Bug 1769435 - [Multus] multus-admission-controller is being too strict about requiring the "type" field
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.3.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: 4.3.0
Assignee: Douglas Smith
QA Contact: Weibin Liang
Reported: 2019-11-06 15:58 UTC by Weibin Liang
Modified: 2020-01-23 11:11 UTC (History)
Last Closed: 2020-01-23 11:11:16 UTC

Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2020:0062 | 0 | None | None | None | 2020-01-23 11:11:31 UTC

Description Weibin Liang 2019-11-06 15:58:32 UTC
Description of problem:
Creating a net-attach-def using the capability flag failed because multus-admission-controller is being too strict about requiring the "type" field

Version-Release number of selected component (if applicable):
4.3.0-0.nightly-2019-11-02-092336

How reproducible:
Always

Steps to Reproduce:
[root@dhcp-41-193 FILE]# oc get nodes
NAME                                        STATUS   ROLES    AGE   VERSION
ip-10-0-48-239.us-east-2.compute.internal   Ready    master   30m   v1.16.2
ip-10-0-49-55.us-east-2.compute.internal    Ready    worker   22m   v1.16.2
ip-10-0-60-171.us-east-2.compute.internal   Ready    master   30m   v1.16.2
ip-10-0-67-232.us-east-2.compute.internal   Ready    master   30m   v1.16.2
ip-10-0-69-32.us-east-2.compute.internal    Ready    worker   21m   v1.16.2
[root@dhcp-41-193 FILE]# oc new-project test
Now using project "test" on server "https://api.weliang-aws2.qe.devcluster.openshift.com:6443".

You can add applications to this project with the 'new-app' command. For example, try:

    oc new-app django-psql-example

to build a new example application in Python. Or use kubectl to deploy a simple Kubernetes application:

    kubectl create deployment hello-node --image=gcr.io/hello-minikube-zero-install/hello-node

[root@dhcp-41-193 FILE]# oc create -f https://raw.githubusercontent.com/weliang1/Openshift_Networking/master/Features/multus/runtimeconfig-def-ipandmac.yaml
Error from server: error when creating "https://raw.githubusercontent.com/weliang1/Openshift_Networking/master/Features/multus/runtimeconfig-def-ipandmac.yaml": admission webhook "multus-validating-config.k8s.io" denied the request: invalid config: error parsing configuration: missing 'type'
[root@dhcp-41-193 FILE]#

Actual results:
admission webhook "multus-validating-config.k8s.io" denied the request: invalid config: error parsing configuration: missing 'type'

Expected results:
Creating net-attach-def using capability flag should pass

Additional info:

Comment 1 Tomofumi Hayashi 2019-11-07 04:10:19 UTC
Reproduced the issue in upstream.

----
I1107 04:00:11.552960       1 webhook.go:69] validating network config spec: { "cniVersion": "0.3.1", "plugins": [{ "type": "macvlan", "capabilities": { "ips": true }, "master": "ens5", "mode": "bridge", "ipam": { "type": "static" } }, { "type": "tuning", "capabilities": { "mac": true } }] }
I1107 04:00:11.552997       1 webhook.go:80] spec is not a valid network config list: error parsing configuration list: no name - trying to parse into standalone config
I1107 04:00:11.553038       1 webhook.go:83] spec is not a valid network config: { "cniVersion": "0.3.1", "plugins": [{ "type": "macvlan", "capabilities": { "ips": true }, "master": "ens5", "mode": "bridge", "ipam": { "type": "static" } }, { "type": "tuning", "capabilities": { "mac": true } }] }
I1107 04:00:32.288995       1 webhook.go:69] validating network config spec: { "cniVersion": "0.3.1", "plugins": [{ "type": "macvlan", "capabilities": { "ips": true }, "master": "ens5", "mode": "bridge", "ipam": { "type": "static" } }, { "type": "tuning", "capabilities": { "mac": true } }] }
I1107 04:00:32.289047       1 webhook.go:80] spec is not a valid network config list: error parsing configuration list: no name - trying to parse into standalone config
I1107 04:00:32.289067       1 webhook.go:83] spec is not a valid network config: { "cniVersion": "0.3.1", "plugins": [{ "type": "macvlan", "capabilities": { "ips": true }, "master": "ens5", "mode": "bridge", "ipam": { "type": "static" } }, { "type": "tuning", "capabilities": { "mac": true } }] }
----

From the above messages, the admission controller tries to parse it as a conflist but fails due to the missing 'name' field.
With '"name": "foobar",' added, the admission controller parses it successfully. This can be a workaround.

----
apiVersion: "k8s.cni.cncf.io/v1"
kind: NetworkAttachmentDefinition
metadata:
  name: runtimeconfig-def
spec:
  config: '{
      "cniVersion": "0.3.1",
      "name": "foobar",
      "plugins": [{
          "type": "macvlan",
          "capabilities": { "ips": true },
          "master": "ens5",
          "mode": "bridge",
          "ipam": {
            "type": "static"
          }
        }, {
              "type": "tuning",
              "capabilities": { "mac": true }
        }]
    }'
----

So it needs to be fixed as follows:
 - add a syntax check for name in conflist
 - revisit the condition for falling back from conflist to config

Working on fix...
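
Why the nameless list in Comment 1 is rejected with "missing 'type'", as an added Go sketch that is not part of the comment and not the admission controller's code: all type and function names are hypothetical and only the standard library is used (no libcni). It reproduces the logged fallback and contrasts it with choosing the parser from the shape of the document, so the reported error names the real cause; it does not decide whether a nameless list should be accepted.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Added sketch, hypothetical names. Nameless is the spec from the webhook log.
const Nameless = `{"cniVersion":"0.3.1","plugins":[{"type":"macvlan","capabilities":{"ips":true},"master":"ens5","mode":"bridge","ipam":{"type":"static"}},{"type":"tuning","capabilities":{"mac":true}}]}`

type netConf struct {
	Name, Type string
	Plugins    []struct{ Type string }
}

// checkList validates the list form: a name, and a type on every plugin.
func checkList(c netConf) error {
	if c.Name == "" {
		return fmt.Errorf("error parsing configuration list: no name")
	}
	for i, p := range c.Plugins {
		if p.Type == "" {
			return fmt.Errorf("error parsing configuration list: plugin %d: missing 'type'", i)
		}
	}
	return nil
}

// Validate: with fallback, a failed list is retried as a standalone config
// (the logged behaviour); without it, a non-empty "plugins" array decides.
func Validate(spec string, fallback bool) error {
	var c netConf
	if err := json.Unmarshal([]byte(spec), &c); err != nil {
		return fmt.Errorf("invalid JSON: %w", err)
	}
	if len(c.Plugins) > 0 {
		if err := checkList(c); err == nil || !fallback {
			return err
		}
	}
	if c.Type == "" { // standalone form: a top-level type is mandatory
		return fmt.Errorf("error parsing configuration: missing 'type'")
	}
	return nil
}

func main() {
	fmt.Println(Validate(Nameless, true), "|", Validate(Nameless, false))
}
```

With the fallback the user sees the standalone parser's complaint although every plugin carries a type; without it the list parser's "no name" error is returned unchanged.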

Comment 4 Weibin Liang 2019-11-18 14:22:35 UTC
Tested and verified on 4.3.0-0.nightly-2019-11-18-062034

Comment 6 errata-xmlrpc 2020-01-23 11:11:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0062

