Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bug 2006145: install/0000_00_cluster-version-operator_03_deployment: Explicit kube-api-access #661

Merged
merged 1 commit into from Sep 21, 2021
Merged

Bug 2006145: install/0000_00_cluster-version-operator_03_deployment: Explicit kube-api-access #661

merged 1 commit into from Sep 21, 2021

Conversation

wking
Copy link
Member

@wking wking commented Sep 20, 2021

Backporting #660 to 4.9.

@openshift-ci openshift-ci bot added bugzilla/severity-urgent Referenced Bugzilla bug's severity is urgent for the branch this PR is targeting. bugzilla/invalid-bug Indicates that a referenced Bugzilla bug is invalid for the branch this PR is targeting. labels Sep 20, 2021
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Sep 20, 2021

@wking: This pull request references Bugzilla bug 2006145, which is invalid:

  • expected dependent Bugzilla bug 2005581 to be in one of the following states: MODIFIED, ON_QA, VERIFIED, but it is POST instead

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

Bug 2006145: install/0000_00_cluster-version-operator_03_deployment: Explicit kube-api-access

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 20, 2021
@wking wking force-pushed the explicit-kube-api-access-volume-4.9 branch from 5548d7d to 904ad57 Compare September 21, 2021 03:23
@wking
install/0000_00_cluster-version-operator_03_deployment: Explicit kube…
35655b9 
…-api-access

This content is injected by an admission webhook [1,2].  When we
started removing not-in-manifest volumes in 83faa6e
(lib/resourcemerge/core: Remove unrecognized volumes and mounts,
2021-09-14, openshift#654), the cluster-version operator started removing the
webhook-injected volume, leading to the cluster-version operator
crash-looping on updates from 4.8 to 4.9 with messages like [3]:

  F0920 13:23:23.565439       1 start.go:24] error: error creating clients: invalid configuration: no configuration has been provided, try setting KUBERNETES_MASTER environment variable

With this commit, we follow the precedent of the Kubernetes API
server's own manifest [4,5].

[1]: https://github.com/kubernetes/kubernetes/blob/2f68346fbb6246961ce0a3176418630950aea500/plugin/pkg/admission/serviceaccount/admission.go#L53-L54
[2]: https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#bound-service-account-token-volume
[3]: https://bugzilla.redhat.com/show_bug.cgi?id=2005581
[4]: openshift/cluster-kube-apiserver-operator#1142
[5]: https://bugzilla.redhat.com/show_bug.cgi?id=1946479
@wking wking force-pushed the explicit-kube-api-access-volume-4.9 branch from 904ad57 to 35655b9 Compare September 21, 2021 03:46
@vikaslaad
Copy link

/retest-required

@sdodson
Copy link
Member

sdodson commented Sep 21, 2021

/lgtm

@sdodson sdodson added staff-eng-approved Indicates a release branch PR has been approved by a staff engineer (formerly group/pillar lead). bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. and removed bugzilla/invalid-bug Indicates that a referenced Bugzilla bug is invalid for the branch this PR is targeting. labels Sep 21, 2021
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Sep 21, 2021

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: sdodson, wking

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Sep 21, 2021
@sdodson
Copy link
Member

sdodson commented Sep 21, 2021

Upstream PR has merged and this is a blocker, so labeling for merge.

@wking
Copy link
Member Author

wking commented Sep 21, 2021

None of the previous failures look related to me. But we won't get this landed until QE verifies #660, so no harm in waiting for a

/retest

@openshift-bot
Copy link
Contributor

/retest-required

Please review the full test history for this PR and help us cut down flakes.

@wking
Copy link
Member Author

wking commented Sep 21, 2021

Sandbox and replica/not-ready issues are unrelated.

/override ci/prow/e2e-agnostic
/override ci/prow/e2e-agnostic-upgrade

@sdodson
Copy link
Member

sdodson commented Sep 21, 2021

/override ci/prow/e2e-agnostic
/override ci/prow/e2e-agnostic-upgrade

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Sep 21, 2021

@sdodson: Overrode contexts on behalf of sdodson: ci/prow/e2e-agnostic, ci/prow/e2e-agnostic-upgrade

In response to this:

/override ci/prow/e2e-agnostic
/override ci/prow/e2e-agnostic-upgrade

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Sep 21, 2021

@wking: Overrode contexts on behalf of wking: ci/prow/e2e-agnostic, ci/prow/e2e-agnostic-upgrade

In response to this:

Sandbox and replica/not-ready issues are unrelated.

/override ci/prow/e2e-agnostic
/override ci/prow/e2e-agnostic-upgrade

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-merge-robot openshift-merge-robot merged commit 014a66a into openshift:release-4.9 Sep 21, 2021
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Sep 21, 2021

@wking: All pull requests linked via external trackers have merged:

Bugzilla bug 2006145 has been moved to the MODIFIED state.

In response to this:

Bug 2006145: install/0000_00_cluster-version-operator_03_deployment: Explicit kube-api-access

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@wking wking deleted the explicit-kube-api-access-volume-4.9 branch September 21, 2021 21:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jottofar jottofar Awaiting requested review from jottofar

@LalatenduMohanty LalatenduMohanty Awaiting requested review from LalatenduMohanty

Assignees

@sdodson sdodson

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. bugzilla/severity-urgent Referenced Bugzilla bug's severity is urgent for the branch this PR is targeting. bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. lgtm Indicates that a PR is ready to be merged. staff-eng-approved Indicates a release branch PR has been approved by a staff engineer (formerly group/pillar lead).
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@wking @vikaslaad @sdodson @openshift-bot @openshift-merge-robot