Bug 1977383
| Summary: | [release-4.7][service-ca] In k8s 1.21 bump BoundServiceAccountTokenVolume is disabled by default | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Maru Newby <mnewby> |
| Component: | service-ca | Assignee: | Maru Newby <mnewby> |
| Status: | CLOSED ERRATA | QA Contact: | liyao |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 4.7 | CC: | aos-bugs, dhellmann, fdeutsch, kewang, maszulik, mfojtik, mitr, mnewby, sttts, surbania, wking, wlewis, xxia |
| Target Milestone: | --- | ||
| Target Release: | 4.7.z | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | No Doc Update | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | 1946479 | Environment: | |
| Last Closed: | 2021-07-26 17:35:21 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1946479 | ||
| Bug Blocks: | 1977179, 1977756 | ||
|
Comment 1
Maru Newby
2021-06-29 15:09:35 UTC
Moving this modified ahead of the followup test changes. I'll detach those from the bug and we'll merge them as a test only change without a bug. Tested in cluster 4.7.0-0.nightly-2021-07-07-214918
1. check configmap/openshift-service-ca.crt in every namespace, the test result is it's existed for each namespace
$ oc get configmap/openshift-service-ca.crt -n each_namespace
NAME DATA AGE
openshift-service-ca.crt 1 8m
2. check configmap/openshift-service-ca.crt is presented for new project
$ oc new-project mytest
$ oc get cm | grep openshift-service-ca.crt
openshift-service-ca.crt 1 57s
3. check pod creation during the upgrade process to 4.8.0-0.nightly-2021-07-04-112043
$ oc adm upgrade --to-image=registry.ci.openshift.org/ocp/release:4.8.0-0.nightly-2021-07-04-112043 --force=true --allow-explicit-upgrade=true
create pod 22 minutes later after upgrade start, test result shows pod is Running status and configMap "openshift-service-ca.crt" is presented
$ oc get pod postgresql-1-9jpqm -o json | jq .spec.volumes
[
{
"emptyDir": {},
"name": "data"
},
{
"name": "kube-api-access-grcr7",
"projected": {
"defaultMode": 420,
"sources": [
{
"serviceAccountToken": {
"expirationSeconds": 3607,
"path": "token"
}
},
{
"configMap": {
"items": [
{
"key": "ca.crt",
"path": "ca.crt"
}
],
"name": "kube-root-ca.crt"
}
},
{
"downwardAPI": {
"items": [
{
"fieldRef": {
"apiVersion": "v1",
"fieldPath": "metadata.namespace"
},
"path": "namespace"
}
]
}
},
{
"configMap": {
"items": [
{
"key": "service-ca.crt",
"path": "service-ca.crt"
}
],
"name": "openshift-service-ca.crt"
}
}
]
}
}
]
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.7.21 bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:2762 |