f2e' or the scope is invalid. If access was recently granted, please refresh your credentials."}}
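
An added example, not part of the original report or of the CCM code: it pulls the denied action and scope out of CCM log lines like the one above and checks them against a role definition, so a missing permission shows up before a resource is orphaned. It assumes the role definition is JSON in the `permissions` / `actions` / `notActions` shape that `az role definition list` prints; the sample role and the placeholder IDs in the sample log line are constructed.

```python
import re
from fnmatch import fnmatchcase

# Denied action and scope as they appear in the ARM AuthorizationFailed message.
DENIED = re.compile(r"does not have authorization to perform action '([^']+)' "
                    r"over scope '([^']+)'")

def denied_operations(log_lines):
    """Unique (action, scope) pairs from AuthorizationFailed lines, in log order."""
    seen = []
    for line in log_lines:
        m = DENIED.search(line) if "AuthorizationFailed" in line else None
        if m and m.groups() not in seen:  # retries repeat the same denial
            seen.append(m.groups())
    return seen

def role_allows(role_definition, action):
    """True if a permissions block grants `action` (case-insensitive, `*`
    wildcards) and that block's notActions does not exclude it."""
    wanted = action.lower()
    hit = lambda patterns: any(fnmatchcase(wanted, p.lower()) for p in patterns)
    return any(hit(b.get("actions", [])) and not hit(b.get("notActions", []))
               for b in role_definition.get("permissions", []))

def missing_actions(log_lines, role_definition):
    """Denied actions seen in the logs that the role definition does not grant."""
    return sorted({a for a, _ in denied_operations(log_lines)
                   if not role_allows(role_definition, a)})

# Constructed log line modelled on the error above; IDs are placeholders.
SAMPLE_LINE = (
    'E0811 20:53:34.562512       1 controller.go:298] error processing service '
    'default/my-service: HTTPStatusCode: 403, RawError: {"error":{"code":'
    '"AuthorizationFailed","message":"The client \'<client-id>\' does not have '
    "authorization to perform action 'Microsoft.Network/publicIPAddresses/delete' "
    "over scope '/subscriptions/<sub>/resourceGroups/<rg>/providers/"
    "Microsoft.Network/publicIPAddresses/<pip-name>' or the scope is invalid.\"}}"
)
SAMPLE_LOG = [SAMPLE_LINE, SAMPLE_LINE]  # the controller retries, so lines repeat

# Constructed role definition (not the role CCM actually uses).
SAMPLE_ROLE = {"permissions": [{
    "actions": ["Microsoft.Network/publicIPAddresses/read",
                "Microsoft.Network/publicIPAddresses/write",
                "Microsoft.Network/loadBalancers/*"],
    "notActions": []}]}

if __name__ == "__main__":
    print(missing_actions(SAMPLE_LOG, SAMPLE_ROLE))
```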

       

              rmanak@redhat.com Radek Manak
              bvesel.openshift Ben Vesel
              Zhaohua Sun Zhaohua Sun