
NotAuthorizedOrNotFound in NLB Kubernetes Ingress Controller

Open passarela opened this issue 3 years ago • 1 comment

Is this a BUG REPORT or FEATURE REQUEST?

BUG REPORT

Versions

CCM Version: v1.24.0

What happened?

When using "loadBalancerIP" in the Nginx Ingress Controller manifest, the LoadBalancer returns a failure.

What you expected to happen?

When specifying a reserved IP in "loadBalancerIP" in the manifest, the load balancer must be created with the specified IP.

How to reproduce it (as minimally and precisely as possible)?

  1. Create an Oracle Cloud Reserved IP

  2. Insert LoadBalancerIP into the manifest: kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.1/deploy/static/provider/cloud/deploy.yaml

apiVersion: v1
kind: Service
metadata:
  annotations:
    oci.oraclecloud.com/load-balancer-type: "nlb"
    service.beta.kubernetes.io/oci-load-balancer-shape: "flexible"
    service.beta.kubernetes.io/oci-load-balancer-shape-flex-min: "10"
    service.beta.kubernetes.io/oci-load-balancer-shape-flex-max: "100"
    oci-network-load-balancer.oraclecloud.com/is-preserve-source: "true"
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.5.1
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  externalTrafficPolicy: Local
  ipFamilies:
  - IPv4
  ipFamilyPolicy: SingleStack
  ports:
  - appProtocol: http
    name: http
    port: 80
    protocol: TCP
    targetPort: http
  - appProtocol: https
    name: https
    port: 443
    protocol: TCP
    targetPort: https
  selector:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
  loadBalancerIP: MY-IP-RESERVED
  type: LoadBalancer

  3. It should return the error in NLB: (404, NotAuthorizedOrNotFound, false) Authorization failed or requested resource not found.

Anything else we need to know?

I'm creating it according to the documents: https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengcreatingloadbalancer.htm#contengcreatingloadbalancer_topic_Specifying_Load_Balancer_Reservado_IP

I have full permission on my tenancy. The Reserved IP is on the same IP as the Cluster... If I don't specify LoadBalancerIP, the LB is successfully created!

passarela avatar Dec 07 '22 13:12 passarela

It depends on how you have configured the IAM permissions for CCM. CCM should have permission to use the reserved IP. A policy like the one below might be needed for this to work. Note this example assumes you add all instances which can run CCM into a dynamic group and use instance principal based auth for CCM.

ALLOW dynamic-group ccm-dynamic-group to use private-ips in TENANCY
ALLOW dynamic-group ccm-dynamic-group to manage public-ips in TENANCY

AkarshES avatar Jan 03 '23 04:01 AkarshES
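As an added example (not part of this issue thread or of the oci-cloud-controller-manager project), here is a small offline preflight check that parses OCI policy statements in the form shown in the reply above and reports which of the two grants the CCM dynamic group is still missing. It generalizes slightly beyond the two literal statements: it applies the OCI IAM verb hierarchy (inspect < read < use < manage) so that a broader verb satisfies a narrower requirement, accepts `virtual-network-family` as covering both IP resource types, and matches compartment-scoped statements only when the caller names the compartment. The dynamic-group name `ccm-dynamic-group`, the compartment name `k8s` and the sample policy texts are constructed for illustration; the conservative decision to ignore statements that carry a `where` condition is a design choice of this example, not a statement about how OCI evaluates them.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# OCI IAM verb hierarchy: each verb includes everything the verbs before it grant.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# Aggregate resource types that cover the individual IP resource types
# (virtual-network-family includes private-ips and public-ips).
FAMILY_COVERS = {"virtual-network-family": {"private-ips", "public-ips"}}

# What CCM needs in order to attach a reserved public IP to an NLB, per the reply above.
REQUIRED = [("use", "private-ips"), ("manage", "public-ips")]

# Matches: ALLOW dynamic-group NAME to VERB RESOURCE in TENANCY|compartment NAME [where ...]
STATEMENT_RE = re.compile(
    r"^\s*allow\s+(?P<subject_type>dynamic-group|group|any-user|service)\s*"
    r"(?P<subject>[\w.\-]+)?\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>[\w\-]+)\s+in\s+(?P<scope>tenancy|compartment\s+(?:id\s+)?[\w.\-:]+)"
    r"(?:\s+where\s+(?P<condition>.+?))?\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Statement:
    subject_type: str
    subject: Optional[str]
    verb: str
    resource: str
    scope: str          # "tenancy" or "compartment <name>"
    condition: Optional[str]


def parse_statement(text: str) -> Optional[Statement]:
    """Parse one policy statement; returns None for blank/unrecognised lines."""
    m = STATEMENT_RE.match(text)
    if not m:
        return None
    return Statement(
        subject_type=m["subject_type"].lower(),
        subject=m["subject"],
        verb=m["verb"].lower(),
        resource=m["resource"].lower(),
        scope=re.sub(r"\s+", " ", m["scope"].lower()),
        condition=m["condition"],
    )


def grants(stmt: Statement, dynamic_group: str, verb: str, resource: str,
           compartment: Optional[str]) -> bool:
    """True if `stmt` gives `dynamic_group` at least `verb` on `resource` in scope."""
    if stmt.subject_type != "dynamic-group" or stmt.subject != dynamic_group:
        return False
    if stmt.condition is not None:
        # Conservative choice for this example: a conditional grant is not
        # counted, because whether it applies depends on the request context.
        return False
    if VERB_RANK[stmt.verb] < VERB_RANK[verb]:
        return False
    in_scope = stmt.scope == "tenancy" or (
        compartment is not None and stmt.scope == f"compartment {compartment.lower()}"
    )
    if not in_scope:
        return False
    return resource in FAMILY_COVERS.get(stmt.resource, {stmt.resource})


def missing_permissions(policy_text: str, dynamic_group: str,
                        compartment: Optional[str] = None) -> List[str]:
    """Return the REQUIRED grants (as 'verb resource') not covered by policy_text."""
    statements = [s for s in map(parse_statement, policy_text.splitlines()) if s]
    return [
        f"{verb} {resource}"
        for verb, resource in REQUIRED
        if not any(grants(s, dynamic_group, verb, resource, compartment) for s in statements)
    ]


# Constructed sample policies (not taken from any real tenancy).
POLICY_FROM_REPLY = """
ALLOW dynamic-group ccm-dynamic-group to use private-ips in TENANCY
ALLOW dynamic-group ccm-dynamic-group to manage public-ips in TENANCY
"""
POLICY_TOO_WEAK = """
ALLOW dynamic-group ccm-dynamic-group to use private-ips in TENANCY
ALLOW dynamic-group ccm-dynamic-group to read public-ips in TENANCY
"""
POLICY_FAMILY_IN_COMPARTMENT = (
    "Allow dynamic-group ccm-dynamic-group to manage virtual-network-family in compartment k8s"
)

if __name__ == "__main__":
    for name, text, comp in [("reply", POLICY_FROM_REPLY, None),
                             ("too weak", POLICY_TOO_WEAK, None),
                             ("family/compartment", POLICY_FAMILY_IN_COMPARTMENT, "k8s")]:
        print(name, "missing:", missing_permissions(text, "ccm-dynamic-group", comp) or "nothing")
```

Run it before reapplying the Service manifest: an empty result for the dynamic group that the CCM nodes belong to means the two statements from the reply (or a broader equivalent) are in place, while a non-empty list names exactly which grant to add. Because the check only reads policy text, it says nothing about whether the reserved IP actually sits in a compartment the policy covers; that still has to be confirmed against the tenancy.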