Kubernetes on OpenStack cannot successfully create load balancers when running as a non-cloud-admin
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Kubernetes Control Plane Charm | Fix Released | High | Cory Johns |
Openstack Integrator Charm | Fix Released | High | Cory Johns |
Bug Description
We are using Kubernetes 1.14 deployed via CDK charms (master: cs:~containers/
Our openstack integrator is configured with credentials (i.e. not using juju trust). Importantly, the project-name config value is not the OpenStack admin project but a management project (and in other scenarios will be a customer project).
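As an illustration of that setup, a hedged sketch of the integrator configuration follows; the option names are taken from the openstack-integrator charm's config, and all values are placeholders:

```shell
# Illustrative only: credential-based config (i.e. not `juju config`d via
# `juju trust`). Note that project-name points at a management project,
# not the OpenStack admin project.
juju config openstack-integrator \
    auth-url=https://keystone.example.com:5000/v3 \
    region=RegionOne \
    username=svc-user \
    password=secret \
    project-name=management-project \
    user-domain-name=Default \
    project-domain-name=Default
```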
OpenStack is Rocky with Octavia - latest charms.
We can stand up load balancers in OpenStack via the CLI fine; however, we get failures when standing them up from Kubernetes. This is the error:
```
Every 2.0s: kubectl describe service ohc-mgmt-

Name:                     ohc-
Namespace:
Labels:                   app=grafana
                          chart=grafana-3.7.3
                          heritage=Tiller
                          release=
Annotations:              <none>
Selector:
Type:                     LoadBalancer
IP:                       10.152.183.187
Port:                     service  80/TCP
TargetPort:               3000/TCP
NodePort:                 service  32470/TCP
Endpoints:
Session Affinity:         None
External Traffic Policy:  Cluster
Events:
  Type     Reason           Age  From  Message
  ----     ------           ---  ----  -------
  Normal   EnsuringLoadBal
  Warning  CreatingLoadBal
           ana: Error occurred updating port 10db85cd-
```
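For contrast, this is the kind of direct CLI invocation that succeeds for the same management-project user (names and IDs are placeholders):

```shell
# Illustrative only: creating a load balancer directly against Octavia
# via the OpenStack CLI works fine for this user.
openstack loadbalancer create --name test-lb --vip-subnet-id <subnet-id>
openstack loadbalancer show test-lb
```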
We have hacked some of the neutron code to spit out better log messages, and we get the following when this happens:
```
2019-08-13 22:24:37.633 1863379 INFO neutron.
7508ce29803] Security group ccb5f7b0-
2019-08-13 22:24:37.634 1863379 INFO neutron.
7508ce29803] PUT failed (client error): The resource could not be found.
```
This security group refers to the Octavia-created security group for the FIP, which is created in the services_
Kubernetes therefore aborts the load balancer, issues a delete and tears it back down again. See the code in the OpenStack Cloud Provider here - https:/
This looks very similar to this bug https:/
We have confirmed that the management-project user cannot see the Octavia-generated security group: an "openstack security group show xxxx" of the lb-* security group Octavia created fails with an error similar to the one Kubernetes gets ("Error while executing command: No SecurityGroup found for 9bede94a-
This *may* be fixed by the external cloud provider code, as we note the code is different and does not try to create a security group on the VIP if Octavia is detected; however, we have not tested this.
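That theory can be sketched as follows. The type and function names here are illustrative, not the real cloud-provider API; the point is only the decision: skip VIP security-group management when Octavia is the backend.

```go
package main

import "fmt"

// lbOpts is a hypothetical stand-in for the provider's load-balancer
// options; the real config carries equivalent use-octavia and
// manage-security-groups settings.
type lbOpts struct {
	UseOctavia           bool
	ManageSecurityGroups bool
}

// needsVIPSecurityGroup mirrors the theory in this report: when Octavia
// is in use, the provider skips attaching a security group to the VIP
// port, so it never issues the PUT against the Octavia-owned lb-* group
// that a non-admin tenant cannot see.
func needsVIPSecurityGroup(o lbOpts) bool {
	return o.ManageSecurityGroups && !o.UseOctavia
}

func main() {
	fmt.Println(needsVIPSecurityGroup(lbOpts{ManageSecurityGroups: true, UseOctavia: true}))  // false
	fmt.Println(needsVIPSecurityGroup(lbOpts{ManageSecurityGroups: true, UseOctavia: false})) // true
}
```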
Changed in charm-kubernetes-master: | |
importance: | Undecided → High |
Changed in charm-openstack-integrator: | |
importance: | Undecided → High |
Changed in charm-kubernetes-master: | |
milestone: | none → 1.15+ck2 |
Changed in charm-openstack-integrator: | |
milestone: | none → 1.15+ck2 |
Changed in charm-kubernetes-master: | |
milestone: | 1.15+ck2 → 1.16 |
Changed in charm-openstack-integrator: | |
milestone: | 1.15+ck2 → 1.16 |
milestone: | 1.16 → none |
Changed in charm-kubernetes-master: | |
status: | Fix Committed → Fix Released |
From looking at the code, the edge charms set a flag in the cloud-provider config files that says that Octavia is used as the LBaaS. The logic is then different for Octavia vs non-Octavia LBaaS and skips the security group issue we are having ... or at least that's the theory, as I can't get them to work!
See: https://github.com/charmed-kubernetes/layer-kubernetes-common/blame/master/lib/charms/layer/kubernetes_common.py#L456
and how the logic in the openstack cloud provider is linked to this:
https://github.com/kubernetes/cloud-provider-openstack/blame/release-1.14/pkg/cloudprovider/providers/openstack/openstack_loadbalancer.go#L1441
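The flag in question lands in the provider's cloud config. A minimal sketch of the relevant stanza, assuming the standard OpenStack provider option names (exact defaults vary by release):

```
[LoadBalancer]
# Tell the provider Octavia is the LBaaS backend, so it takes the
# Octavia code path discussed above.
use-octavia = true
# manage-security-groups drives the security-group handling that
# triggers the failing PUT in this report.
manage-security-groups = false
```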