Bug 1968567

Summary: [OVN] Egress router pod not running and openshift.io/scc is restricted
Product: OpenShift Container Platform
Reporter: Weibin Liang <weliang>
Component: Networking
Assignee: Mohamed Mahmoud <mmahmoud>
Networking sub component: ovn-kubernetes
QA Contact: Weibin Liang <weliang>
Status: CLOSED ERRATA
Severity: high
Priority: unspecified
CC: bbennett, mmahmoud
Version: 4.8
Target Release: 4.8.0
Hardware: Unspecified
OS: Unspecified
Doc Type: No Doc Update
Last Closed: 2021-07-27 23:11:53 UTC
Type: Bug
Attachments:
- CRD generated POD (flags: none)
- manual created yaml (flags: none)

Description Weibin Liang 2021-06-07 14:58:19 UTC
Description of problem:

Using the EgressRouter CR [1] to create an EgressRouter pod, the pod is created but is not in Running state, and openshift.io/scc: restricted is found when running "oc get pod egress-router-cni-deployment-f8c4998d9-jppkn -o yaml"

Before v4.8, we needed to create the NAD and EgressRouter separately; after the EgressRouter is Running, openshift.io/scc: privileged is shown when running "oc get pod egress-router-pod -o yaml"

Not sure whether the setting for openshift.io/scc will cause the EgressRouter pod to fail.

Version-Release number of selected component (if applicable):
4.8.0-0.nightly-2021-06-03-221810

How reproducible:
Always

Steps to Reproduce:
1. oc create -f https://raw.githubusercontent.com/weliang1/Openshift_Networking/master/Features/EgressRouter/test2.yaml
2. oc get all
3. oc get pod egress-router-cni-deployment-f8c4998d9-jppkn -o yaml

Actual results:
egress-router-cni-deployment-f8c4998d9-jppkn can not be Running

Expected results:
egress-router-cni-deployment-f8c4998d9-jppkn should be in Running state

Additional info:
[1] https://github.com/openshift/egress-router-cni/blob/d9d715819fda56a83b0c52f5ff59741786b3bc63/docs/content/post/cno_controller.md

Comment 1 Mohamed Mahmoud 2021-06-08 13:20:07 UTC
Created attachment 1789379 [details]
CRD generated POD

Comment 2 Mohamed Mahmoud 2021-06-08 13:20:54 UTC
Created attachment 1789380 [details]
manual created yaml

Comment 5 Weibin Liang 2021-06-09 23:38:33 UTC
Tested and verified in 4.8.0-0.nightly-2021-06-09-095212

[weliang@weliang Config]$ oc get all
NAME                                READY   STATUS    RESTARTS   AGE
pod/ovn-egressrouter-redirect-pod   1/1     Running   0          4m48s
pod/test-pod-6686bd4977-4trt5       1/1     Running   0          4m29s
pod/test-pod-6686bd4977-5f4f9       1/1     Running   0          4m29s
pod/test-pod-6686bd4977-5wm2j       1/1     Running   0          4m29s
pod/test-pod-6686bd4977-l2p5q       1/1     Running   0          4m29s
pod/test-pod-6686bd4977-xx4gh       1/1     Running   0          4m29s
pod/test-pod-6686bd4977-zxn4f       1/1     Running   0          4m29s

NAME                                    TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE
service/ovn-egressrouter-redirect-svc   ClusterIP   172.30.222.10   <none>        80/TCP    4m35s

NAME                       READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/test-pod   6/6     6            6           4m30s

NAME                                  DESIRED   CURRENT   READY   AGE
replicaset.apps/test-pod-6686bd4977   6         6         6       4m30s
[weliang@weliang Config]$

Comment 8 errata-xmlrpc 2021-07-27 23:11:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438