Bug 1905299: fix(olm): Verify ServiceAccount ownership before installing deployment #1904
Conversation
openshift-ci-robot
added
bugzilla/severity-medium
|
@dinhxuanvu: This pull request references Bugzilla bug 1905299, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker. 3 validation(s) were run on this bug
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
dinhxuanvu
force-pushed
the
sa-csv-check
branch
from
dcacc95
to
7a83f3b
Compare
Currently, there is a timing during upgrade, the new SA is not yet being created but the deployment is successfully updated and the new pod is coming up using the old SA. As a result, the pod fails to succeed due to permission failure. When CSV is in Pending state, a permission and requirement check list is performed. A check for SA ownership is added to that check list to verify if new SA is in place before moving CSV to Installing state. If new SA is not yet in place, CSV can continue to be Pending which will prevent the deployment to be created/updated. Signed-off-by: Vu Dinh <vdinh@redhat.com>
dinhxuanvu
force-pushed
the
sa-csv-check
branch
from
7a83f3b
to
904003a
Compare
|
/retest |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: benluddy, dinhxuanvu The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci-robot
added
the
approved
|
/retest |
|
@dinhxuanvu: All pull requests linked via external trackers have merged: Bugzilla bug 1905299 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/cherry-pick release-4.6 |
|
@dinhxuanvu: new pull request created: #1907 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Currently, there is a timing during upgrade, the new SA is not yet being
created but the deployment is successfully updated and the new pod
is coming up using the old SA. As a result, the pod fails to succeed
due to permission failure.
When CSV is in Pending state, a permission and requirement check list
is performed. A check for SA ownership is added to that check list
to verify if new SA is in place before moving CSV to Installing state.
If new SA is not yet in place, CSV can continue to be Pending which
will prevent the deployment to be created/updated.
Signed-off-by: Vu Dinh vdinh@redhat.com
Description of the change:
Motivation for the change:
Reviewer Checklist
/docs