Bug 1428934

Summary: Reserve kube[-*] and openshift[-*] namespaces
Product: OpenShift Container Platform
Reporter: David Eads <deads>
Component: Cluster Version Operator
Assignee: Scott Dodson <sdodson>
Status: CLOSED ERRATA
QA Contact: Anping Li <anli>
Severity: high
Docs Contact:
Priority: unspecified
Version: 3.6.0
CC: anli, aos-bugs, deads, jliggitt, jokerman, mkhan, mmccomas, twiest, vjaypurk
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-08-10 05:18:47 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description David Eads 2017-03-03 16:14:53 UTC
Upstream is reserving kube-* namespaces (kube-system and kube-public are notably already used).  We should do the same with openshift[-*] namespaces.

We need to prevent an upgrade to make sure we don't bump to a level that gives power to a namespace a user previously requested as their own.  This allows us to further restrict the set of namespaces to those that have the "openshift.io/requester" annotation set.

There is an open pull to add a check (https://github.com/openshift/openshift-ansible/pull/3535), but that needs wiring to prevent upgrades until those namespaces are resolved.

Comment 1 Scott Dodson 2017-05-09 13:02:47 UTC
This is done.

Comment 3 Anping Li 2017-05-12 03:17:34 UTC
What is the expected result of this feature during upgrade? 1 or 2?

1. The upgrade aborts when there are projects named kube-xxx or openshift-xxx.
2. OCP 3.6 does not allow projects named kube-xxx or openshift-xxx.

[root@openshift-214 ~]# oc new-project kube-test1
Error from server (Forbidden): project.project.openshift.io "kube-test1" is forbidden: cannot request a project starting with "kube-"
[root@openshift-214 ~]# oc new-project openshift-test1
Error from server (Forbidden): project.project.openshift.io "openshift-test1" is forbidden: cannot request a project starting with "openshift-"

Comment 4 Mo 2017-05-12 04:22:05 UTC
Both.

We do not let you upgrade from 3.5 to 3.6 with projects that violate this requirement.  The API server did not prevent their creation in 3.5.

In 3.6 the API server prevents their creation.

Comment 8 Anping Li 2017-05-15 01:25:24 UTC
In OCP 3.5, I created projects via 'oc new-project kube-test' and 'oc new-project openshift-test'.

After upgrading to OCP 3.6, I got the following message.
[root@openshift-214 ~]# oc new-project kube-test1
Error from server (Forbidden): project.project.openshift.io "kube-test1" is forbidden: cannot request a project starting with "kube-"
[root@openshift-214 ~]# oc new-project openshift-test1
Error from server (Forbidden): project.project.openshift.io "openshift-test1" is forbidden: cannot request a project starting with "openshift-"


I had expected the upgrade to abort, as there are projects kube-test and openshift-test. But it didn't abort.

Can you confirm the requirement in comment 4 again? Shall we abort the upgrade playbook if there are projects named like 'kube-xx' and 'openshift-xxx' when we upgrade from v3.5 to 3.6?

Comment 9 Scott Dodson 2017-05-15 13:14:43 UTC
We'd only included the validator in the 3.5 playbook. I'll move it to ensure it's included on all upgrade playbooks.

Comment 11 Anping Li 2017-06-02 12:44:38 UTC
Openshift-ansible v3.6.92 works as expected. 

TASK [Check for invalid namespaces and SDN errors] *****************************
fatal: [openshift-214.lab.eng.nay.redhat.com]: FAILED! => {
    "changed": false, 
    "failed": true, 
    "results": {
        "namespaces that use reserved names and were not created by infrastructure components": [
            {
                "apiVersion": "v1", 
                "kind": "Namespace", 
                "metadata": {
                    "annotations": {
                        "openshift.io/description": "", 
                        "openshift.io/display-name": "", 
                        "openshift.io/requester": "system:admin", 
                        "openshift.io/sa.scc.mcs": "s0:c9,c4", 
                        "openshift.io/sa.scc.supplemental-groups": "1000080000/10000", 
                        "openshift.io/sa.scc.uid-range": "1000080000/10000"
                    }, 
                    "creationTimestamp": "2017-06-02T10:25:55Z", 
                    "name": "kube-test", 
                    "namespace": "", 
                    "resourceVersion": "3344", 
                    "selfLink": "/api/v1/namespaceskube-test", 
                    "uid": "dc505d60-477d-11e7-802e-fa163e66ca8d"
                }, 
                "spec": {
                    "finalizers": [
                        "openshift.io/origin", 
                        "kubernetes"
                    ]
                }, 
                "status": {
                    "phase": "Active"
                }
            }, 
            {
                "apiVersion": "v1", 
                "kind": "Namespace", 
                "metadata": {
                    "annotations": {
                        "openshift.io/description": "", 
                        "openshift.io/display-name": "", 
                        "openshift.io/requester": "system:admin", 
                        "openshift.io/sa.scc.mcs": "s0:c8,c7", 
                        "openshift.io/sa.scc.supplemental-groups": "1000070000/10000", 
                        "openshift.io/sa.scc.uid-range": "1000070000/10000"
                    }, 
                    "creationTimestamp": "2017-06-02T10:25:48Z", 
                    "name": "openshift-test", 
                    "namespace": "", 
                    "resourceVersion": "3306", 
                    "selfLink": "/api/v1/namespacesopenshift-test", 
                    "uid": "d8923248-477d-11e7-802e-fa163e66ca8d"
                }, 
                "spec": {
                    "finalizers": [
                        "openshift.io/origin", 
                        "kubernetes"
                    ]
                }, 
                "status": {
                    "phase": "Active"
                }
            }
        ]
    }, 
    "state": "list"
}

MSG:

All objects are not valid.  If you are a supported customer please contact Red Hat Support providing the complete output above. If you are not a customer please contact users.redhat.com for assistance.
	to retry, use: --limit @/usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/upgrades/v3_6/upgrade.retry

PLAY RECAP *********************************************************************
localhost                  : ok=13   changed=0    unreachable=0    failed=0
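The preflight check described in the description and exercised above, written out as a stand-alone example (not the openshift-ansible implementation): reserved names are those the summary lists, kube[-*] and openshift[-*], and a namespace counts as user-requested when it carries the "openshift.io/requester" annotation, which infrastructure namespaces such as kube-system lack. The input is a constructed list in the shape of `oc get namespaces -o json`, not data from a real cluster.

```python
import json

# Reserved roots per the bug summary "kube[-*] and openshift[-*]": the bare
# name and anything under the dash-separated prefix (assumption for the bare name).
RESERVED_ROOTS = ("kube", "openshift")
REQUESTER_ANNOTATION = "openshift.io/requester"


def is_reserved_name(name):
    """True if the namespace name is one that upstream or OpenShift reserves."""
    return any(name == root or name.startswith(root + "-") for root in RESERVED_ROOTS)


def was_user_requested(namespace):
    """Project requests stamp the requester annotation; infrastructure-created
    namespaces (kube-system, kube-public, ...) carry no such annotation."""
    annotations = namespace.get("metadata", {}).get("annotations") or {}
    return bool(annotations.get(REQUESTER_ANNOTATION))


def find_invalid_namespaces(namespace_list):
    """Return the reserved-name namespaces a user requested, sorted: the set
    an upgrade preflight refuses to proceed on (empty list means clean)."""
    return sorted(
        ns["metadata"]["name"]
        for ns in namespace_list.get("items", [])
        if is_reserved_name(ns["metadata"]["name"]) and was_user_requested(ns)
    )


# Constructed sample in the shape of `oc get namespaces -o json` (not real cluster data).
SAMPLE_NAMESPACES = json.loads("""
{"kind": "List", "apiVersion": "v1", "items": [
  {"kind": "Namespace", "metadata": {"name": "kube-system", "annotations": {}}},
  {"kind": "Namespace", "metadata": {"name": "kube-public"}},
  {"kind": "Namespace", "metadata": {"name": "kube-test",
     "annotations": {"openshift.io/requester": "system:admin"}}},
  {"kind": "Namespace", "metadata": {"name": "openshift-test",
     "annotations": {"openshift.io/requester": "system:admin"}}},
  {"kind": "Namespace", "metadata": {"name": "myproject",
     "annotations": {"openshift.io/requester": "alice"}}}
]}
""")

if __name__ == "__main__":
    bad = find_invalid_namespaces(SAMPLE_NAMESPACES)
    if bad:
        print("refusing to upgrade; reserved namespaces requested by users:", bad)
    else:
        print("no reserved-name namespaces were requested by users")
```

On the sample data the check reports kube-test and openshift-test while leaving kube-system, kube-public and myproject alone, matching the two namespaces the playbook output above lists.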

Comment 13 errata-xmlrpc 2017-08-10 05:18:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:1716