Bug 1484563

Summary: You should not be able to modify metadata.generation in a DC
Product: OpenShift Container Platform Reporter: Eric Jones <erjones>
Component: MasterAssignee: Tomáš Nožička <tnozicka>
Status: CLOSED ERRATA QA Contact: zhou ying <yinzhou>
Severity: medium Docs Contact:
Priority: medium    
Version: 3.3.1CC: aos-bugs, ccoleman, decarr, jokerman, mfojtik, mmccomas, wsun
Target Milestone: ---   
Target Release: 3.3.1   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Cause: User can modify metadata.generation which he shouldn't be able to modify. Consequence: It can break controllers. Fix: Forbid changing metadata.generation. Result: Any changes to metadata.generation are ignored.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2017-11-28 22:07:41 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Eric Jones 2017-08-23 21:00:35 UTC 
Description of problem:
If the metadata.generation value is lower than the status.observedGeneration the DC is no longer modifiable. The master (or master-controllers) service will log an error that the DC cannot be updated because the "status.observedGeneration cannot be decremented". 

Version-Release number of selected component (if applicable):
OCP 3.3.1

How reproducible:
100%

Steps to Reproduce:
1. oc edit dc <test_app>
2. change the metadata.generation to a lower value (for example: 5->3) and save
3. oc scale dc <test_app> --replicas=<Different_number>

Actual results:
Pod scales up/down to match the specified replicas
BUT an error message about updating the DC will appear in the master (or master-controllers) service logs and if you check `oc get dc <test_app>` it will reference the old replica number

Expected results:
metadata.generation is not changed therefore the scale and everything adjusts properly.

Additional info:
OpenShift is unable to make additional modifications to an application's DC (including scaling) if the DC's .spec.observedGeneration is greater than the .metadata.generation value. Neither of these fields are things that the user should have any reason to modify but the .metadata.generation can be modified.
Comment 2 Solly Ross 2017-08-23 21:09:04 UTC 
It seems like in general, if we never expect observedGeneration to go down, ValidateObjectMetaUpdate in Kubernetes should probably prevent `Generation` from going down as well.

I believe the error is specifically in regards to status updates -- spec-only updates seem to go through.  However, incorrect status causes issues with things which depend on status for information, such as the HPA, which consumes `status.replicas` via the scale subresource.
Comment 8 zhou ying 2017-08-31 09:32:08 UTC 
Not merged with latest OCP v3.3.1.46.16
Comment 10 zhou ying 2017-11-10 01:59:56 UTC 
Confirmed with OCP v3.3.1.46.31, now can't update the generation.
openshift v3.3.1.46.31
kubernetes v1.3.0+52492b4
etcd 2.3.0+git
Comment 13 errata-xmlrpc 2017-11-28 22:07:41 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:3188