Bug 2009233

| Field | Value | Field | Value |
|---|---|---|---|
| Summary | ACM policy object generated by PolicyGen conflicting with OLM Operator | | |
| Product | OpenShift Container Platform | Reporter | Juan Manuel Parrilla Madrid <jparrill> |
| Component | Telco Edge | Assignee | Ian Miller <imiller> |
| Telco Edge sub component | ZTP | QA Contact | yliu1 |
| Status | CLOSED ERRATA | Docs Contact | |
| Severity | high | | |
| Priority | unspecified | CC | mcornea, tmulquee |
| Version | 4.8 | | |
| Target Milestone | --- | | |
| Target Release | 4.10.0 | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Doc Text | (see below) | | |
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | 2022-03-10 16:14:44 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | | | |
| Bug Blocks | 2025082 | | |

Doc Text:
Cause: The generated policy has complianceType "mustonlyhave". Any metadata that OLM adds to the CR is then reverted when the policy engine restores the "desired" state of the CR.
Consequence: OLM and the policy engine continuously overwrite the metadata of the CR under conflict, resulting in high CPU use.
Fix: Change the default complianceType to "musthave".
Result: OLM and the policy engine no longer conflict; CPU use returns to baseline.
Description
Juan Manuel Parrilla Madrid
2021-09-30 08:35:30 UTC
Patching the ACM policy with "complianceType: musthave" is a temporary workaround that you can apply, but if you modify the repo this will be overridden by the hooks.

Hey folks, this is also happening with PVCs:

Error on the policy:
```yaml
- eventName: vz-wc-lab-policies.vz-wc-lab-image-registry-policy.16ab6a5510dab516
  lastTimestamp: "2021-10-07T05:40:23Z"
  message: 'NonCompliant; violation - Error updating the object `registry-storage`,
    the error is `Operation cannot be fulfilled on persistentvolumeclaims "registry-storage":
    the object has been modified; please apply your changes to the latest version
    and try again`; notification - configs [cluster] found as specified, therefore
    this Object template is compliant'
- eventName: vz-wc-lab-policies.vz-wc-lab-image-registry-policy.16aba20db2e6167c
  lastTimestamp: "2021-10-07T05:35:06Z"
  message: "NonCompliant; violation - Error updating the object `registry-storage`,
    the error is `PersistentVolumeClaim \"registry-storage\" is invalid: spec:
    Forbidden: spec is immutable after creation except resources.requests for
    bound claims\n core.PersistentVolumeClaimSpec{\n \tAccessModes: {\"ReadWriteOnce\"},\n
    \ \tSelector: nil,\n \tResources: {Requests: {s\"storage\":
    {i: {...}, s: \"100Gi\", Format: \"BinarySI\"}}},\n- \tVolumeName: \"\",\n+
    \tVolumeName: \"local-pv-b908200e\",\n \tStorageClassName: nil,\n \tVolumeMode:
    \ &\"Filesystem\",\n \tDataSource: nil,\n }\n`; notification
    - configs [cluster] found as specified, therefore this Object template is
    compliant"
- eventName: vz-wc-lab-policies.vz-wc-lab-image-registry-policy.16ab6a5510dab516
  lastTimestamp: "2021-10-07T05:10:08Z"
  message: 'NonCompliant; violation - Error updating the object `registry-storage`,
    the error is `Operation cannot be fulfilled on persistentvolumeclaims "registry-storage":
    the object has been modified; please apply your changes to the latest version
    and try again`; notification - configs [cluster] found as specified, therefore
    this Object template is compliant'
```
This is the object that the policy wants to enforce:

```yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  annotations:
    volume.beta.kubernetes.io/storage-class: fs-lso
  creationTimestamp: "2021-10-06T10:04:09Z"
  finalizers:
  - kubernetes.io/pvc-protection
  name: registry-storage
  namespace: openshift-image-registry
  resourceVersion: "1623757"
  uid: 36578f14-2c57-4e46-b116-8aabedf759ed
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 100Gi
  volumeMode: Filesystem
  volumeName: local-pv-b908200e
status:
  accessModes:
  - ReadWriteOnce
  capacity:
    storage: 100Gi
  phase: Bound
```
This is the object that the other operator wants to apply:

```yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  annotations:
    pv.kubernetes.io/bind-completed: "yes"
    volume.beta.kubernetes.io/storage-class: fs-lso
  creationTimestamp: "2021-10-06T10:04:09Z"
  finalizers:
  - kubernetes.io/pvc-protection
  name: registry-storage
  namespace: openshift-image-registry
  resourceVersion: "1623757"
  uid: 36578f14-2c57-4e46-b116-8aabedf759ed
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 100Gi
  volumeMode: Filesystem
  volumeName: local-pv-b908200e
status:
  accessModes:
  - ReadWriteOnce
  capacity:
    storage: 100Gi
  phase: Bound
```
We currently don't have a formal test env to test ZTP for 4.10 nightly at the moment. Marking it as verified to unblock the merge to 4.9, and will verify this change in 4.9.

Reopening. Further testing showed there is still excess CPU use.

Doc Text would be helpful in documenting this in the 4.10 release notes. Please supply.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHSA-2022:0056
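The Cause/Fix in the Doc Text (complianceType "mustonlyhave" versus "musthave") and the PVC pair the reporter posted can be exercised with the following Python model. This is an added example, not code from the bug report, from PolicyGen or from the ACM configuration-policy controller. The reconcile semantics are an assumption that simplifies the controller: "musthave" is modelled as "every templated field is present with the stated value, extra fields are tolerated", and "mustonlyhave" as "the live object is rewritten to the template plus server-owned metadata and status". The template, the live object, the bind controller that re-adds `pv.kubernetes.io/bind-completed` and `spec.volumeName`, and the immutable-spec rejection are all constructed from the objects and errors quoted above; the function names (`desired_update`, `simulate`, and so on) are this example's own.

```python
# Added example: a simplified model (an assumption, not ACM's real code) of how
# an ACM ConfigurationPolicy template is reconciled under complianceType
# "musthave" versus "mustonlyhave", using the PVC pair quoted in the bug.
import copy

# Constructed from the report: what the generated policy declares.  Neither
# spec.volumeName nor the bind-completed annotation is in the template; the
# storage controllers write both after the claim is bound.
TEMPLATE = {
    "apiVersion": "v1",
    "kind": "PersistentVolumeClaim",
    "metadata": {"name": "registry-storage", "namespace": "openshift-image-registry",
                 "annotations": {"volume.beta.kubernetes.io/storage-class": "fs-lso"}},
    "spec": {"accessModes": ["ReadWriteOnce"],
             "resources": {"requests": {"storage": "100Gi"}},
             "volumeMode": "Filesystem"},
}
# Metadata the API server owns; always carried over from the live object.
SERVER_OWNED = ("uid", "resourceVersion", "creationTimestamp", "finalizers")


def contains(want, have):
    """musthave test: every key/value in `want` is in `have`; extras are tolerated."""
    if isinstance(want, dict):
        return isinstance(have, dict) and all(
            k in have and contains(v, have[k]) for k, v in want.items())
    if isinstance(want, list):
        return isinstance(have, list) and all(
            any(contains(w, h) for h in have) for w in want)
    return want == have


def deep_merge(base, overlay):
    """Return `base` with `overlay` applied on top, recursing into dicts."""
    out = copy.deepcopy(base)
    for key, val in overlay.items():
        if isinstance(val, dict) and isinstance(out.get(key), dict):
            out[key] = deep_merge(out[key], val)
        else:
            out[key] = copy.deepcopy(val)
    return out


def desired_update(template, live, compliance_type):
    """Object the policy engine would write, or None when `live` is compliant."""
    if compliance_type == "musthave":
        return None if contains(template, live) else deep_merge(live, template)
    if compliance_type == "mustonlyhave":
        # Drop everything the template does not list, except server-owned metadata
        # and status: that strips the bind-completed annotation and leaves
        # spec.volumeName unset, which is the immutable-spec rejection in the report.
        desired = copy.deepcopy(template)
        for key in SERVER_OWNED:
            if key in live["metadata"]:
                desired["metadata"][key] = copy.deepcopy(live["metadata"][key])
        if "status" in live:
            desired["status"] = copy.deepcopy(live["status"])
        return None if desired == live else desired
    raise ValueError(f"unknown complianceType {compliance_type!r}")


def bind_controller(obj):
    """The other writer: after binding, the PV controller records the volume and
    marks binding complete.  Idempotent, so it is safe to call every round."""
    obj = copy.deepcopy(obj)
    obj["metadata"].setdefault("annotations", {})["pv.kubernetes.io/bind-completed"] = "yes"
    obj["spec"]["volumeName"] = "local-pv-b908200e"
    return obj


def api_server_update(live, desired):
    """PVC admission rule quoted in the report: spec is immutable after creation."""
    if desired["spec"] != live["spec"]:
        raise PermissionError("spec is immutable after creation")
    return copy.deepcopy(desired)


def initial_live():
    """Bound PVC as the API server holds it (values taken from the report)."""
    live = copy.deepcopy(TEMPLATE)
    live["metadata"].update({"uid": "36578f14-2c57-4e46-b116-8aabedf759ed",
                             "resourceVersion": "1623757",
                             "creationTimestamp": "2021-10-06T10:04:09Z",
                             "finalizers": ["kubernetes.io/pvc-protection"]})
    live["status"] = {"phase": "Bound", "accessModes": ["ReadWriteOnce"],
                      "capacity": {"storage": "100Gi"}}
    return bind_controller(live)


def simulate(compliance_type, rounds=10):
    """Count policy-engine write attempts over `rounds` reconcile loops; the bind
    controller re-asserts its fields after every loop, closing the feedback loop."""
    live = initial_live()
    writes = rejected = 0
    for _ in range(rounds):
        desired = desired_update(TEMPLATE, live, compliance_type)
        if desired is not None:
            writes += 1
            try:
                live = api_server_update(live, desired)
            except PermissionError:
                rejected += 1
        live = bind_controller(live)
    return {"writes": writes, "rejected": rejected}
```

Running `simulate("mustonlyhave")` produces one write attempt per reconcile loop, every one of them rejected, because the desired object both drops the annotation and clears `spec.volumeName`; `simulate("musthave")` produces none, since every templated field is already present on the live claim. A steady stream of writes per policy per cluster, each rejected or immediately undone, is the CPU profile the bug describes; the same check is worth running against any generated policy whose object template omits fields another controller owns.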