Bug 1883458: switch to CRD for rangeallocation #39

Merged
merged 2 commits into from Sep 30, 2020

@deads2k deads2k commented Sep 28, 2020

based on openshift/api#751

We see numerous SCC pod failures across many namespaces: openshift/origin#25544 .

In the cluster-policy-controller, we see failures about an inability to manage rangeallocations. This is because it is served as an aggregated API from openshift-apiserver. We moved SCC to a CRD, but forgot its dependencies. This PR creates a new RangeAllocation CRD that is schematically identical to the existing one, but now in the security.internal.openshift.io group. This does two things:

  1. indicates that it is internal
  2. avoids requiring kube-apiserver patches to expose the CRD. Co-locating in the same group would require this.

In 4.6, we can change to the CRD without intermediate migration. This is possible because the cluster-policy-controller runs using a leader elected lease and its first act is to reconcile the rangeallocations with the namespaces that currently exist. See

    if err := c.WaitForRepair(stopCh); err != nil {
        // this is consistent with previous behavior
        klog.Fatal(err)
    }

we

  1. merge this PR
  2. vendor into cluster-config-operator
  3. add to client-go
  4. switch client in cluster-policy-controller

The change is relatively low risk.
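
The reasoning above, that no migration is needed because the controller first reconciles rangeallocations with the existing namespaces, shown as an added Go example (not code from cluster-policy-controller or this PR): a repair pass that derives the bitmap from the namespaces reaches the same state from an empty object in the new group as from a stale one. The `namespace` type, the block indices and the function names are constructed assumptions.

```go
package main

import (
	"fmt"
	"math/big"
)

// namespace is a constructed stand-in: Block is the index of the range
// block the namespace already holds, or -1 if none was assigned yet.
type namespace struct {
	Name  string
	Block int
}

// repair rebuilds the allocation bitmap purely from the namespaces that
// exist. The stored bitmap is only compared against, never trusted, so an
// empty object in a new API group converges to the same state as the old one.
func repair(stored *big.Int, size int, nss []namespace) (rebuilt *big.Int, conflicts []string, changed bool) {
	rebuilt = new(big.Int)
	for _, ns := range nss {
		switch {
		case ns.Block < 0:
			continue // nothing allocated yet, skip this namespace
		case ns.Block >= size || rebuilt.Bit(ns.Block) == 1:
			conflicts = append(conflicts, ns.Name) // out of range or double-booked
		default:
			rebuilt.SetBit(rebuilt, ns.Block, 1)
		}
	}
	return rebuilt, conflicts, stored.Cmp(rebuilt) != 0
}

// nextFree returns the lowest unallocated block, or -1 when the range is full.
func nextFree(bits *big.Int, size int) int {
	for i := 0; i < size; i++ {
		if bits.Bit(i) == 0 {
			return i
		}
	}
	return -1
}

func main() {
	// Constructed sample: "dup" claims a block that "app-b" already holds.
	nss := []namespace{{"default", 0}, {"app-a", 1}, {"app-b", 3}, {"new-ns", -1}, {"dup", 3}}
	fromEmpty, conflicts, _ := repair(new(big.Int), 8, nss) // fresh object in the new group
	fromOld, _, _ := repair(big.NewInt(15), 8, nss)         // stale bitmap from the old object
	fmt.Println(fromEmpty.Cmp(fromOld) == 0, conflicts, nextFree(fromEmpty, 8))
}
```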

@openshift-ci-robot openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 28, 2020
@@ -4,6 +4,8 @@ import (
"math/big"
"testing"

securityinternalv1 "github.com/openshift/api/securityinternal/v1"
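
Review bot: the added securityinternalv1 import is shown as the first entry after the standard-library block ("math/big", "testing"), so its position within the third-party group needs checking. Run goimports on this test file and confirm the line sits in sorted order rather than ahead of packages that sort before github.com/openshift/api/securityinternal/v1.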
order

sttts commented Sep 28, 2020

A nit.

Plus needs real bump.

/lgtm
/hold

@openshift-ci-robot openshift-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Sep 28, 2020
@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Sep 28, 2020
@openshift-ci-robot

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: deads2k, sttts


@soltysh soltysh changed the title switch to CRD for rangeallocation Bug 1883458: switch to CRD for rangeallocation Sep 29, 2020
@openshift-ci-robot openshift-ci-robot added bugzilla/severity-high Referenced Bugzilla bug's severity is high for the branch this PR is targeting. bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. labels Sep 29, 2020
@openshift-ci-robot

@deads2k: This pull request references Bugzilla bug 1883458, which is valid. The bug has been updated to refer to the pull request using the external bug tracker.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target release (4.6.0) matches configured target release for branch (4.6.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)


@@ -29,7 +29,8 @@ import (
coreapi "k8s.io/kubernetes/pkg/apis/core"

securityv1 "github.com/openshift/api/security/v1"
securityv1client "github.com/openshift/client-go/security/clientset/versioned/typed/security/v1"
securityinternalv1 "github.com/openshift/api/securityinternal/v1"
securityv1client "github.com/openshift/client-go/securityinternal/clientset/versioned/typed/securityinternal/v1"
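
Review bot: the alias securityv1client on the last import line is bound to the client-go/securityinternal/.../securityinternal/v1 package, so call sites read as if they talk to the security/v1 group while they actually target the internal one. Rename it to securityinternalv1client to match the securityinternalv1 alias on the line above it, and confirm the earlier securityv1client line for client-go/security/... is removed, since two imports under one alias will not compile.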
nit: since you're using both security and securityinternal, I'd prefer this have securityinternalv1client - long but clear it's the internal

@openshift-ci-robot openshift-ci-robot removed the lgtm Indicates that a PR is ready to be merged. label Sep 29, 2020
@openshift-ci-robot

New changes are detected. LGTM label has been removed.

deads2k commented Sep 30, 2020

/retest
/hold cancel

@openshift-ci-robot openshift-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Sep 30, 2020
@deads2k deads2k added the lgtm Indicates that a PR is ready to be merged. label Sep 30, 2020
deads2k commented Sep 30, 2020

made the bump real. relabelling.

@openshift-merge-robot openshift-merge-robot merged commit 24ab454 into openshift:master Sep 30, 2020
@openshift-ci-robot

@deads2k: All pull requests linked via external trackers have merged:

Bugzilla bug 1883458 has been moved to the MODIFIED state.

