Bug 1977129

Summary: openshift-installer: remove runlevel from openshift-kubevirt-infra namespace
Product: OpenShift Container Platform
Component: Installer
Installer sub component: openshift-installer
Reporter: Mark Cooper <mcooper>
Assignee: Aditya Narayanaswamy <anarayan>
QA Contact: Jianli Wei <jiwei>
Status: CLOSED ERRATA
Severity: low
Priority: low
CC: anarayan
Version: 4.9
Target Milestone: ---
Target Release: 4.9.0
Hardware: Unspecified
OS: Unspecified
Last Closed: 2021-10-18 17:36:56 UTC
Type: Bug

Description Mark Cooper 2021-06-29 02:51:03 UTC
Version: release-4.9

$ openshift-install version
bin/openshift-install unreleased-master-4672-g2a0d2f4c36f5cebc2d516f6d834c294d6a593a7f-dirty
built from commit 2a0d2f4c36f5cebc2d516f6d834c294d6a593a7f
release image registry.ci.openshift.org/origin/release:4.8

Platform: kubevirt IPI

What happened?

`openshift-installer` sets the label `run-level: "1"` on the namespace `openshift-kubevirt-infra` [1]. 

[1] https://github.com/openshift/installer/blob/7c4226b0867a62d98956865f287959f91bb92707/data/data/manifests/bootkube/openshift-kubevirt-infra-namespace.yaml#L8

What did you expect to happen?

This label is no longer required. Using the runlevel means that any pod specified in the ns will bypass SCC controls. It may have been required <4.6 due to the significant start times of components waiting for the openshift-apiserver. But since 4.6 this delay has been all but removed.

Also supporting this are the other relevant on-prem component namespaces:
 - https://github.com/openshift/machine-config-operator/pull/2627
 - https://bugzilla.redhat.com/show_bug.cgi?id=1805488

Comment 3 Jianli Wei 2021-08-04 06:23:07 UTC
Recreated the issue using 4.9.0-0.nightly-2021-07-30-014522 and then verified the issue using 4.9.0-0.nightly-2021-08-04-025616. Mark as verified, thanks!

[fedora@preserve-jiwei ~]$ mkdir work
[fedora@preserve-jiwei ~]$ curl https://openshift-release-artifacts.apps.ci.l2s4.p1.openshiftapps.com/4.9.0-0.nightly-2021-07-30-014522/openshift-install-linux-4.9.0-0.nightly-2021-07-30-014522.tar.gz -o openshift-install-linux-4.9.0-0.nightly-2021-07-30-014522.tar.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 99.4M  100 99.4M    0     0   152M      0 --:--:-- --:--:-- --:--:--  152M
[fedora@preserve-jiwei ~]$ tar zxvf openshift-install-linux-4.9.0-0.nightly-2021-07-30-014522.tar.gz
README.md
openshift-install
[fedora@preserve-jiwei ~]$ openshift-install version
openshift-install 4.9.0-0.nightly-2021-07-30-014522
built from commit 8d54dd48ffefd14a77b2233d265be0ab1aa037e9
release image registry.ci.openshift.org/ocp/release@sha256:7588bf948aebfb1baa77a4a0a51041dd2c307b89567fc8ce71367a74143d9d02
[fedora@preserve-jiwei ~]$ openshift-install create install-config --dir=work
? SSH Public Key /home/fedora/.ssh/id_rsa.pub
? Platform gcp
INFO Credentials loaded from file "/home/fedora/.gcp/osServiceAccount.json"
? Project ID OpenShift QE (openshift-qe)
? Region us-west1
? Base Domain qe.gcp.devcluster.openshift.com
? Cluster Name jiwei-cluster13
? Pull Secret [? for help] ***************************************************************************************************************************************************INFO Install-Config created in: work              *******************************************************************
[fedora@preserve-jiwei ~]$ openshift-install create manifests --dir=work
INFO Credentials loaded from file "/home/fedora/.gcp/osServiceAccount.json"
INFO Consuming Install Config from target directory
INFO Manifests created in: work/manifests and work/openshift
[fedora@preserve-jiwei ~]$ ls work/manifests/ -l
total 76
-rw-r-----. 1 fedora fedora  169 Aug  4 06:06 04-openshift-machine-config-operator.yaml
-rw-r-----. 1 fedora fedora  175 Aug  4 06:06 cloud-controller-uid-config.yml
-rw-r-----. 1 fedora fedora  518 Aug  4 06:06 cloud-provider-config.yaml
-rw-r-----. 1 fedora fedora  971 Aug  4 06:06 cluster-config.yaml
-rw-r-----. 1 fedora fedora  259 Aug  4 06:06 cluster-dns-02-config.yml
-rw-r-----. 1 fedora fedora  651 Aug  4 06:06 cluster-infrastructure-02-config.yml
-rw-r-----. 1 fedora fedora  181 Aug  4 06:06 cluster-ingress-02-config.yml
-rw-r-----. 1 fedora fedora 7923 Aug  4 06:06 cluster-network-01-crd.yml
-rw-r-----. 1 fedora fedora  272 Aug  4 06:06 cluster-network-02-config.yml
-rw-r-----. 1 fedora fedora  142 Aug  4 06:06 cluster-proxy-01-config.yaml
-rw-r-----. 1 fedora fedora  171 Aug  4 06:06 cluster-scheduler-02-config.yml
-rw-r-----. 1 fedora fedora  199 Aug  4 06:06 cvo-overrides.yaml
-rw-r-----. 1 fedora fedora  118 Aug  4 06:06 kube-cloud-config.yaml
-rw-r-----. 1 fedora fedora 1304 Aug  4 06:06 kube-system-configmap-root-ca.yaml
-rw-r-----. 1 fedora fedora 4086 Aug  4 06:06 machine-config-server-tls-secret.yaml
-rw-r-----. 1 fedora fedora 4197 Aug  4 06:06 openshift-config-secret-pull-secret.yaml
-rw-r-----. 1 fedora fedora  201 Aug  4 06:06 openshift-kubevirt-infra-namespace.yaml
[fedora@preserve-jiwei ~]$ cat work/manifests/openshift-kubevirt-infra-namespace.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: openshift-kubevirt-infra
  annotations:
    openshift.io/node-selector: ""
  labels:
    name: openshift-kubevirt-infra
    openshift.io/run-level: "1"
[fedora@preserve-jiwei ~]$ 
[fedora@preserve-jiwei ~]$ rm -f openshift-install-linux-4.9.0-0.nightly-2021-07-30-014522.tar.gz openshift-install
[fedora@preserve-jiwei ~]$ mkdir work
[fedora@preserve-jiwei ~]$ curl https://openshift-release-artifacts.apps.ci.l2s4.p1.openshiftapps.com/4.9.0-0.nightly-2021-08-04-025616/openshift-install-linux-4.9.0-0.nightly-2021-08-04-025616.tar.gz -o openshift-install-linux-4.9.0-0.nightly-2021-08-04-025616.tar.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 99.4M  100 99.4M    0     0   139M      0 --:--:-- --:--:-- --:--:--  139M
[fedora@preserve-jiwei ~]$ tar zxvf openshift-install-linux-4.9.0-0.nightly-2021-08-04-025616.tar.gz
README.md
openshift-install
[fedora@preserve-jiwei ~]$ openshift-install version
openshift-install 4.9.0-0.nightly-2021-08-04-025616
built from commit 4f3d8ba657cb9447f065a4e48b078be6376593e1
release image registry.ci.openshift.org/ocp/release@sha256:5583c60aae499629853d0f0a8be86a407cefb9689a6d0621192eebfba02448e6
[fedora@preserve-jiwei ~]$ openshift-install create install-config --dir=work
? SSH Public Key /home/fedora/.ssh/id_rsa.pub
? Platform gcp
INFO Credentials loaded from file "/home/fedora/.gcp/osServiceAccount.json" 
? Project ID OpenShift QE (openshift-qe)
? Region us-west1
? Base Domain qe.gcp.devcluster.openshift.com
? Cluster Name jiwei-cluster13
? Pull Secret [? for help] ***************************************************************************************************************************************************INFO Install-Config created in: work              *******************************************************************
[fedora@preserve-jiwei ~]$ openshift-install create manifests --dir=work
INFO Credentials loaded from file "/home/fedora/.gcp/osServiceAccount.json" 
INFO Consuming Install Config from target directory 
INFO Manifests created in: work/manifests and work/openshift 
[fedora@preserve-jiwei ~]$ ls work/manifests/ -l
total 76
-rw-r-----. 1 fedora fedora  169 Aug  4 06:17 04-openshift-machine-config-operator.yaml
-rw-r-----. 1 fedora fedora  175 Aug  4 06:17 cloud-controller-uid-config.yml
-rw-r-----. 1 fedora fedora  518 Aug  4 06:17 cloud-provider-config.yaml
-rw-r-----. 1 fedora fedora  971 Aug  4 06:17 cluster-config.yaml
-rw-r-----. 1 fedora fedora  259 Aug  4 06:17 cluster-dns-02-config.yml
-rw-r-----. 1 fedora fedora  651 Aug  4 06:17 cluster-infrastructure-02-config.yml
-rw-r-----. 1 fedora fedora  181 Aug  4 06:17 cluster-ingress-02-config.yml
-rw-r-----. 1 fedora fedora 7923 Aug  4 06:17 cluster-network-01-crd.yml
-rw-r-----. 1 fedora fedora  272 Aug  4 06:17 cluster-network-02-config.yml
-rw-r-----. 1 fedora fedora  142 Aug  4 06:17 cluster-proxy-01-config.yaml
-rw-r-----. 1 fedora fedora  171 Aug  4 06:17 cluster-scheduler-02-config.yml
-rw-r-----. 1 fedora fedora  199 Aug  4 06:17 cvo-overrides.yaml
-rw-r-----. 1 fedora fedora  118 Aug  4 06:17 kube-cloud-config.yaml
-rw-r-----. 1 fedora fedora 1304 Aug  4 06:17 kube-system-configmap-root-ca.yaml
-rw-r-----. 1 fedora fedora 4086 Aug  4 06:17 machine-config-server-tls-secret.yaml
-rw-r-----. 1 fedora fedora 4197 Aug  4 06:17 openshift-config-secret-pull-secret.yaml
-rw-r-----. 1 fedora fedora  169 Aug  4 06:17 openshift-kubevirt-infra-namespace.yaml
[fedora@preserve-jiwei ~]$ cat work/manifests/openshift-kubevirt-infra-namespace.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: openshift-kubevirt-infra
  annotations:
    openshift.io/node-selector: ""
  labels:
    name: openshift-kubevirt-infra
[fedora@preserve-jiwei ~]$
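
The manual check in Comment 3 (generate the manifests, then read the namespace file) can be scripted so that a `run-level` label on a namespace is caught before install. This is an added example, not part of the bug report or the installer's code; `find_runlevel_namespaces`, `write_samples` and the file name `ns.yaml` are hypothetical, and the sample manifest is the one shown in Comment 3.

```shell
#!/bin/sh
# Added example: report Namespace manifests carrying the openshift.io/run-level label.
# Assumes installer-style YAML (2-space indent, one key per line); not a full YAML parser.
# Prints one line per finding; returns 1 if any Namespace has the label, else 0.
find_runlevel_namespaces() {
    findings=$(
        for f in "$1"/*.yaml "$1"/*.yml; do
            [ -f "$f" ] || continue
            awk '
                function report() {
                    if (kind == "Namespace" && level != "")
                        printf "%s: namespace %s sets openshift.io/run-level=%s\n", FILENAME, name, level
                    kind = ""; name = ""; level = ""; section = ""
                }
                /^---/        { report(); next }      # next YAML document
                /^[A-Za-z]/   { section = "" }        # new top-level key
                /^kind:/      { kind = $2 }
                /^  [A-Za-z]/ { section = $1 }        # metadata child: name, labels, annotations
                /^  name:/    { name = $2 }
                section == "labels:" && $1 == "openshift.io/run-level:" {
                    level = $2; gsub(/"/, "", level)
                }
                END { report() }
            ' "$f"
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Writes the namespace manifest from Comment 3 as it looked before and after the fix.
write_samples() {
    mkdir -p "$1/before" "$1/after"
    cat > "$1/before/ns.yaml" <<'EOF'
apiVersion: v1
kind: Namespace
metadata:
  name: openshift-kubevirt-infra
  annotations:
    openshift.io/node-selector: ""
  labels:
    name: openshift-kubevirt-infra
    openshift.io/run-level: "1"
EOF
    sed '/run-level/d' "$1/before/ns.yaml" > "$1/after/ns.yaml"
}

# Usage: sh check-runlevel.sh work/manifests
if [ "$#" -gt 0 ]; then find_runlevel_namespaces "$1"; fi
```

Run against `work/manifests` after `openshift-install create manifests`, a non-zero exit status means at least one namespace manifest still sets the label.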

Comment 6 errata-xmlrpc 2021-10-18 17:36:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:3759