Bug 1948551

Summary: apiserver-watcher should run in a privileged namespace
Product: OpenShift Container Platform Reporter: Stefan Schimanski <sttts>
Component: Machine Config OperatorAssignee: Luis Sanchez <sanchezl>
Machine Config Operator sub component: Machine Config Operator QA Contact: Deepak Punia <dpunia>
Status: CLOSED ERRATA Docs Contact:
Severity: high    
Priority: high CC: aojeagar, aos-bugs, dpunia, kgarriso, mfojtik, mkrejci, rioliu, sanchezl, skumari, surbania, wking, xxia
Version: 4.9   
Target Milestone: ---   
Target Release: 4.11.z   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-08-29 06:46:55 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2078945, 2079097    
Bug Blocks:    

Description Stefan Schimanski 2021-04-12 12:25:42 UTC 
Description of problem:

Aapiserver-watcher is run in kube-system. This makes it hard to know to which component it belongs:

"kube-system/apiserver-watcher-ci-ln-zf7lprk-f76d1-k9v4x-master-0"
"kube-system/apiserver-watcher-ci-ln-zf7lprk-f76d1-k9v4x-master-1"
"kube-system/apiserver-watcher-ci-ln-zf7lprk-f76d1-k9v4x-master-2"

Version-Release number of selected component (if applicable):

4.8

How reproducible:

always

Steps to Reproduce:

install a cluster and checks pods in kube-system namespace

Actual results:


Expected results:

pod in openshift-machine-config-operator
Comment 1 Yu Qi Zhang 2021-04-13 03:13:52 UTC 
Reassigning to Casey to see if that's intended, as he implemented the original watcher
Comment 2 Casey Callendrello 2021-04-20 13:48:59 UTC 
The problem is how to roll the change out: MCD can't delete files.

So, we need to drop a dummy / noop file in the existing static pod so that it "goes away". Then we can stop rendering the file after a few releases.
Comment 3 Casey Callendrello 2021-07-12 11:33:16 UTC 
My initial analysis was incorrect; but we do need to stage this rollout. Specifically, 4.9 needs to support a lockfile, because static pod upgrades are not "atomic".

So, filed https://github.com/openshift/machine-config-operator/pull/2674 to add locking to 4.9. Then, in 4.10, we can finally re-namespace this pod.
Comment 9 Sinny Kumari 2022-06-24 09:39:10 UTC 
All the associated PRs has been merged. Should this bug be moved to ON_QA?
Comment 13 errata-xmlrpc 2022-08-29 06:46:55 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.11.2 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:6143