Thank you Mohammed,

It would be really good if we had a flag in the template to say release the floating IP instead of delete.

Technically, the operator assigns floating IPs to a project, and only that project should use them as needed, instead of deleting the floating IPs and putting them back in the book.

Let’s see if we can get some eyeballs on this feature. But this is a very important feature for us to control public IP usage.


On Mon, Apr 1, 2024 at 10:16 PM Mohammed Naser <mnaser@vexxhost.com> wrote:
Hi Satish,

This is actually something that would have to be handled on the Cluster API level, since it is the one that owns that resource.

I would start by raising an issue there first; if that gets traction, then we can integrate that with the driver afterwards. However, if it doesn't make sense for it to be there, we can maybe include a config flag to handle this (but I'm not sure what other implications this would have).

Thanks
Mohammed

From: Satish Patel <satish.txt@gmail.com>
Sent: April 1, 2024 10:09 PM
To: OpenStack Discuss <openstack-discuss@lists.openstack.org>
Subject: [neutron][magnum][mcapi] floating IP delete permission issue
 
Folks,

For regulatory purposes we set a neutron policy to not let normal users delete their public floating IPs because they are assigned to specific customers and we don't want them to delete them. So far that policy works. 

But now, when it comes to magnum / mcapi, I am able to create a cluster but not able to delete it, because when magnum goes to delete the floating IP I get an error saying you are not allowed to delete the floating IP, and k8s is stuck in the deleting state.

Is there any way magnum can do floating IP release instead of delete? 

I am seeing the following error in the CAPI logs:

I0402 01:50:03.412447 1 recorder.go:104] "events: Failed to delete floating IP 101.xx.xx.70: Request forbidden: [DELETE https://os2.example.com:9696/v2.0/floatingips/492b2c4c-151b-437e-acfc-4778a45cb9bf], error message: {\"NeutronError\": {\"type\": \"PolicyNotAuthorized\", \"message\": \"rule:delete_floatingip is disallowed by policy\", \"detail\": \"\"}}" type="Warning" object={"kind":"OpenStackMachine","namespace":"magnum-system","name":"kube-6aqje-csgft-nkz6s","uid":"97acabe1-e547-4bbc-8406-aebc563212cd","apiVersion":"infrastructure.cluster.x-k8s.io/v1alpha7","resourceVersion":"31170690"} reason="Faileddeletefloatingip"
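
An added example, not part of the original messages and not code from Magnum or Cluster API: a small Python filter that an operator could run over CAPI controller logs to list which cluster objects are stuck because a Neutron policy rule denied a request. The function name `policy_denials` and the second sample line are constructed for illustration; the first sample line is the event quoted above.

```python
import json
import re

# Shape of the event line quoted above: ...] "msg" type="..." object={...} reason="..."
EVENT_RE = re.compile(
    r'\] (?P<msg>"(?:[^"\\]|\\.)*") type="(?P<type>[^"]*)" '
    r'object=(?P<obj>\{.*\}) reason="(?P<reason>[^"]*)"')
REQUEST_RE = re.compile(r'\[(?P<method>[A-Z]+) (?P<url>\S+)\]')
NEUTRON_ERR_RE = re.compile(r'error message: (?P<body>\{.*\})\s*$')
RULE_RE = re.compile(r'rule:(\S+)')


def policy_denials(lines):
    """Return one record per event whose Neutron error is PolicyNotAuthorized."""
    found = []
    for line in lines:
        m = EVENT_RE.search(line)
        if not m:
            continue
        try:
            msg = json.loads(m.group("msg"))  # undo the \" escaping of the message
            obj = json.loads(m.group("obj"))
            err = NEUTRON_ERR_RE.search(msg)
            neutron = json.loads(err.group("body"))["NeutronError"] if err else None
        except (json.JSONDecodeError, KeyError):
            continue  # event without a parseable Neutron error payload
        if not isinstance(neutron, dict) or neutron.get("type") != "PolicyNotAuthorized":
            continue
        rule = RULE_RE.search(neutron.get("message", ""))
        req = REQUEST_RE.search(msg)
        found.append({
            "rule": rule.group(1) if rule else None,
            "method": req.group("method") if req else None,
            "url": req.group("url") if req else None,
            "object": f'{obj.get("kind")}/{obj.get("namespace")}/{obj.get("name")}',
            "reason": m.group("reason"),
        })
    return found


SAMPLE_LINES = [
    # Event line from the message above, copied verbatim.
    r'''I0402 01:50:03.412447 1 recorder.go:104] "events: Failed to delete floating IP 101.xx.xx.70: Request forbidden: [DELETE https://os2.example.com:9696/v2.0/floatingips/492b2c4c-151b-437e-acfc-4778a45cb9bf], error message: {\"NeutronError\": {\"type\": \"PolicyNotAuthorized\", \"message\": \"rule:delete_floatingip is disallowed by policy\", \"detail\": \"\"}}" type="Warning" object={"kind":"OpenStackMachine","namespace":"magnum-system","name":"kube-6aqje-csgft-nkz6s","uid":"97acabe1-e547-4bbc-8406-aebc563212cd","apiVersion":"infrastructure.cluster.x-k8s.io/v1alpha7","resourceVersion":"31170690"} reason="Faileddeletefloatingip"''',
    # Constructed line with no event payload; it must be skipped.
    'I0402 01:50:04.000000 1 example.go:1] "constructed line with no event payload"',
]

if __name__ == "__main__":
    for d in policy_denials(SAMPLE_LINES):
        print(f'{d["object"]}: {d["method"]} denied by rule {d["rule"]} ({d["url"]})')
```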