Bug 2028531 - Missing netFilter to the list of parameters when platform is OpenStack
Summary: Missing netFilter to the list of parameters when platform is OpenStack
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.10
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
: 4.10.0
Assignee: Emilien Macchi
QA Contact: Emilien Macchi
URL:
Whiteboard:
Depends On:
Blocks: 2029867
TreeView+ depends on / blocked
 
Reported: 2021-12-02 15:07 UTC by Emilien Macchi
Modified: 2022-03-10 16:31 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 2029867 (view as bug list)
Environment:
Last Closed: 2022-03-10 16:31:35 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github k8snetworkplumbingwg sriov-network-operator pull 210 0 None open validate: allow netFilter to be set alone in NicSelector 2021-12-02 15:44:20 UTC
Red Hat Product Errata RHSA-2022:0056 0 None None None 2022-03-10 16:31:55 UTC

Description Emilien Macchi 2021-12-02 15:07:06 UTC 
Description of problem:
When deploying OpenShift on OpenStack, we only need to provide the netFilter to the nicSelector in the SriovNetworkNodePolicy.

Until now, we were workarounding by disabling the webhook but this isn't clean as the webhook could really be helpful to us as well.


Version-Release number of selected component (if applicable):
4.10

How reproducible:
Create a policy like this:

apiVersion: sriovnetwork.openshift.io/v1
kind: SriovNetworkNodePolicy
metadata:
  name: sriov1
  namespace: openshift-sriov-network-operator
spec:
  deviceType: vfio-pci
  nicSelector:
    netFilter: openstack/NetworkID:OPENSTACK_SRIOV_NET_UUID
  nodeSelector:
    feature.node.kubernetes.io/network-sriov.capable: 'true'
  numVfs: 1
  priority: 99
  resourceName: sriov1


Actual results:
The webhook will fail with message "at least one of these parameters (vendor, deviceID, pfNames or rootDevices) has to be defined in nicSelector".

Expected results:
The webhook should accept netFilter to be enough when the platform is OpenStack.
Comment 5 Emilien Macchi 2022-01-21 21:12:12 UTC 
Verified it in our CI:
- Enable the SRIOV worker: https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/origin-ci-test/pr-logs/pull/openshift_release/25388/rehearse-25388-pull-ci-openshift-sriov-network-operator-release-4.10-e2e-openstack-nfv/1484603625756954624/artifacts/e2e-openstack-nfv/openstack-provision-sriov-worker/build-log.txt
- Enable the SriovNetworkNodePolicy with the webhook enabled: https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/origin-ci-test/pr-logs/pull/openshift_release/25388/rehearse-25388-pull-ci-openshift-sriov-network-operator-release-4.10-e2e-openstack-nfv/1484603625756954624/artifacts/e2e-openstack-nfv/openstack-provision-sriov-networknodepolicy/build-log.txt

Here we can see that the webhook is happy:
https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/origin-ci-test/pr-logs/pull/openshift_release/25388/rehearse-25388-pull-ci-openshift-sriov-network-operator-release-4.10-e2e-openstack-nfv/1484603625756954624/artifacts/e2e-openstack-nfv/gather-extra/artifacts/pods/openshift-sriov-network-operator_operator-webhook-6lqd2_webhook-server.log

I'll mark it as verified if you don't mind Ziv, to save you time.
Comment 6 Ziv Greenberg 2022-01-23 06:55:38 UTC 
Thank you Emilien for verifying this BZ!

Ziv
Comment 9 errata-xmlrpc 2022-03-10 16:31:35 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056
Note You need to log in before you can comment on or make changes to this bug.