Bug 2100033
Summary: | OCP 4.11 IPI - Some csr remain "Pending" post deployment | ||
---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | pdsilva |
Component: | Cloud Compute | Assignee: | Karthik K N <kabhat> |
Cloud Compute sub component: | Cloud Controller Manager | QA Contact: | pdsilva |
Status: | CLOSED ERRATA | Docs Contact: | |
Severity: | high | ||
Priority: | unspecified | CC: | mkumatag |
Version: | 4.11 | ||
Target Milestone: | --- | ||
Target Release: | 4.11.0 | ||
Hardware: | ppc64le | ||
OS: | Linux | ||
Last Closed: | 2022-08-10 11:19:11 UTC | Type: | Bug |
Description
pdsilva
2022-06-22 08:44:54 UTC
Serving certs not being approved likely means that the IPs Kubelet is reporting do not match the IPs that the Machine API Provider is reporting, I would suggest looking at the machine-approver logs to be certain

Yeah, on debugging this I made the following observations

cluster-machine-approver logs

    I0621 06:49:29.065796 1 controller.go:121] Reconciling CSR: csr-zwsfb
    I0621 06:49:29.105553 1 csr_check.go:157] csr-zwsfb: CSR does not appear to be client csr
    E0621 06:49:29.110604 1 csr_check.go:420] csr-zwsfb: IP address '192.168.0.81' not in machine addresses:
    I0621 06:49:29.113715 1 controller.go:233] csr-zwsfb: CSR not authorized

1. It's a server csr request, for it to approve csr it has a few conditions to meet (https://github.com/openshift/cluster-machine-approver#node-server-csr-approval-workflow)
2. One of these is to match machine internalIP with csr request IP
3. Currently machine does not have the InternalIP set

    karthikkn@Karthiks-MacBook-Pro .ssh % oc -n openshift-machine-api describe machine rdr-kn24-f9jtx-master-0
    Status:
      Addresses:
        Address:  rdr-kn24-f9jtx7mkm5-ks54l
        Type:     InternalDNS

4. But CSR expects this

    karthikkn@Karthiks-MacBook-Pro karthik-openshift-workspace % oc describe csr csr-zwsfb
    Name:               csr-zwsfb
    Labels:             <none>
    Annotations:        <none>
    CreationTimestamp:  Mon, 20 Jun 2022 15:07:31 +0530
    Requesting User:    system:node:rdr-kn24-f9jtx7mkm5-ks54l
    Signer:             kubernetes.io/kubelet-serving
    Status:             Pending
    Subject:
      Common Name:    system:node:rdr-kn24-f9jtx7mkm5-ks54l
      Serial Number:
      Organization:   system:nodes
    Subject Alternative Names:
      DNS Names:     rdr-kn24-f9jtx7mkm5-ks54l
      IP Addresses:  192.168.0.81

So will be making the necessary changes in machine-api-provider Power VS to add required fields

Verified with OCP 4.11.0-rc.1
No Pending csr seen post deployment.

    # oc get clusterversion
    NAME      VERSION       AVAILABLE   PROGRESSING   SINCE   STATUS
    version   4.11.0-rc.1   True        False         6m2s    Cluster version is 4.11.0-rc.1

    # oc get csr
    NAME   AGE   SIGNERNAME   REQUESTOR   REQUESTEDDURATION   CONDITION
    csr-2ml94   37m   kubernetes.io/kube-apiserver-client-kubelet   system:serviceaccount:openshift-machine-config-operator:node-bootstrapper   <none>   Approved,Issued
    csr-9lwd8   36m   kubernetes.io/kubelet-serving   system:node:rdr-ipi-jl12-pravin-s-psmq6-master-1   <none>   Approved,Issued
    csr-9srxt   13m   kubernetes.io/kube-apiserver-client-kubelet   system:serviceaccount:openshift-machine-config-operator:node-bootstrapper   <none>   Approved,Issued
    csr-crnmx   36m   kubernetes.io/kubelet-serving   system:node:rdr-ipi-jl12-pravin-s-psmq6-master-2   <none>   Approved,Issued
    csr-dhq98   13m   kubernetes.io/kubelet-serving   system:node:rdr-ipi-jl12-pravin-s-psmq6-worker-9n9sk   <none>   Approved,Issued
    csr-dk5zd   37m   kubernetes.io/kube-apiserver-client-kubelet   system:serviceaccount:openshift-machine-config-operator:node-bootstrapper   <none>   Approved,Issued
    csr-gfwdg   14m   kubernetes.io/kube-apiserver-client-kubelet   system:serviceaccount:openshift-machine-config-operator:node-bootstrapper   <none>   Approved,Issued
    csr-nhp6p   13m   kubernetes.io/kube-apiserver-client-kubelet   system:serviceaccount:openshift-machine-config-operator:node-bootstrapper   <none>   Approved,Issued
    csr-nzb7d   13m   kubernetes.io/kubelet-serving   system:node:rdr-ipi-jl12-pravin-s-psmq6-worker-dkkvk   <none>   Approved,Issued
    csr-sjwct   36m   kubernetes.io/kubelet-serving   system:node:rdr-ipi-jl12-pravin-s-psmq6-master-0   <none>   Approved,Issued
    csr-w5jp7   14m   kubernetes.io/kubelet-serving   system:node:rdr-ipi-jl12-pravin-s-psmq6-worker-q75v6   <none>   Approved,Issued
    csr-w899t   37m   kubernetes.io/kube-apiserver-client-kubelet   system:serviceaccount:openshift-machine-config-operator:node-bootstrapper   <none>   Approved,Issued
    system:openshift:openshift-authenticator-2dhbp   34m   kubernetes.io/kube-apiserver-client   system:serviceaccount:openshift-authentication-operator:authentication-operator   <none>   Approved,Issued
    system:openshift:openshift-monitoring-7hnqf   33m   kubernetes.io/kube-apiserver-client   system:serviceaccount:openshift-monitoring:cluster-monitoring-operator   <none>   Approved,Issued

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Important: OpenShift Container Platform 4.11.0 bug fix and security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5069
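
The address comparison that left csr-zwsfb Pending, reduced to its core as an added Go example (not code from cluster-machine-approver or from anyone in this report). The MachineAddress type, the function names and the exact matching rule are assumptions for illustration; the CSR is a constructed stand-in that carries the SANs shown in the `oc describe csr` output above.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"net"
)

type MachineAddress struct{ Type, Address string } // one Machine .status.addresses entry (assumed shape)

// unmatchedSANs lists CSR SANs that no Machine address backs. Assumed rule: IP SANs need
// an InternalIP/ExternalIP entry, DNS SANs an InternalDNS/ExternalDNS/Hostname entry.
func unmatchedSANs(csr *x509.CertificateRequest, addrs []MachineAddress) []string {
	known := map[string]bool{}
	for _, a := range addrs {
		switch a.Type {
		case "InternalIP", "ExternalIP":
			if ip := net.ParseIP(a.Address); ip != nil {
				known["IP:"+ip.String()] = true // canonical text form
			}
		case "InternalDNS", "ExternalDNS", "Hostname":
			known["DNS:"+a.Address] = true
		}
	}
	var missing []string
	for _, ip := range csr.IPAddresses {
		if k := "IP:" + ip.String(); !known[k] {
			missing = append(missing, k)
		}
	}
	for _, n := range csr.DNSNames {
		if k := "DNS:" + n; !known[k] {
			missing = append(missing, k)
		}
	}
	return missing
}

// reportCSR is a constructed stand-in for the parsed CSR csr-zwsfb (SANs from the report).
func reportCSR() *x509.CertificateRequest {
	return &x509.CertificateRequest{DNSNames: []string{"rdr-kn24-f9jtx7mkm5-ks54l"},
		IPAddresses: []net.IP{net.ParseIP("192.168.0.81")}}
}

func main() {
	addrs := []MachineAddress{{"InternalDNS", "rdr-kn24-f9jtx7mkm5-ks54l"}}
	fmt.Println("InternalDNS only:", unmatchedSANs(reportCSR(), addrs))
	addrs = append(addrs, MachineAddress{"InternalIP", "192.168.0.81"})
	fmt.Println("with InternalIP: ", unmatchedSANs(reportCSR(), addrs))
}
```

A non-empty result corresponds to the "not in machine addresses" rejection in the approver log; once the provider reports an InternalIP on the Machine, the list is empty.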