Bug 1868478

Summary: Cluster version operator does not manage shareProcessNamespace on pods and their consumers
Product: OpenShift Container Platform
Reporter: OpenShift BugZilla Robot <openshift-bugzilla-robot>
Component: Cluster Version Operator
Assignee: Vadim Rutkovsky <vrutkovs>
Status: CLOSED ERRATA
QA Contact: Wenjing Zheng <wzheng>
Severity: medium
Docs Contact:
Priority: medium
Version: 4.1.z
CC: aos-bugs, jokerman, wking, wzheng
Target Milestone: ---
Target Release: 4.5.z
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: CVO was not syncing shareProcessNamespace parameter in pod spec
Consequence: registry operator didn't get shareProcessNamespace setting updated, so the watchdog was misconfigured
Fix: CVO synced shareProcessNamespace, DNSPolicy and TerminationGracePeriodSeconds
Result: registry operator got updated properly
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-09-08 10:54:46 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1866554
Bug Blocks:

Description OpenShift BugZilla Robot 2020-08-12 19:22:57 UTC
+++ This bug was initially created as a clone of Bug #1866554 +++

The image-registry folks added shareProcessNamespace to a Deployment between 4.1 and 4.2:

$ git --no-pager log --oneline -G shareProcessNamespace origin/release-4.2..origin/master -- manifests
...no hits...
$ git --no-pager log --oneline -G shareProcessNamespace origin/release-4.1..origin/master -- manifests
cc9e9fe05 (origin/pr/364) Integrating watchdog as a sidecar to registry operator.
3803d25ff Revert "Integrating watchdog as a sidecar to registry operator."
ffbb403ef (origin/pr/342) Integrating watchdog as a sidecar to registry operator.

But the CVO does not reconcile that property today.  That means that whatever the value was when the manifest was created would be preserved regardless of the value in future manifests.  We should start reconciling this property and probably audit for other missing pod properties, and then port that fix back probably as far as we can excepting end-of-life versions.

Spun out from bug 1857782.
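
Added example, not part of the original report and not the CVO's own code: a simplified Go model of the gap described above, where a field the merge routine never compares keeps its creation-time value while the rest of the pod spec follows the manifest. The names PodSpec, ensureOld, ensureFixed and shared, the container names, and the premise that container lists were already reconciled are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"reflect"
)

// PodSpec is a cut-down, hypothetical stand-in for the Kubernetes pod spec.
type PodSpec struct {
	Containers            []string // container names only
	ShareProcessNamespace *bool
}

// ensureOld models the gap: only the fields it names are compared, so any
// other field keeps the value the object had when it was first created.
func ensureOld(existing *PodSpec, required PodSpec) (modified bool) {
	if !reflect.DeepEqual(existing.Containers, required.Containers) {
		existing.Containers, modified = append([]string(nil), required.Containers...), true
	}
	return modified
}

// ensureFixed also makes shareProcessNamespace match the manifest, treating the
// manifest as authoritative for nil-ness and value (assumption of this sketch).
func ensureFixed(existing *PodSpec, required PodSpec) (modified bool) {
	modified = ensureOld(existing, required)
	have, want := existing.ShareProcessNamespace, required.ShareProcessNamespace
	if (have == nil) != (want == nil) || (want != nil && *have != *want) {
		existing.ShareProcessNamespace, modified = nil, true
		if want != nil {
			v := *want // copy so the live object never aliases the manifest
			existing.ShareProcessNamespace = &v
		}
	}
	return modified
}

// shared reports the effective setting; an unset field behaves as false.
func shared(p PodSpec) bool { return p.ShareProcessNamespace != nil && *p.ShareProcessNamespace }

func main() {
	yes := true
	// Constructed sample: object created without the field, later manifest adds a sidecar and sets it.
	required := PodSpec{Containers: []string{"cluster-image-registry-operator", "watchdog"}, ShareProcessNamespace: &yes}
	a, b := PodSpec{Containers: required.Containers[:1]}, PodSpec{Containers: required.Containers[:1]}
	ensureOld(&a, required)
	ensureFixed(&b, required)
	fmt.Printf("old:   %v shared=%v\nfixed: %v shared=%v\n", a.Containers, shared(a), b.Containers, shared(b))
}
```

With the old routine the sidecar appears in the pod but the process namespace stays unshared, which is the mismatch the verification command in comment 5 checks for on the live Deployment.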

Comment 1 W. Trevor King 2020-08-21 22:25:57 UTC
Waiting for bug 1866554 to be verified.

Comment 5 Wenjing Zheng 2020-08-31 14:04:19 UTC
Verified with this upgrade path: 4.1.41->4.2.36->4.3.33->4.4.18->4.5.0-0.nightly-2020-08-29-080432
$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.5.0-0.nightly-2020-08-29-080432   True        False         5m32s   Cluster version is 4.5.0-0.nightly-2020-08-29-080432
$ oc -n openshift-image-registry get -o jsonpath='{.spec.template.spec.shareProcessNamespace}{"\n"}' deployment cluster-image-registry-operator
true

Comment 7 errata-xmlrpc 2020-09-08 10:54:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.5.8 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:3510