@jhixson74

Let users know what to do when they get an overlapping subnet error.

https://issues.redhat.com/browse/OCPBUGS-61167

@openshift-ci-robot openshift-ci-robot added jira/severity-critical Referenced Jira bug's severity is critical for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Oct 28, 2025
@openshift-ci-robot

@jhixson74: This pull request references Jira Issue OCPBUGS-61167, which is invalid:

  • expected the bug to target the "4.21.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

@openshift-ci openshift-ci bot requested review from bfournie and rna-afk October 28, 2025 23:43
@rna-afk

rna-afk commented Oct 29, 2025

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Oct 29, 2025
@tthvo

tthvo commented Nov 4, 2025

/jira refresh

@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Nov 4, 2025
@openshift-ci-robot

@tthvo: This pull request references Jira Issue OCPBUGS-61167, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.21.0) matches configured target version for branch (4.21.0)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @gpei

@openshift-ci openshift-ci bot requested a review from gpei November 4, 2025 20:59
@tthvo tthvo left a comment

Looks good to me! I just have a small suggestion above.

The unit test is quite strict in terms of expected output, so we would need to fix it to expect the new error message: ci/prow/unit.

// Join subnet
if ovnsubnet, configured := getOVNSubnet(joinSubnet); !configured && validate.DoCIDRsOverlap(network, ovnsubnet) {
allErrs = append(allErrs, field.Invalid(fldPath, network.String(), fmt.Sprintf("must not overlap with OVNKubernetes default internal subnet %s", ovnsubnet.String())))
allErrs = append(allErrs, field.Invalid(fldPath, network.String(), fmt.Sprintf("must not overlap with OVNKubernetes default internal subnet %s: please run 'openshift-install explain installconfig.networking.ovnKubernetesConfig.ipv4' for further documentation", ovnsubnet.String())))
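Review bot: the hint appended on the new `field.Invalid` line hard-codes the `installconfig.networking.ovnKubernetesConfig.ipv4` explain path, but nothing in this condition looks at the address family of `network`, so the same IPv4 pointer is attached whatever family `ovnsubnet` belongs to. Either gate the hint on the family or point it at the parent `installconfig.networking.ovnKubernetesConfig` path. The hint is also joined to the constraint with ": ", which reads as one more wrapped cause once the installer prints its colon-separated error chain; ending the constraint with a period before the remediation would keep the two apart.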
I think this code checks for both ipv4 and ipv6:

if network.IP.To4() != nil {
    subnetsCheck(validate.OVNIPv4JoinSubnet, validate.OVNIPv4TransitSubnet, validate.OVNIPv4MasqueradeSubnet)
} else {
    subnetsCheck(validate.OVNIPv6JoinSubnet, validate.OVNIPv6TransitSubnet, validate.OVNIPv6MasqueradeSubnet)
}

As of now, we only have overrides for ipv4. To be future-proof, maybe we can use the message:

Suggested change
allErrs = append(allErrs, field.Invalid(fldPath, network.String(), fmt.Sprintf("must not overlap with OVNKubernetes default internal subnet %s: please run 'openshift-install explain installconfig.networking.ovnKubernetesConfig.ipv4' for further documentation", ovnsubnet.String())))
allErrs = append(allErrs, field.Invalid(fldPath, network.String(), fmt.Sprintf("must not overlap with OVNKubernetes default internal subnet %s. To override the OVNKubernetes defaults, configure the field 'networking.ovnKubernetesConfig'", ovnsubnet.String())))
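Review bot: the replacement message in this suggestion drops the runnable `openshift-install explain` command and names the field as 'networking.ovnKubernetesConfig', without the `installconfig.` prefix that the explain path uses, so the user is left to work out how to look the field up. Keeping the command but pointing it at the parent path, `openshift-install explain installconfig.networking.ovnKubernetesConfig`, stays family-neutral and still gives a copy-paste next step.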

@patrickdillon

/approve

Unit tests need to be fixed.

@openshift-ci

openshift-ci bot commented Nov 10, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: patrickdillon

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 10, 2025
@gpei

gpei commented Nov 11, 2025

With this PR, when machine network overlaps with the default OVN-Kubernetes internal subnet, the error message directs users to the proper documentation

# ./openshift-install create manifests --dir 1111/
ERROR failed to fetch Master Machines: failed to load asset "Install Config": failed to create install config: invalid "install-config.yaml" file: networking.machineNetwork[0]: Invalid value: "100.64.50.0/24": must not overlap with OVNKubernetes default internal subnet 100.64.0.0/16: please run 'openshift-install explain installconfig.networking.ovnKubernetesConfig.ipv4' for further documentation 

And the corresponding installer documentation explains the usage of internalJoinSubnet

# ./openshift-install explain installconfig.networking.ovnKubernetesConfig.ipv4
KIND:     InstallConfig
VERSION:  v1

RESOURCE: <object>
  ipv4 allows users to configure IP settings for IPv4 connections. When omitted,
this means no opinions and the default configuration is used. Check individual
fields within ipv4 for details of default values.

FIELDS:
    internalJoinSubnet <string>
      internalJoinSubnet is a v4 subnet used internally by ovn-kubernetes in case the
default one is being already used by something else. It must not overlap with
any other subnet being used by OpenShift or by the node network. The size of the
subnet must be larger than the number of nodes. The value cannot be changed
after installation.
The current default value is 100.64.0.0/16
The subnet must be large enough to accommodate one IP per node in your cluster
The value must be in proper IPV4 CIDR format

/verified by @gpei

@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Nov 11, 2025
@openshift-ci-robot

@gpei: This PR has been marked as verified by @gpei.

@openshift-ci-robot

/retest-required

Remaining retests: 0 against base HEAD c999161 and 2 for PR HEAD 0b89eb0 in total

@openshift-ci-robot

/retest-required

Remaining retests: 0 against base HEAD 8ecd944 and 1 for PR HEAD 0b89eb0 in total

@openshift-ci-robot openshift-ci-robot removed the verified Signifies that the PR passed pre-merge verification criteria label Nov 12, 2025
@openshift-ci openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Nov 12, 2025
@tthvo tthvo left a comment

/lgtm

Looks good to me 👍

Just a heads up: there's currently no support for overriding IPv6 default subnets (the networking.ovnKubernetesConfig.ipv6 field isn't implemented yet). Not sure if users will find this surprising, but it is OK for me.

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Nov 12, 2025
@openshift-ci

openshift-ci bot commented Nov 12, 2025

@jhixson74: all tests passed!

@gpei

gpei commented Nov 12, 2025

Test again with the latest change.

  1. Installer will fail with error message that includes helpful guidance when machineNetwork/clusterNetwork overlaps with OVN-Kubernetes default internal subnet
networking:
  clusterNetwork:
  - cidr: 10.128.0.0/14
    hostPrefix: 23
  machineNetwork:
  - cidr: 100.64.40.0/24
  networkType: OVNKubernetes
  serviceNetwork:
  - 172.30.0.0/16

# ./openshift-install create manifests --dir 1112
ERROR failed to fetch Master Machines: failed to load asset "Install Config": failed to create install config: invalid "install-config.yaml" file: networking.machineNetwork[0]: Invalid value: "100.64.40.0/24": must not overlap with OVNKubernetes default internal subnet 100.64.0.0/16: please run 'openshift-install explain installconfig.networking.ovnKubernetesConfig.ipv4' for further documentation
networking:
  clusterNetwork:
  - cidr: 100.64.0.0/16
    hostPrefix: 23
  machineNetwork:
  - cidr: 192.168.1.0/24
  networkType: OVNKubernetes
  serviceNetwork:
  - 172.30.0.0/16

./openshift-install create manifests --dir 1112
ERROR failed to fetch Master Machines: failed to load asset "Install Config": failed to create install config: invalid "install-config.yaml" file: networking.clusterNetwork[0].cidr: Invalid value: "100.64.0.0/16": must not overlap with OVNKubernetes default internal subnet 100.64.0.0/16: please run 'openshift-install explain installconfig.networking.ovnKubernetesConfig.ipv4' for further documentation 
  2. The suggested openshift-install explain command provides useful information
# ./openshift-install explain installconfig.networking.ovnKubernetesConfig.ipv4
KIND:     InstallConfig
VERSION:  v1

RESOURCE: <object>
  ipv4 allows users to configure IP settings for IPv4 connections. When omitted,
this means no opinions and the default configuration is used. Check individual
fields within ipv4 for details of default values.

FIELDS:
    internalJoinSubnet <string>
      internalJoinSubnet is a v4 subnet used internally by ovn-kubernetes in case the
default one is being already used by something else. It must not overlap with
any other subnet being used by OpenShift or by the node network. The size of the
subnet must be larger than the number of nodes. The value cannot be changed
after installation.
The current default value is 100.64.0.0/16
The subnet must be large enough to accommodate one IP per node in your cluster
The value must be in proper IPV4 CIDR format
  3. Users can successfully resolve the overlap by configuring custom OVN subnets as documented
   networking:
     clusterNetwork:
     - cidr: 162.21.0.0/16
       hostPrefix: 23
     machineNetwork:
     - cidr: 100.64.40.0/24
     networkType: OVNKubernetes
     serviceNetwork:
     - 168.30.0.0/16
     ovnKubernetesConfig:
       ipv4:
         internalJoinSubnet: 100.88.0.0/16         

# ./openshift-install create manifests --dir 1112
...

# cat 1112/manifests/cluster-network-03-config.yml
apiVersion: operator.openshift.io/v1
kind: Network
metadata:
  creationTimestamp: null
  name: cluster
spec:
  clusterNetwork:
  - cidr: 162.21.0.0/16
    hostPrefix: 23
  defaultNetwork:
    ovnKubernetesConfig:
      egressIPConfig: {}
      ipv4:
        internalJoinSubnet: 100.88.0.0/16
    type: OVNKubernetes
  disableNetworkDiagnostics: false
  managementState: Managed
  observedConfig: null
  serviceNetwork:
  - 172.30.0.0/16
  unsupportedConfigOverrides: null
status:
  readyReplicas: 0

/verified by @gpei
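
The overlap rule exercised by the three test cases in the comment above, as an added Go example (not the installer's code and not part of the comment). The `Networks` type and `CheckJoinSubnet` function are hypothetical; the default comes from the explain output in this thread, and checking `serviceNetwork` and a configured override against the join subnet goes beyond what the thread shows.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Default taken from the `openshift-install explain` output quoted in this thread.
const defaultJoinSubnet = "100.64.0.0/16"

// Networks is a hypothetical, trimmed view of install-config `networking`.
type Networks struct {
	Machine, Cluster, Service []string
	InternalJoinSubnet        string // ovnKubernetesConfig.ipv4.internalJoinSubnet, "" = default
}

// CheckJoinSubnet lists every IPv4 network that overlaps the effective join subnet.
func CheckJoinSubnet(n Networks) ([]string, error) {
	raw, label := defaultJoinSubnet, "default"
	if n.InternalJoinSubnet != "" {
		raw, label = n.InternalJoinSubnet, "configured"
	}
	join, err := netip.ParsePrefix(raw)
	if err != nil || !join.Addr().Is4() {
		return nil, fmt.Errorf("internalJoinSubnet %q is not an IPv4 CIDR", raw)
	}
	groups := []struct {
		field string
		cidrs []string
	}{
		{"networking.machineNetwork", n.Machine},
		{"networking.clusterNetwork", n.Cluster},
		{"networking.serviceNetwork", n.Service},
	}
	var problems []string
	for _, g := range groups {
		for i, c := range g.cidrs {
			p, err := netip.ParsePrefix(c)
			if err != nil {
				return nil, fmt.Errorf("%s[%d]: %w", g.field, i, err)
			}
			// IPv6 networks are skipped: only the IPv4 join subnet is modelled here.
			if p.Addr().Is4() && p.Masked().Overlaps(join.Masked()) {
				problems = append(problems, fmt.Sprintf("%s[%d]: %s overlaps %s join subnet %s", g.field, i, c, label, join))
			}
		}
	}
	return problems, nil
}

func main() {
	// Constructed input mirroring the first test case in the comment above.
	probs, err := CheckJoinSubnet(Networks{
		Machine: []string{"100.64.40.0/24"},
		Cluster: []string{"10.128.0.0/14"},
		Service: []string{"172.30.0.0/16"},
	})
	fmt.Println(probs, err)
}
```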

@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Nov 12, 2025
@openshift-ci-robot

@gpei: This PR has been marked as verified by @gpei.

@openshift-merge-bot openshift-merge-bot bot merged commit 8a14a07 into openshift:main Nov 12, 2025
15 checks passed
@openshift-ci-robot

@jhixson74: Jira Issue Verification Checks: Jira Issue OCPBUGS-61167
✔️ This pull request was pre-merge verified.
✔️ All associated pull requests have merged.
✔️ All associated, merged pull requests were pre-merge verified.

Jira Issue OCPBUGS-61167 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload. 🕓

@openshift-merge-robot

Fix included in accepted release 4.21.0-0.nightly-2025-11-13-042845
