Bug 2028531

Summary: Missing netFilter to the list of parameters when platform is OpenStack
Product: OpenShift Container Platform Reporter: Emilien Macchi <emacchi>
Component: NetworkingAssignee: Emilien Macchi <emacchi>
Networking sub component: SR-IOV QA Contact: Emilien Macchi <emacchi>
Status: CLOSED ERRATA Docs Contact:
Severity: medium    
Priority: medium CC: zgreenbe, zshi
Version: 4.10   
Target Milestone: ---   
Target Release: 4.10.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 2029867 (view as bug list) Environment:
Last Closed: 2022-03-10 16:31:35 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2029867    

Description Emilien Macchi 2021-12-02 15:07:06 UTC 
Description of problem:
When deploying OpenShift on OpenStack, we only need to provide the netFilter to the nicSelector in the SriovNetworkNodePolicy.

Until now, we were workarounding by disabling the webhook but this isn't clean as the webhook could really be helpful to us as well.


Version-Release number of selected component (if applicable):
4.10

How reproducible:
Create a policy like this:

apiVersion: sriovnetwork.openshift.io/v1
kind: SriovNetworkNodePolicy
metadata:
  name: sriov1
  namespace: openshift-sriov-network-operator
spec:
  deviceType: vfio-pci
  nicSelector:
    netFilter: openstack/NetworkID:OPENSTACK_SRIOV_NET_UUID
  nodeSelector:
    feature.node.kubernetes.io/network-sriov.capable: 'true'
  numVfs: 1
  priority: 99
  resourceName: sriov1


Actual results:
The webhook will fail with message "at least one of these parameters (vendor, deviceID, pfNames or rootDevices) has to be defined in nicSelector".

Expected results:
The webhook should accept netFilter to be enough when the platform is OpenStack.
Comment 5 Emilien Macchi 2022-01-21 21:12:12 UTC 
Verified it in our CI:
- Enable the SRIOV worker: https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/origin-ci-test/pr-logs/pull/openshift_release/25388/rehearse-25388-pull-ci-openshift-sriov-network-operator-release-4.10-e2e-openstack-nfv/1484603625756954624/artifacts/e2e-openstack-nfv/openstack-provision-sriov-worker/build-log.txt
- Enable the SriovNetworkNodePolicy with the webhook enabled: https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/origin-ci-test/pr-logs/pull/openshift_release/25388/rehearse-25388-pull-ci-openshift-sriov-network-operator-release-4.10-e2e-openstack-nfv/1484603625756954624/artifacts/e2e-openstack-nfv/openstack-provision-sriov-networknodepolicy/build-log.txt

Here we can see that the webhook is happy:
https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/origin-ci-test/pr-logs/pull/openshift_release/25388/rehearse-25388-pull-ci-openshift-sriov-network-operator-release-4.10-e2e-openstack-nfv/1484603625756954624/artifacts/e2e-openstack-nfv/gather-extra/artifacts/pods/openshift-sriov-network-operator_operator-webhook-6lqd2_webhook-server.log

I'll mark it as verified if you don't mind Ziv, to save you time.
Comment 6 Ziv Greenberg 2022-01-23 06:55:38 UTC 
Thank you Emilien for verifying this BZ!

Ziv
Comment 9 errata-xmlrpc 2022-03-10 16:31:35 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056