Bug 1994461
| Summary: | drop-icmp pod fails with error: You must be logged in to the server (Unauthorized) | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | oarribas <oarribas> |
| Component: | Networking | Assignee: | mcambria <mcambria> |
| Networking sub component: | openshift-sdn | QA Contact: | zhaozhanqi <zzhao> |
| Status: | CLOSED WORKSFORME | Docs Contact: | |
| Severity: | unspecified | ||
| Priority: | unspecified | CC: | aconstan, gvanderp, oarribas |
| Version: | 4.6 | Keywords: | ServiceDeliveryImpact |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-12-17 13:55:15 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Description of problem:

After updating to an OCP release that includes the `drop-icmp` container in the `sdn` pod, one or several `drop-icmp` containers fail with `error: You must be logged in to the server (Unauthorized)`. The network clusteroperator is degraded.

Version-Release number of selected component (if applicable):

4.6.37+
4.7.18+

How reproducible:

Always

Steps to Reproduce:

1. Execute an `oc login` within a node, with a user that cannot get pods from the `openshift-sdn` namespace.
2. Restart the `sdn` pod in that node.
3. Check the `drop-icmp` container in that `sdn` pod.

Actual results:

The `drop-icmp` container fails when trying to execute the `oc observe pods -n openshift-sdn -l app=sdn -a '{ .status.hostIP }' -- /var/run/add_iptables.sh`, as it's using the `/root/.kube/config` generated by the `oc login`, without permissions for the `oc observe` in the `openshift-sdn` namespace.

Expected results:

The `drop-icmp` container should not use the `/root/.kube/config` file to be able to start.

Additional info:

~~~
$ oc get co network -o yaml
[...]
status:
  conditions:
  - lastTransitionTime: '2021-08-01T01:01:59Z'
    message: 'DaemonSet "openshift-sdn/sdn" rollout is not making progress - pod sdn-xxxxx is in CrashLoopBackOff State DaemonSet "openshift-sdn/sdn" rollout is not making progress - last change 2021-08-01T01:00:24Z'
    reason: RolloutHung
    status: 'True'
    type: Degraded
[...]

$ oc get pods -n openshift-sdn -o wide
[...]
sdn-xxxxx 2/3 Running 72 20m 172.0.0.1 node
[...]

$ oc logs -n openshift-sdn -c drop-icmp sdn-xxxxx
[...]
2021-08-01T01:01:59.858068835Z + oc observe pods -n openshift-sdn -l app=sdn -a '{ .status.hostIP }' -- /var/run/add_iptables.sh
2021-08-01T01:01:59.975123335Z Flag --argument has been deprecated, and will be removed in a future release. Use --template instead.
2021-08-01T01:02:00.033301633Z error: You must be logged in to the server (Unauthorized)
~~~
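The failure reported above comes down to which credential source the `oc` client picks first. The following is an added example, not code from this bug report or from OpenShift: a simplified model of the kubectl/oc lookup order (`KUBECONFIG`, else `$HOME/.kube/config`, else the pod's service account token), with hypothetical function names `credential_source` and `sa_shadowed`, that flags the case where a kubeconfig file shadows the service account.

```shell
#!/bin/sh
# Added example (not from the bug report). Simplified model of the client
# lookup order: KUBECONFIG list, else $HOME/.kube/config, else in-cluster token.
# The default token path is the standard Kubernetes service account mount.
SA_TOKEN_DEFAULT=/var/run/secrets/kubernetes.io/serviceaccount/token

# Print "kubeconfig:<file>", "serviceaccount:<file>" or "none".
credential_source() {
    sa_token="${1:-$SA_TOKEN_DEFAULT}"
    if [ -n "${KUBECONFIG:-}" ]; then
        # KUBECONFIG is a colon-separated list; missing files are skipped.
        old_ifs=$IFS; IFS=:
        for f in $KUBECONFIG; do
            if [ -s "$f" ]; then
                IFS=$old_ifs
                echo "kubeconfig:$f"
                return 0
            fi
        done
        IFS=$old_ifs
    elif [ -s "${HOME}/.kube/config" ]; then
        # Default location, e.g. the file written by an earlier `oc login`.
        echo "kubeconfig:${HOME}/.kube/config"
        return 0
    fi
    # No kubeconfig found: the client falls back to in-cluster credentials.
    if [ -r "$sa_token" ]; then
        echo "serviceaccount:$sa_token"
        return 0
    fi
    echo "none"
    return 1
}

# Succeeds when a service account token is mounted but a kubeconfig would be
# used instead, which is the condition described in this bug.
sa_shadowed() {
    sa_token="${1:-$SA_TOKEN_DEFAULT}"
    [ -r "$sa_token" ] || return 1
    case "$(credential_source "$sa_token")" in
        kubeconfig:*) return 0 ;;
        *) return 1 ;;
    esac
}
```

Run inside the affected container, `sa_shadowed && credential_source` prints the kubeconfig path that takes precedence over the pod's own token.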