OpenShift Bugs / OCPBUGS-66067

Setting allowedCIDRBlocks field + with externalDns + publicAndPrivate will hit error

    • Quality / Stability / Reliability
    • Done
    • Bug Fix
      * Before this update, HostedCluster failed due to an invalid API server service with LoadBalancerSourceRanges when allowedCIDRBlocks, externalDns, and publicAndPrivate were set. As a consequence, a control plane failure occurred due to an invalid API server service configuration. With this release, the issue with API server service invalidity when setting allowedCIDRBlocks field with externalDns and publicAndPrivate is fixed. As a result, the control plane does not fail when setting the `allowedCIDRBlocks` field with the `externalDns` and `publicAndPrivate` parameters. (link:https://issues.redhat.com/browse/OCPBUGS-66067[OCPBUGS-66067])

      *Cause*: When a HyperShift HostedCluster uses external DNS domains and endpoint access with PublicAndPrivate, the `allowedCIDRBlocks` parameters were wrongly applied, and the control plane operator ran with an error.
      *Consequence*: The control plane operator ran with an error.
      *Fix*: When hc.spec.allowedCIDRBlocks is set, only set the LoadBalancerSourceRanges field on the KAS service when the service is of type LoadBalancer.
      *Result*: The control-plane operator runs well.
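
The guard described in the Fix, as an added Go example (not HyperShift's own code). `ServiceSpec` is a minimal stand-in for the corev1 Service fields involved, and `validate` and `applyAllowedCIDRs` are hypothetical helpers; clearing stale ranges on non-LoadBalancer services is an assumption of this example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
)

// Minimal stand-ins for the corev1.Service fields involved (constructed for this example).
type ServiceType string
const (
	ClusterIP    ServiceType = "ClusterIP"
	LoadBalancer ServiceType = "LoadBalancer"
)
type ServiceSpec struct {
	Type                     ServiceType
	LoadBalancerSourceRanges []string
}

// validate mirrors the API server rule behind the error reported in this issue.
func validate(s ServiceSpec) error {
	if len(s.LoadBalancerSourceRanges) > 0 && s.Type != LoadBalancer {
		return errors.New("spec.LoadBalancerSourceRanges: Forbidden: may only be used when `type` is 'LoadBalancer'")
	}
	return nil
}

// applyAllowedCIDRs (hypothetical helper) sets source ranges only on
// LoadBalancer services and clears stale ranges on every other type.
func applyAllowedCIDRs(s *ServiceSpec, allowed []string) error {
	for _, c := range allowed {
		if _, _, err := net.ParseCIDR(c); err != nil {
			return fmt.Errorf("invalid allowedCIDRBlocks entry %q: %w", c, err)
		}
	}
	if s.Type != LoadBalancer {
		s.LoadBalancerSourceRanges = nil
		return nil
	}
	s.LoadBalancerSourceRanges = append([]string(nil), allowed...)
	return nil
}

func main() {
	svc := ServiceSpec{Type: ClusterIP}
	err := applyAllowedCIDRs(&svc, []string{"203.0.113.0/24"}) // constructed sample CIDR
	fmt.Println(err, validate(svc))
}
```

With the guard, a non-LoadBalancer service carries no source ranges at all, so it is worth verifying where the `allowedCIDRBlocks` restriction is enforced for that exposure path.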

      Description of problem:

      Setting allowedCIDRBlocks field + with externalDns + publicAndPrivate, the control-plane failed with error:
      
      "failed to update control plane: failed to ensure infrastructure: failed to reconcile API server service: failed to reconcile API server service: Service \"kube-apiserver\" is invalid: spec.LoadBalancerSourceRanges: Forbidden: may only be used when `type` is 'LoadBalancer

      Version-Release number of selected component (if applicable):

          HyperShift 4.20

      How reproducible:

          Always

      Steps to Reproduce:

      1. Create hypershift operator with External DNS Domain:
      
       `./bin/hypershift install  --oidc-storage-provider-s3-bucket-name $BUCKET_NAME   --oidc-storage-provider-s3-credentials $AWS_CREDS   --oidc-storage-provider-s3-region $REGION   --enable-defaulting-webhook true --external-dns-credentials $AWS_CREDS --external-dns-provider=aws --external-dns-domain-filter=hypershift-ext.qe.devcluster.openshift.com --private-platform=AWS --platform-monitoring=All --wait-until-available  --aws-private-creds $AWS_CREDS  --aws-private-region=us-west-2`  
      
      
      2. Create a HostedCluster with External DNS Domain on AWS platform and set endpoint-access as PublicAndPrivate
      
        `./bin/hypershift create cluster aws --name yinzhou-hc-63509n1  --node-pool-replicas=2   --base-domain $BASE_DOMAIN   --pull-secret $PULL_SECRET   --aws-creds $AWS_CREDS   --region $REGION   --generate-ssh   --external-dns-domain hypershift-ext.qe.devcluster.openshift.com   --release-image ${RELEASE_IMAGE}  --endpoint-access PublicAndPrivate`
      
        
      3. Set the allowedCIDRBlocks field in the HostedCluster.

      Actual results:

      3. The hosted cluster failed to launch with error:
      "failed to update control plane: failed to ensure infrastructure: failed to reconcile API server service: failed to reconcile API server service: Service \"kube-apiserver\" is invalid: spec.LoadBalancerSourceRanges: Forbidden: may only be used when `type` is 'LoadBalancer

      Expected results:

      3. no issue. 

      Additional info:

       

              rh-ee-mraee Mulham Raee
              yinzhou@redhat.com Ying Zhou
              Ying Zhou Ying Zhou