Bug 1948232

Summary: DNS operator performs spurious updates in response to API's defaulting of daemonset's maxSurge and service's ipFamilies and ipFamilyPolicy fields
Product: OpenShift Container Platform Reporter: Miciah Dashiel Butler Masters <mmasters>
Component: NetworkingAssignee: Miciah Dashiel Butler Masters <mmasters>
Networking sub component: DNS QA Contact: Arvind iyengar <aiyengar>
Status: CLOSED ERRATA Docs Contact:
Severity: medium    
Priority: medium CC: aiyengar, aos-bugs
Version: 4.8   
Target Milestone: ---   
Target Release: 4.8.0   
Hardware: Unspecified   
OS: Unspecified   
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-07-27 22:58:59 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Miciah Dashiel Butler Masters 2021-04-10 23:02:16 UTC
Description of problem:

When the DNS operator creates or updates the DNS daemonset and service, the API sets default values for the service's ipFamilies and ipFamilyPolicy fields and for the daemonset's maxSurge field, which the operator detects as external updates and attempts to revert.  The operator should not update the daemonset or service in response to API defaulting.

Version-Release number of selected component (if applicable):

Kubernetes 1.21 and OpenShift 4.8 add the maxSurge field for daemonsets and enable the "IPv6Dualstack" feature gate, which causes the API to set default values for the ipFamilies and ipFamilyPolicy fields.  

How reproducible:


Steps to Reproduce:

1. Launch a new cluster.

2. Check the DNS operator's logs:

    oc -n openshift-dns-operator logs deploy/dns-operator -c dns-operator

Actual results:

The DNS operator's logs have "updated dns daemonset" and "updated dns service" repeated over and over.  For example, in this CI run, I see "updated dns daemonset" and "updated dns service" each 118 times: https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/origin-ci-test/pr-logs/pull/openshift_cluster-dns-operator/262/pull-ci-openshift-cluster-dns-operator-master-e2e-aws-operator/1380942156755111936/artifacts/e2e-aws-operator/gather-extra/artifacts/pods/openshift-dns-operator_dns-operator-6c5bdf6f68-gwxm7_dns-operator.log

Expected results:

The DNS operator should ignore updates by the API that only set default values, and the operator should not log "updated dns daemonset" or "updated dns service" unless the objects are updated outside of API defaulting.  For example, in this CI run from the release-4.7 branch, I see "updated dns daemonset" 1 time and "updated dns service" 0 times: https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/origin-ci-test/pr-logs/pull/openshift_cluster-dns-operator/250/pull-ci-openshift-cluster-dns-operator-release-4.7-e2e-aws-operator/1380592335993180160/artifacts/e2e-aws-operator/gather-extra/artifacts/pods/openshift-dns-operator_dns-operator-559658f664-bzkds_dns-operator.log

Comment 2 Arvind iyengar 2021-05-03 10:02:11 UTC
Verified in "4.8.0-0.nightly-2021-04-30-201824". With this payload, it is noted that there are no more unwanted updated logs for the DNS daemonset or the service:
oc get clusterversion     
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.8.0-0.nightly-2021-04-30-201824   True        False         34m     Cluster version is 4.8.0-0.nightly-2021-04-30-201824

oc -n openshift-dns-operator logs deployment.apps/dns-operator -c dns-operator | grep -i "updated dns daemonset" | wc -l
oc -n openshift-dns-operator logs deployment.apps/dns-operator -c dns-operator | grep -i "updated dns service" | wc -l

Comment 5 errata-xmlrpc 2021-07-27 22:58:59 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.