Bug 1876791

Summary: Rebase CSI sidecars for 4.6
Product: OpenShift Container Platform
Reporter: Jan Safranek <jsafrane>
Component: Storage
Assignee: Jan Safranek <jsafrane>
Storage sub component: Kubernetes External Components
QA Contact: Qin Ping <piqin>
Status: CLOSED ERRATA
Docs Contact:
Severity: medium
Priority: unspecified
CC: aos-bugs, cjanisze
Version: 4.6
Target Milestone: ---
Target Release: 4.6.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-10-27 16:38:28 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Jan Safranek 2020-09-08 07:53:21 UTC
Rebase these CSI sidecars to final upstream 1.19 versions:

- external-attacher: https://github.com/openshift/csi-external-attacher/pull/22
- external-provisioner: https://github.com/openshift/csi-external-provisioner/pull/31
- node-driver-registrar: https://github.com/openshift/csi-node-driver-registrar/pull/21
- external-resizer: https://github.com/openshift/csi-external-resizer/pull/112 
- external-snapshotter: waiting for upstream release, will be done in a separate BZ

Right now, we have various release candidates present in OCP 4.6, which may make their maintenance difficult.

Comment 1 Jan Safranek 2020-09-08 08:47:31 UTC
Created https://bugzilla.redhat.com/show_bug.cgi?id=1876810 to track the external-snapshotter.

Comment 2 Jan Safranek 2020-09-09 13:36:20 UTC
Rebase of the external-provisioner causes fsType of provisioned PVs to be empty. We need to fix AWS EBS CSI driver operator to restore the fsType: https://bugzilla.redhat.com/show_bug.cgi?id=1876791

Comment 3 Jan Safranek 2020-09-09 13:37:14 UTC
Correction: We need to fix AWS EBS CSI driver operator to restore the fsType: https://github.com/openshift/aws-ebs-csi-driver-operator/pull/89

Comment 6 Qin Ping 2020-09-11 05:23:44 UTC
Looks like PR: https://github.com/openshift/csi-external-provisioner/pull/31/files makes the manila csi driver controllers not work.

Cannot provide PVC; getting the following error from the csi-provisioner container:
E0911 02:27:36.082246       1 reflector.go:127] k8s.io/client-go/informers/factory.go:134: Failed to watch *v1.VolumeAttachment: failed to list *v1.VolumeAttachment: volumeattachments.storage.k8s.io is forbidden: User "system:serviceaccount:openshift-manila-csi-driver:manila-csi-driver-controller-sa" cannot list resource "volumeattachments" in API group "storage.k8s.io" at the cluster scope

$ oc get clusterrolebindings manila-controller-privileged-binding -oyaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: "2020-09-11T01:11:56Z"
  managedFields:
  - apiVersion: rbac.authorization.k8s.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:roleRef:
        f:apiGroup: {}
        f:kind: {}
        f:name: {}
      f:subjects: {}
    manager: csi-driver-manila-operator
    operation: Update
    time: "2020-09-11T01:11:56Z"
  name: manila-controller-privileged-binding
  resourceVersion: "7251"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/manila-controller-privileged-binding
  uid: fee81456-b416-4911-bdd4-00f7c6512d54
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: manila-privileged-role
subjects:
- kind: ServiceAccount
  name: manila-csi-driver-controller-sa
  namespace: openshift-manila-csi-driver

$ oc get clusterrole manila-privileged-role -oyaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: "2020-09-11T01:11:55Z"
  managedFields:
  - apiVersion: rbac.authorization.k8s.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:rules: {}
    manager: csi-driver-manila-operator
    operation: Update
    time: "2020-09-11T01:11:55Z"
  name: manila-privileged-role
  resourceVersion: "7238"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/manila-privileged-role
  uid: 341346b4-cb11-4ada-8e2c-016f02a6ad2e
rules:
- apiGroups:
  - security.openshift.io
  resourceNames:
  - privileged
  resources:
  - securitycontextconstraints
  verbs:
  - use
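
The denial in Comment 6 can be reproduced offline from the role it quotes. The following added example (not part of the bug report or of any OpenShift component) evaluates the quoted ClusterRole's rules against the list and watch requests an informer makes; `HYPOTHETICAL_SIDECAR_RULE` is a constructed illustration, not the fix that was merged, and only the one binding shown in the comment is considered.

```python
# Rules transcribed from the `oc get clusterrole manila-privileged-role` output in Comment 6.
MANILA_PRIVILEGED_ROLE = [
    {"apiGroups": ["security.openshift.io"], "resourceNames": ["privileged"],
     "resources": ["securitycontextconstraints"], "verbs": ["use"]},
]

# Hypothetical additional rule (constructed; not the operator's actual fix).
HYPOTHETICAL_SIDECAR_RULE = {
    "apiGroups": ["storage.k8s.io"], "resources": ["volumeattachments"],
    "verbs": ["get", "list", "watch"],
}

# A client-go informer lists and then watches, so both verbs are required.
REQUIRED = [
    ("storage.k8s.io", "volumeattachments", "list"),
    ("storage.k8s.io", "volumeattachments", "watch"),
]


def _in(allowed, value):
    """RBAC list match: '*' matches anything, otherwise exact membership."""
    return "*" in allowed or value in allowed


def rule_allows(rule, api_group, resource, verb, name=""):
    """Return True if one PolicyRule permits the request."""
    if not (_in(rule.get("verbs", []), verb)
            and _in(rule.get("apiGroups", []), api_group)
            and _in(rule.get("resources", []), resource)):
        return False
    names = rule.get("resourceNames", [])
    # A rule limited by resourceNames cannot match an unnamed request
    # such as a cluster-wide list.
    return not names or name in names


def missing_permissions(rules, required):
    """Return the (group, resource, verb) requests that no rule permits."""
    return [req for req in required
            if not any(rule_allows(r, *req) for r in rules)]


if __name__ == "__main__":
    cases = (("as shipped", MANILA_PRIVILEGED_ROLE),
             ("with added rule", MANILA_PRIVILEGED_ROLE + [HYPOTHETICAL_SIDECAR_RULE]))
    for label, rules in cases:
        print(label, "->", missing_permissions(rules, REQUIRED) or "all granted")
```

Running the same check against the roles bound to each sidecar's service account before a rebase surfaces new informer requirements on platforms that have no CI coverage.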

Comment 7 Jan Safranek 2020-09-11 12:32:17 UTC
Good catch with Manila RBAC bug! We don't have CI for Manila, so please re-test it manually. Similar issues should be caught by CI for AWS and most probably for oVirt too (it's quite unstable due to resource restrictions).

Comment 9 Qin Ping 2020-09-15 03:23:58 UTC
Verified with: 4.6.0-0.nightly-2020-09-12-164537

Comment 10 Martin André 2020-09-17 14:57:01 UTC
*** Bug 1879222 has been marked as a duplicate of this bug. ***

Comment 12 errata-xmlrpc 2020-10-27 16:38:28 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196