Bug 1912888

Summary: recycler template should be moved to KCM operator
Product: OpenShift Container Platform
Component: Storage
Storage sub component: Storage
Reporter: Fabio Bertinatto <fbertina>
Assignee: Fabio Bertinatto <fbertina>
QA Contact: Wei Duan <wduan>
Status: CLOSED ERRATA
Severity: high
Priority: unspecified
CC: aos-bugs
Version: 4.7
Target Release: 4.7.0
Hardware: Unspecified
OS: Unspecified
Doc Type: No Doc Update
Last Closed: 2021-02-24 15:49:43 UTC
Type: Bug
Bug Blocks: 1913030

Description Fabio Bertinatto 2021-01-05 14:11:53 UTC
In order to resolve bug 1896226 and remove the templates from master nodes, the KCM operator needs to render the templates itself so that KCM can use them accordingly.

Comment 3 Wei Duan 2021-01-08 07:51:24 UTC
Verified pass on 4.7.0-0.nightly-2021-01-07-181010
@Fabio, before changing the status, could you help confirm if I missed something? Also, I understand it will bring any side-impact for the upgrade.

1. On master node:
sh-4.4# ls -l /etc/kubernetes/recycler-pod.yaml 
-rw-r--r--. 1 root root 699 Jan  8 03:16 /etc/kubernetes/recycler-pod.yaml

2. Check CM 
$ oc get cm recycler-config -n openshift-kube-controller-manager
NAME              DATA   AGE
recycler-config   1      4h49m

3. Check nfs recycler works
openshift-infra                                    recycler-for-pv-nfs                                       0/1     Pending     0          0s
openshift-infra                                    recycler-for-pv-nfs                                       0/1     Pending     0          0s
openshift-infra                                    recycler-for-pv-nfs                                       0/1     ContainerCreating   0          0s
openshift-infra                                    recycler-for-pv-nfs                                       0/1     ContainerCreating   0          2s
openshift-infra                                    recycler-for-pv-nfs                                       0/1     Completed           0          3s
openshift-infra                                    recycler-for-pv-nfs                                       0/1     Terminating         0          3s
openshift-infra                                    recycler-for-pv-nfs                                       0/1     Terminating         0          3s


[wduan@MINT ~]$ oc -n openshift-infra get pod recycler-for-pv-nfs -o yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: "2021-01-08T07:02:11Z"
spec:
  activeDeadlineSeconds: 300
  containers:
  - args:
    - -c
    - test -e /scrub && rm -rf /scrub/..?* /scrub/.[!.]* /scrub/*  && test -z "$(ls -A /scrub)" || exit 1
    command:
    - /bin/bash
    image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:b622a9cc4513ff1e1e5b973d0870398a1a8d840e4f28a4e74cd0bf8a194fd447
    imagePullPolicy: IfNotPresent
    name: recycler-container
    resources: {}
    securityContext:
      runAsUser: 0
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /scrub
      name: vol
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: pv-recycler-controller-token-bn2sp
      readOnly: true
  dnsPolicy: ClusterFirst
  enableServiceLinks: true
  imagePullSecrets:
  - name: pv-recycler-controller-dockercfg-nkmvn
  nodeName: wduan-0108a-mwgzt-worker-0
  preemptionPolicy: PreemptLowerPriority
  priority: 0
  restartPolicy: Never
  schedulerName: default-scheduler
  securityContext: {}
  serviceAccount: pv-recycler-controller
  serviceAccountName: pv-recycler-controller
  terminationGracePeriodSeconds: 30
  tolerations:
  - effect: NoExecute
    key: node.kubernetes.io/not-ready
    operator: Exists
    tolerationSeconds: 300
  - effect: NoExecute
    key: node.kubernetes.io/unreachable
    operator: Exists
    tolerationSeconds: 300
  volumes:
  - name: vol
    nfs:
      path: /
      server: 172.30.31.67
  - name: pv-recycler-controller-token-bn2sp
    secret:
      defaultMode: 420
      secretName: pv-recycler-controller-token-bn2sp
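
The scrub command in the recycler pod's args above relies on three globs to delete every entry, hidden ones included, before the volume is handed to the next claim. The following is an added example, not part of the bug report or of OpenShift's code: it runs the same command against a temporary directory instead of the /scrub mount, and the function names and sample file names are constructed for illustration.

```shell
#!/bin/sh
# Added example (assumption: run in a POSIX sh or bash, like the pod's /bin/bash).

# scrub_dir DIR: same logic as the pod's args, parameterised on DIR.
# Returns 0 only if DIR exists and is empty afterwards.
scrub_dir() {
    d=$1
    #   ..?*    names starting with ".." plus at least one more character
    #   .[!.]*  names starting with "." followed by a non-dot character
    #   *       every name that does not start with "."
    # Together they match every entry except "." and "..".
    # A glob with no match stays literal; rm -f ignores the missing path.
    test -e "$d" && rm -rf "$d"/..?* "$d"/.[!.]* "$d"/* \
        && test -z "$(ls -A "$d")" || return 1
}

# make_sample_volume: builds a constructed volume with awkward names
# (dotfiles, a name that looks like an option, spaces) and prints its path.
make_sample_volume() {
    v=$(mktemp -d) || return 1
    touch "$v/data.txt" "$v/.hidden" "$v/..two-dots" "$v/...three" \
          "$v/-rf" "$v/name with spaces"
    mkdir -p "$v/.cache/nested" "$v/dir/sub"
    touch "$v/dir/sub/.deep"
    printf '%s\n' "$v"
}

# scrub_demo: returns 0 if the scrub leaves the volume empty and the
# mount point itself still exists.
scrub_demo() {
    vol=$(make_sample_volume) || return 1
    scrub_dir "$vol" || { rm -rf "$vol"; return 1; }
    test -d "$vol" && test -z "$(ls -A "$vol")"
    rc=$?
    rmdir "$vol"
    return $rc
}

scrub_demo && echo "constructed volume scrubbed clean"
```

The trailing `test -z "$(ls -A ...)"` is what turns a partial delete into a failed recycle: if any entry survives, the command exits non-zero instead of reporting the volume as clean.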

Comment 4 Fabio Bertinatto 2021-01-08 14:22:41 UTC
@Wei I think your evaluation is correct, except for step 1: the recycler template should be projected in the /etc/kubernetes/static-pod-resources/configmaps/ directory in the KCM operator pod.

Comment 5 Fabio Bertinatto 2021-01-08 18:19:14 UTC
@Wei, just to clarify, the template you found on the master node (/etc/kubernetes/recycler-pod.yaml) was placed there by machine-config-operator, and we plan to remove it once the PR above is backported to 4.6.

Comment 6 Wei Duan 2021-01-11 06:45:25 UTC
Thanks @Fabio, I changed status to VERIFIED.

$ oc rsh kube-controller-manager-ip-10-0-195-233.us-west-2.compute.internal
Defaulting container name to kube-controller-manager.
Use 'oc describe pod/kube-controller-manager-ip-10-0-195-233.us-west-2.compute.internal -n openshift-kube-controller-manager' to see all of the containers in this pod.

sh-4.4# ls /etc/kubernetes/static-pod-resources/configmaps/recycler-config/recycler-pod.yaml 
/etc/kubernetes/static-pod-resources/configmaps/recycler-config/recycler-pod.yaml

Comment 9 errata-xmlrpc 2021-02-24 15:49:43 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633