Bug 1711075

Summary: Auth components running in BestEffort QoS
Product: OpenShift Container Platform Reporter: Seth Jennings <sjenning>
Component: apiserver-authAssignee: Stefan Schimanski <sttts>
Status: CLOSED ERRATA QA Contact: Wei Sun <wsun>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 4.1.0CC: aos-bugs, wking, xtian
Target Milestone: ---   
Target Release: 4.2.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-10-16 06:28:56 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Seth Jennings 2019-05-16 21:26:53 UTC 
The following pods run in the BestEffort QoS with no resource requests

openshift-service-ca-operator/service-ca-operator
openshift-service-ca/apiservice-cabundle-injector
openshift-service-ca/configmap-cabundle-injector
openshift-service-ca/service-serving-cert-signer

https://github.com/openshift/origin/pull/22787

This can cause eviction, OOMKilling, and CPU starvation.

Please add the following resource requests to the pods in this component:

Memory:
service-ca-operator 80Mi
apiservice-cabundle-injector 50Mi
configmap-cabundle-injector 50Mi
service-serving-cert-signer 120Mi

CPU:
all 10m
Comment 1 Erica von Buelow 2019-05-16 22:12:51 UTC 
https://github.com/openshift/service-ca-operator/pull/57
Comment 2 Xiaoli Tian 2019-05-20 02:06:34 UTC 
This is already merged in latest nightly build:
Comment 3 Chuan Yu 2019-05-20 03:12:04 UTC 
Verified on 4.1.0-0.nightly-2019-05-18-050636

$ oc get po -n openshift-service-ca-operator -o json | jq '.items[0].spec.containers[0].resources'
{
  "requests": {
    "cpu": "10m",
    "memory": "80Mi"
  }
}

$ oc get po apiservice-cabundle-injector-776c457f7d-nrvjs -n openshift-service-ca -o json | jq '.spec.containers[0].resources'
{
  "requests": {
    "cpu": "10m",
    "memory": "50Mi"
  }
}

$ oc get po configmap-cabundle-injector-5946598ff6-ffk2k -n openshift-service-ca -o json | jq '.spec.containers[0].resources'
{
  "requests": {
    "cpu": "10m",
    "memory": "50Mi"
  }
}

$ oc get po service-serving-cert-signer-5c7f8cdbb6-wnwj6 -n openshift-service-ca -o json | jq '.spec.containers[0].resources'
{
  "requests": {
    "cpu": "10m",
    "memory": "120Mi"
  }
}
Comment 6 errata-xmlrpc 2019-10-16 06:28:56 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2922
Comment 7 W. Trevor King 2020-12-08 04:38:21 UTC 
Follow-up OAuth work in bug 1905329.