Oracle Cloud Infrastructure Documentation

Troubleshooting OpenShift Container Platform on OCI

Use this section to identify and resolve common issues when deploying OpenShift clusters. on OCI.

Not Authorized to Provision Infrastructure

Condition: You receive "not authorized" error in the Resource Manager service when creating infrastructure resources using the Assisted Installer, or when manually creating resources using the Agent-based Installer.

Cause: You don't have the required IAM policies or permissions.

Remedy:

  1. For Assisted Installer, ensure that you have the policies discussed in Securing Resource Manager and Details for Resource Manager.
  2. For Agent-based Installer, ensure you have the permissions to create and manage the resources listed in the OCI Resources for the Agent-based Installer for Manual Installation topic.
  3. For both installation methods, review Managing Access to Resources.
  4. Contact your tenancy administrator if you don't administer IAM permissions.
SSH Failure for Cluster Node Access

Condition: You cannot establish an SSH connection with a cluster node.

Cause:
  • Several issues discussed in Troubleshooting the SSH Connection can prevent an SSH connection to your node.
  • An unresponsive node can also be because of problems during isntallation.
Remedy: Review the Troubleshooting the SSH Connection topic for detailed steps to diagnose and resolve the issues or you can also get the Console history for the instance and review it for potential causes.
"Insufficient" Error When Adding Node in OpenShift Console

Condition: Red Hat Hybrid Cloud console displays an "Insufficient" error message while adding nodes in OpenShift Console.

Cause: If the domain name generated during node creation isn't valid, the Red Hat Hybrid Cloud console displays an "Insufficient" error message, as shown in the following image:


An image of the OpenShift cluster details page in the Red Hat console.

Note

The error described in this section might occur while you're adding hosts to a cluster in the OpenShift Hybrid Cloud Console, as detailed in Add hosts to a cluster in the Red Hat Hybrid Cloud Console.

Remedy:

To resolve this error, do the following:

  1. Select the link named set the IP or domain used to reach the cluster. Then update the prefix of domain name to api-int from api. For example, if the string displayed is api.addnode1234multiad.my.company.com, edit the prefix section of the string as follows: api-int.addnode1234multiad.my.company.com.
  2. After you update the string, the Update button is enabled. Select the Update button to continue. The nodes' status changes to ready.
    An image of the Update cluster hostname dialog.


    An image of the Update cluster hostname dialog after the string has been edited.

Cluster Installation Fails Because of Missing Tags

Condition: The cluster fails to install or behaves unexpectedly after running the create-cluster stack.

Cause: The required tag stack (create-resource-attribution-tags) wasn't run before running the create-cluster stack.

Remedy: Before installing the cluster on OCI, download and run the create-resource-attribution-tags stack from the OpenShift on OCI Releases page on GitHub. This stack creates a tag namespace and associated defined-tags (openshift-tags and openshift-resource) that are essential for all subsequent stacks to function correctly. The create-resource-attribution-tags stack only needs to be run once. If the tag namespace and defined-tags are already created, you can directly proceed with cluster installation.
Tagging Controller Can't Apply or Restore Required OCI Tags

Condition: The required OCI instance tags are missing from the tenancy, and CCM logs show a 404 error that indicates the defined tag namespace or defined tag key wasn't found during the instance update.

Cause: The tagging controller runs in the background to apply the required OpenShift resource attribution tags, and the cluster can't complete installation if those tags are missing or inaccessible.

Remedy: Create the missing defined tag namespace and defined tag key in the OCI tenancy before the tagging controller runs again. At a minimum, ensure the required namespace and key for OpenShift tagging are present. Also, create any additional namespaces and keys expected by your CCM tag configuration, and verify the CCM has permission to use those tag namespaces. After that, allow reconciliation to run again and confirm that the tags appear on the instances.

For this case, two separate policies are needed:

  • Policy for the team or administrator creating the missing defined tags: If the namespace and key don't exist, someone must be able to create and manage tag namespaces in the tenancy. OCI tag namespaces are tenancy-level objects, and OCI doesn't create them on demand during an instance update. The admin-side policy is:
    Allow group <tag-admin-group> to manage tag-namespaces in tenancy
  • Policy for the CCM principal to apply those tags to instances To apply, update, or remove defined tags on a resource, OCI requires use access on the tag namespace. For the CCM dynamic group or instance principal, the key statement is:
    Allow dynamic-group <ccm-dynamic-group> to use tag-namespaces in tenancy
    To scope access to only the namespace used by CCM, OCI supports restricting the policy with a where clause. Because the controller updates compute instances, the CCM principal also needs permission to manage instances in the target compartment. The policy is defined as:
    Allow dynamic-group <ccm-dynamic-group> to manage instance-family in compartment <cluster-compartment>
    Recommended minimum set:
    Allow group <tag-admin-group> to manage tag-namespaces in tenancy

Allow dynamic-group <ccm-dynamic-group> to use tag-namespaces in tenancy

Allow dynamic-group <ccm-dynamic-group> to manage instance-family in compartment <cluster-compartment>