NotAuthorizedOrNotFound in NLB Kubernetes Ingress Controller #408

Open
passarela opened this issue Dec 7, 2022 · 1 comment
passarela commented Dec 7, 2022

Is this a BUG REPORT or FEATURE REQUEST?

BUG REPORT

Versions

CCM Version: v1.24.0

What happened?

When using "loadBalancerIP" in the Nginx Ingress Controller manifest, the LoadBalancer returns a failure.

What you expected to happen?

When specifying a reserved IP in "loadBalancerIP" in the manifest, the load balancer must be created with the specified IP.

How to reproduce it (as minimally and precisely as possible)?

  1. Create an Oracle Cloud Reserved IP

  2. Insert LoadBalancerIP into the manifest:
    kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.1/deploy/static/provider/cloud/deploy.yaml

```yaml
apiVersion: v1
kind: Service
metadata:
  annotations:
    oci.oraclecloud.com/load-balancer-type: "nlb"
    service.beta.kubernetes.io/oci-load-balancer-shape: "flexible"
    service.beta.kubernetes.io/oci-load-balancer-shape-flex-min: "10"
    service.beta.kubernetes.io/oci-load-balancer-shape-flex-max: "100"
    oci-network-load-balancer.oraclecloud.com/is-preserve-source: "true"
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.5.1
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  externalTrafficPolicy: Local
  ipFamilies:
  - IPv4
  ipFamilyPolicy: SingleStack
  ports:
  - appProtocol: http
    name: http
    port: 80
    protocol: TCP
    targetPort: http
  - appProtocol: https
    name: https
    port: 443
    protocol: TCP
    targetPort: https
  selector:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
  loadBalancerIP: MY-IP-RESERVED
  type: LoadBalancer
```

  3. It should return the error in NLB:
    (404, NotAuthorizedOrNotFound, false) Authorization failed or requested resource not found.

Anything else we need to know?

I'm creating it according to the documentation:
https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengcreatingloadbalancer.htm#contengcreatingloadbalancer_topic_Specifying_Load_Balancer_Reservado_IP

I have full permission on my tenancy.
The Reserved IP is on the same IP as the Cluster...
If I don't specify LoadBalancerIP, the LB is successfully created!

AkarshES (Contributor) commented Jan 3, 2023

It depends on how you have configured the IAM permissions for CCM. CCM should have permission to use the reserved IP.
A policy like the one below might be needed for this to work. Note this example assumes you add all instances which can run CCM into a dynamic group and use instance principal based auth for CCM.

```
ALLOW dynamic-group ccm-dynamic-group to use private-ips in TENANCY
ALLOW dynamic-group ccm-dynamic-group to manage public-ips in TENANCY
```
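
One way to check a set of policy statements for the two grants named in the comment above, added here as an example (it is not code from the thread or from the CCM project). The function names and the sample statements are constructed for illustration, and `where` conditions are accepted but not evaluated.

```python
import re

# OCI policy verbs are cumulative: each one includes the ones before it.
VERBS = ["inspect", "read", "use", "manage"]
# Grants named in the comment above: resource type -> minimum verb.
REQUIRED = {"private-ips": "use", "public-ips": "manage"}
# Aggregate resource types treated here as covering both IP resource types.
AGGREGATES = {"virtual-network-family", "all-resources"}

STATEMENT = re.compile(
    r"^\s*allow\s+dynamic-group\s+(?P<group>\S+)\s+to\s+(?P<verb>\w+)\s+"
    r"(?P<resource>[\w-]+)\s+in\s+(?P<scope>tenancy|compartment\s+\S+)"
    r"(?P<where>\s+where\s+.+)?\s*$",
    re.IGNORECASE,
)

def check_ccm_policy(statements, group):
    """Map each required resource type to the scopes where it is granted."""
    granted = {res: [] for res in REQUIRED}
    for line in statements:
        m = STATEMENT.match(line)
        if not m or m["group"].lower() != group.lower():
            continue  # unparsable statement or a different dynamic group
        verb, resource = m["verb"].lower(), m["resource"].lower()
        if verb not in VERBS:
            continue
        scope = " ".join(m["scope"].split())
        if scope.lower() == "tenancy":
            scope = "tenancy"
        for res, needed in REQUIRED.items():
            covers = resource == res or resource in AGGREGATES
            if covers and VERBS.index(verb) >= VERBS.index(needed):
                granted[res].append(scope)
    return granted

def missing_grants(granted):
    """List the required grants that no statement provides."""
    return [f"{REQUIRED[r]} {r}" for r, scopes in granted.items() if not scopes]

# Constructed sample: 'read' is below 'manage', and the last line is another group.
SAMPLE = [
    "ALLOW dynamic-group ccm-dynamic-group to use private-ips in TENANCY",
    "Allow dynamic-group ccm-dynamic-group to read public-ips in compartment network",
    "Allow dynamic-group other-group to manage public-ips in tenancy",
]

if __name__ == "__main__":
    result = check_ccm_policy(SAMPLE, "ccm-dynamic-group")
    print(result, "missing:", missing_grants(result))
```

The returned scopes also show where a grant is tenancy-wide, which is useful when narrowing the policy to the compartment that holds the reserved IP.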
