Bug 1966410
| Field | Value |
|---|---|
| Summary | kube-controller-manager should not trigger APIRemovedInNextReleaseInUse alert |
| Product | OpenShift Container Platform |
| Component | kube-controller-manager |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | high |
| Version | 4.8 |
| Target Release | 4.8.0 |
| Hardware | Unspecified |
| OS | Unspecified |
| Reporter | Stefan Schimanski <sttts> |
| Assignee | Maciej Szulik <maszulik> |
| QA Contact | Xingxing Xia <xxia> |
| CC | alegrand, anpicker, aos-bugs, erooth, hongyli, juzhao, kakkoyun, kewang, lcosic, mbukatov, mfojtik, pkrupa, surbania, xxia, yinzhou |
| Keywords | Reopened |
| Doc Type | No Doc Update |
| Clone Of | 1947719 |
| Bug Blocks | 1947719 |
| Last Closed | 2021-07-27 23:10:38 UTC |
Description
Stefan Schimanski
2021-06-01 06:05:24 UTC
In QE CI env that runs many cases (created many projects for the cases), checked not only KCM, but also below kube-system:namespace-controller:

```
$ MASTERS=`oc get no | grep master | grep -o '^[^ ]*'`
$ for i in $MASTERS; do oc debug no/$i -- chroot /host bash -c "grep -hE '"'"k8s.io/removed-release":"[^"]+"'"' /var/log/kube-apiserver/audit*.log" ; done > all.log
$ grep '"k8s.io/removed-release":"1.22"' all.log > 1.22.log
$ jq -r '.user.username+": "+.requestURI' 1.22.log | sed 's/=[0-9][^&]*/=***/g' | sort | uniq -c | sort -n > 1.22.removed.apis
$ cat 1.22.removed.apis | grep -v kube-controller-manager
      2 system:serviceaccount:kube-system:namespace-controller: /apis/extensions/v1beta1/namespaces/01ptm/ingresses
      2 system:serviceaccount:kube-system:namespace-controller: /apis/extensions/v1beta1/namespaces/05mpl/ingresses
      2 system:serviceaccount:kube-system:namespace-controller: /apis/extensions/v1beta1/namespaces/0hqei/ingresses
      2 system:serviceaccount:kube-system:namespace-controller: /apis/extensions/v1beta1/namespaces/0t7dk/ingresses
...snipped, totally 352 lines...
```

Checked the PR code and verified in 4.8.0-0.nightly-2021-06-14-145150:

Positive testing: Checking env, comment 1 still exists, and kube-controller-manager still accesses ingresses.v1beta1.extensions. Given this, the Alerting page does not show APIRemovedInNextReleaseInUse alert in Firing or Pending state. This means the alert already excludes KCM.

Negative testing:

```
OAS_SA_TOKEN=`oc sa get-token openshift-apiserver-sa -n openshift-apiserver`
oc login --token "$OAS_SA_TOKEN"
for i in {1..100}; do oc get ingresses.v1beta1.extensions; done
```

And checking metrics:

```
sum by(system_client) (rate(apiserver_request_total{resource="ingresses",version="v1beta1"}[4h]))
```

there is one item with empty system_client. Given this, the Alerting page now shows APIRemovedInNextReleaseInUse alert in Firing or Pending state. This means the alert still works.
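The audit-log triage done with grep, jq and sed in the comment above, as an added Python example that is not part of the original bug report or of OpenShift's code. The sample events are constructed (only the namespace-controller service account and the 01ptm ingress path come from the page), and the function names are hypothetical.

```python
import json
import re
from collections import Counter

REMOVED_KEY = "k8s.io/removed-release"
NUMERIC_PARAM = re.compile(r"=[0-9][^&]*")  # same pattern as the sed expression

def removed_api_usage(lines, release="1.22"):
    """Count (username, masked requestURI) for events annotated as removed in `release`."""
    counts = Counter()
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or truncated line, e.g. at a log rotation boundary
        if not isinstance(event, dict):
            continue
        if (event.get("annotations") or {}).get(REMOVED_KEY) != release:
            continue
        user = (event.get("user") or {}).get("username", "")
        # Mask resourceVersion/timeout values so repeated watches collapse to one row.
        uri = NUMERIC_PARAM.sub("=***", event.get("requestURI", ""))
        counts[(user, uri)] += 1
    return counts

def without_client(counts, client="kube-controller-manager"):
    """Drop callers whose username contains `client`, like `grep -v` in the comment."""
    return {key: n for key, n in counts.items() if client not in key[0]}

def _event(user, uri, release=None):
    # Constructed sample event; real audit events carry many more fields.
    ann = {REMOVED_KEY: release} if release else {}
    return json.dumps({"user": {"username": user}, "requestURI": uri, "annotations": ann})

KCM = "system:kube-controller-manager"
NS_CTRL = "system:serviceaccount:kube-system:namespace-controller"
WATCH = "/apis/extensions/v1beta1/ingresses?resourceVersion=%d&timeout=7m&watch=true"
SAMPLE_LINES = [  # constructed input, not taken from a real cluster
    _event(KCM, WATCH % 1201, "1.22"),
    _event(KCM, WATCH % 98765, "1.22"),
    _event(NS_CTRL, "/apis/extensions/v1beta1/namespaces/01ptm/ingresses", "1.22"),
    _event(NS_CTRL, "/apis/extensions/v1beta1/namespaces/01ptm/ingresses", "1.22"),
    _event(NS_CTRL, "/api/v1/namespaces/01ptm/pods"),  # not a removed API
    '{"user":{"username":"system:kube-contr',  # truncated line
]

if __name__ == "__main__":
    for (user, uri), n in sorted(removed_api_usage(SAMPLE_LINES).items(), key=lambda kv: kv[1]):
        print(f"{n:7d} {user}: {uri}")
```

Filtering the result through `without_client` leaves only the callers that would still need attention once kube-controller-manager is excluded, which on this sample is the namespace-controller service account.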
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438