Bug 1884601
| Summary: | Drop kube-system role binding to extension-apiserver-authentication-reader (invalid to create role binding in kube-system by OLM) | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Jan Chaloupka <jchaloup> |
| Component: | kube-scheduler | Assignee: | Jan Chaloupka <jchaloup> |
| Status: | CLOSED ERRATA | QA Contact: | RamaKasturi <knarra> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 4.6 | CC: | aos-bugs, mfojtik |
| Target Milestone: | --- | ||
| Target Release: | 4.6.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-10-27 16:47:41 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Verified with csv below and i see that descheduler works fine. [knarra@knarra verification-tests]$ oc get csv -n openshift-kube-descheduler-operator NAME DISPLAY VERSION REPLACES PHASE clusterkubedescheduleroperator.4.6.0-202010061132.p0 Kube Descheduler Operator 4.6.0-202010061132.p0 Succeeded [knarra@knarra verification-tests]$ oc get clusterversion NAME VERSION AVAILABLE PROGRESSING SINCE STATUS version 4.6.0-0.nightly-2020-10-08-043318 True False 3h5m Cluster version is 4.6.0-0.nightly-2020-10-08-043318 Below are the steps followed to verify the bug: =============================================== 1) Install latest descheduler operator 2) Add strategies like RemovePodswithTooManyRestarts and see that pods are evicted. 3) Add strategies removeDuplicates with exclude ownerkinds as ReplicaSet and see that pods does not get evicted which has the owner as ReplicaSet 4) changed excludeOwnerkinds to DeploymentConfig and i see that pods get evicted as the owner is Replicaset In addition to the above did not see any errors in the link below http://external-ci-coldstorage.datahub.redhat.com/cvp/cvp-redhat-operator-bundle-image-validation-test/ose-cluster-kube-descheduler-operator-metadata-container-v4.6.0.202010061132.p0-9/f6a485c2-fab2-4813-baf6-af5ca908b4ca/operator-metadata-linting-bundle-image-output.txt -> All validations completed successfuly. http://external-ci-coldstorage.datahub.redhat.com/cvp/cvp-redhat-operator-bundle-image-validation-test/ose-cluster-kube-descheduler-operator-metadata-container-v4.6.0.202010061132.p0-9/f6a485c2-fab2-4813-baf6-af5ca908b4ca/cvp-test-report.html -> shows success Based on the above moving the bug to verified state. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:4196 |
time="2020-09-29T22:22:56Z" level=error msg="Error: Value openshift-kube-descheduler-operator: error validating object: metadata.namespace: Forbidden: not allowed on this type. &{map[apiVersion:rbac.authorization.k8s.io/v1 kind:RoleBinding metadata:map[name:openshift-kube-descheduler-operator namespace:kube-system] roleRef:map[apiGroup:rbac.authorization.k8s.io kind:Role name:extension-apiserver-authentication-reader] subjects:[map[kind:ServiceAccount name:openshift-descheduler namespace:openshift-kube-descheduler-operator]]]}" Your rolebinding is invalid because it specifies the "kube-system" namespace. OLM cannot create your rolebinding there, it is going to create it in your operator's namespace. That's probably what was already happening in 4.5, and probably what you want, but with the new linting you need to actually define it properly.