Bug 1951853

Summary: dnses.operator.openshift.io resource's spec.nodePlacement.tolerations godoc incorrectly describes default behavior
Product: OpenShift Container Platform
Reporter: Miciah Dashiel Butler Masters <mmasters>
Component: Networking
Assignee: Miciah Dashiel Butler Masters <mmasters>
Networking sub component: DNS
QA Contact: jechen <jechen>
Status: CLOSED ERRATA
Severity: low
Priority: low
CC: aos-bugs, hongli
Version: 4.8
Target Milestone: ---
Target Release: 4.8.0
Hardware: Unspecified
OS: Unspecified
Last Closed: 2021-07-27 23:02:18 UTC
Type: Bug

Description Miciah Dashiel Butler Masters 2021-04-21 01:13:14 UTC
Description of problem:

The godoc for the dnses.operator.openshift.io resource's spec.nodePlacement.tolerations field incorrectly states that the default value is an empty list of tolerations.

In fact, by default, the operator sets a toleration for the "node-role.kubernetes.io/master" taint, and the daemon controller adds some tolerations as well.  This default value is desirable so that pods on master nodes have local DNS pods, and also so that the cluster has DNS pods even if worker nodes are all unavailable at once.


Version-Release number of selected component (if applicable):

4.8.0-0.ci-2021-04-20-220659


How reproducible:

100%


Steps to Reproduce:

1. oc explain dnses.spec.nodePlacement.tolerations --api-version=operator.openshift.io/v1


Actual results:

    DESCRIPTION:
         tolerations is a list of tolerations applied to DNS pods. The default is an
         empty list. This default is subject to change. See
         https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
    
         The pod this Toleration is attached to tolerates any taint that matches the
         triple <key,value,effect> using the matching operator <operator>.



Expected results:

The documentation should give the actual default that the operator sets, namely a toleration for the existence of the "node-role.kubernetes.io/master" taint.

In addition, the documentation should mention that the daemon controller injects some default tolerations.

Finally, the documentation should include a warning against changing this default.

Comment 2 Miciah Dashiel Butler Masters 2021-06-02 14:01:20 UTC
Still need to vendor the change in cluster-dns-operator.

Comment 4 jechen 2021-06-10 23:57:42 UTC
Verified in 4.8.0-0.nightly-2021-06-10-210437 

$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.8.0-0.nightly-2021-06-10-210437   True        False         91m     Cluster version is 4.8.0-0.nightly-2021-06-10-210437


$ oc explain dnses.spec.nodePlacement.tolerations --api-version=operator.openshift.io/v1
KIND:     DNS
VERSION:  operator.openshift.io/v1

RESOURCE: tolerations <[]Object>

DESCRIPTION:
     tolerations is a list of tolerations applied to DNS pods. If empty, the
     operator sets a toleration for the "node-role.kubernetes.io/master" taint.
     This default is subject to change. Specifying tolerations without including
     a toleration for the "node-role.kubernetes.io/master" taint may be risky as
     it could lead to an outage if all worker nodes become unavailable. Note
     that the daemon controller adds some tolerations as well. See
     https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/

     The pod this Toleration is attached to tolerates any taint that matches the
     triple <key,value,effect> using the matching operator <operator>.
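
The outage risk named in the corrected godoc can be checked before a DNS operator config is applied. The Go code below is an added example, not code from cluster-dns-operator or from this bug's participants; it follows the standard Kubernetes toleration matching rules. The type and function names, the `NoSchedule` effect on the master taint, and the sample tolerations are assumptions, and tolerations added by the daemon controller are not modeled.

```go
package main

import "fmt"

// Toleration and Taint carry only the fields that matter for matching.
type Toleration struct{ Key, Operator, Value, Effect string }
type Taint struct{ Key, Value, Effect string }

// MasterTaint is the taint named in the godoc. The NoSchedule effect and the
// empty value are assumptions of this example.
var MasterTaint = Taint{Key: "node-role.kubernetes.io/master", Effect: "NoSchedule"}

// Tolerates applies the Kubernetes matching rules: an empty effect or key on
// the toleration matches any effect or key; "Exists" ignores the value;
// "Equal" (also the default when the operator is empty) compares values.
func Tolerates(tol Toleration, taint Taint) bool {
	if tol.Effect != "" && tol.Effect != taint.Effect {
		return false
	}
	if tol.Key != "" && tol.Key != taint.Key {
		return false
	}
	switch tol.Operator {
	case "Exists":
		return true
	case "", "Equal":
		return tol.Value == taint.Value
	}
	return false
}

// DNSPodsReachMasters reports whether DNS pods configured with the given
// spec.nodePlacement.tolerations can still be scheduled on master nodes.
// An empty list is safe because the operator then sets its own default
// toleration for the master taint.
func DNSPodsReachMasters(specTolerations []Toleration) bool {
	if len(specTolerations) == 0 {
		return true
	}
	for _, tol := range specTolerations {
		if Tolerates(tol, MasterTaint) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample: a custom list that only tolerates an infra taint.
	custom := []Toleration{{Key: "node-role.kubernetes.io/infra", Operator: "Exists"}}
	fmt.Println(DNSPodsReachMasters(nil), DNSPodsReachMasters(custom))
}
```

A `false` result marks a config in which DNS pods depend entirely on worker nodes, which is the situation the godoc describes as risky.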

Comment 7 errata-xmlrpc 2021-07-27 23:02:18 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438