Bug 1485375

Summary: [DOCS] Invalid objects can cause quota resources for a project to become exhausted.
Product: OpenShift Container Platform
Reporter: Eric Rich <erich>
Component: Documentation
Assignee: Ashley Hardin <ahardin>
Status: CLOSED CURRENTRELEASE
QA Contact: DeShuai Ma <dma>
Severity: high
Docs Contact: Vikram Goyal <vigoyal>
Priority: unspecified
Version: 3.4.0
CC: ahardin, aos-bugs, bparees, chuyu, decarr, erich, fmontero, hgomes, jokerman, mmccomas, pdwyer
Target Milestone: ---   
Target Release: 3.7.0   
Hardware: x86_64   
OS: Linux   
Doc Type: If docs needed, set a value
Clone Of: 1484134
Last Closed: 2018-07-10 22:04:55 UTC
Type: Bug
Bug Depends On: 1484134    
Bug Blocks:    

Description Eric Rich 2017-08-25 13:45:08 UTC
+++ This bug was initially created as a clone of Bug #1484134 +++

Description of problem:
If the wrong secret is passed in a given buildconfig (the secret is nonexistent in the project space), it will consume all of the resources set via quota, and thus any other build, deployment, etc. will fail until the X build is deleted.

As a result, this buildpod is an invalid object, incrementing a counter that quota is tracking, which leads to quota exhaustion.

This needs to be documented as a known issue / possible issue with object creation. 

Version-Release number of selected component (if applicable):
3.4 to 3.7(3.8)


--- Additional comment from Derek Carr on 2017-08-23 11:51:19 EDT ---

Quota is incremented in admission prior to validation of the resource. As a result, quota may be incremented even if the pod is not ultimately persisted. This is a known limitation of the quota subsystem today in Kubernetes that we will have to address in a future release.

We should probably doc this at minimum in the product documentation, and we would want an RFE in the future to address this.


--- Additional comment from Derek Carr on 2017-08-24 17:29:46 EDT ---

To provide context for this issue, the API server at a high level works as follows:

1. Receive request
2. Deserialize the object
3. Default the object
4. Convert the object to internal form
5. Admission controllers Admit the object
6. Validate the object
7. ...
8. Persist the Object

Quota validation happens as part of the admission controller chain, and before object validation.  As a result, invalid objects sent to the API server can cause temporary charges to quota until replenishment occurs.

Ideally, we could have validation happen before quota, which requires bucketing of admission controllers into defaulters and non-defaulters.  This bucketing is not yet possible.
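
The ordering described in the comment above, as an added example that is not part of the original bug report or of the Kubernetes/OpenShift code base. It is a simplified model: the `Pod`, `Server`, `Create`, `Drift` and `Replenish` names are hypothetical, and the `Valid` flag stands in for whatever the real validation step checks.

```go
package main

import (
	"errors"
	"fmt"
)

// Pod is a minimal stand-in for an API object (hypothetical type for this model).
type Pod struct {
	Name  string
	Valid bool // assumption: stands in for the outcome of object validation
}

// Server models one project: a pod quota, the charged usage, and persisted pods.
type Server struct {
	Hard, Used int
	Stored     []Pod
}

var ErrQuota = errors.New("exceeded quota")
var ErrInvalid = errors.New("invalid object")

// Create follows the order in the comment: admit (quota) first, validate second.
func (s *Server) Create(p Pod) error {
	if s.Used+1 > s.Hard { // step 5: quota admission
		return ErrQuota
	}
	s.Used++ // the charge is recorded before the object is known to be valid
	if !p.Valid { // step 6: validation
		return ErrInvalid // rejected, but the charge above stays
	}
	s.Stored = append(s.Stored, p) // step 8: persist
	return nil
}

// Drift is the usage charged for objects that were never persisted.
func (s *Server) Drift() int { return s.Used - len(s.Stored) }

// Replenish recalculates usage from persisted objects, clearing the drift.
func (s *Server) Replenish() { s.Used = len(s.Stored) }

func main() {
	s := &Server{Hard: 3}
	for i := 0; i < 3; i++ { // constructed input: three invalid pods
		fmt.Println(s.Create(Pod{Name: "bad"}))
	}
	fmt.Println(s.Create(Pod{Name: "good", Valid: true}), s.Drift())
	s.Replenish()
	fmt.Println(s.Create(Pod{Name: "good", Valid: true}), s.Drift())
}
```

A non-zero `Drift()` is the symptom to look for: usage reported by quota that exceeds the number of objects actually persisted in the project.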

Comment 2 Ashley Hardin 2018-07-06 18:38:14 UTC
Work in progress: https://github.com/openshift/openshift-docs/pull/10700

Comment 3 DeShuai Ma 2018-07-09 02:04:31 UTC
The change to doc LGTM, move to verified.