Bug 2142902

Summary: Disable Liveness container in csi pods
Product: [Red Hat Storage] Red Hat OpenShift Data Foundation Reporter: Madhu Rajanna <mrajanna>
Component: rookAssignee: Madhu Rajanna <mrajanna>
Status: CLOSED ERRATA QA Contact: Daniel Osypenko <dosypenk>
Severity: high Docs Contact:
Priority: unspecified    
Version: 4.10CC: kbg, kramdoss, muagarwa, nberry, ocs-bugs, odf-bz-bot, rcyriac, sheggodu, tnielsen
Target Milestone: ---   
Target Release: ODF 4.10.10   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: 4.10.10-1 Doc Type: Bug Fix
Doc Text:
Previously, services running without the TLS was problematic if security was the main concern for the customers. This was because a Liveness sidecar container deployed with the CSI pods to check if CSI dirver is responding appropriately or not, was running without TLS. With this fix, Liveness container in all Ceph CSI pods are disabled and as a result, no service is running in Ceph CSI pods without TLS, and one less container in Ceph CSI pods.
 Story Points: ---
Clone Of: 2142901 Environment:
Last Closed: 2023-02-20 15:40:44 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2142901    
Bug Blocks:    

Description Madhu Rajanna 2022-11-15 12:44:45 UTC 
+++ This bug was initially created as a clone of Bug #2142901 +++

Description of problem (please be detailed as possible and provide log
snippets):


liveness container in the cephfs provisioner and daemonset pods exposes HTTP ports to serve the metrics endpoints. We have two problems with it

1. The Metrics exposed on the HTTP port without TLS. This will be problematic for the customers as its a security problem
2. No one is consuming these metrics, and it was there only for the debugging purpose, and it was not helpful for the admins/users.

Version of all relevant components (if applicable):


Does this issue impact your ability to continue to work with the product
(please explain in detail what is the user impact)?


Is there any workaround available to the best of your knowledge?

No

Rate from 1 - 5 the complexity of the scenario you performed that caused this
bug (1 - very simple, 5 - very complex)?


Can this issue reproducible?

Yes

Can this issue reproduce from the UI?

Deploy ODF

If this is a regression, please provide more details to justify this:


Steps to Reproduce:
1. Deploy ODF
2. Check liveness container running on csi pods
3. On the node where daemonset pods are running the host port 9080 and 9081 are opened and used.


Expected results:

The liveness sidecar container should be disabled in all csi pods and cephcsi should not use 9080 and 9081 ports on the host.

Additional info:
Comment 6 Madhu Rajanna 2022-12-15 07:58:32 UTC 
https://github.com/red-hat-storage/rook/pull/429 is already backported to 4.10
Comment 12 Daniel Osypenko 2023-01-10 09:23:15 UTC 
verified that container 'liveness-prometheus' is not running on any csi pod

OC version:
Client Version: 4.12.0-202208031327
Kustomize Version: v4.5.4
Server Version: 4.11.0-0.nightly-2023-01-07-041900
Kubernetes Version: v1.24.6+5658434

OCS verison:
ocs-operator.v4.11.4              OpenShift Container Storage   4.11.4    ocs-operator.v4.11.3              Succeeded

Cluster version
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.11.0-0.nightly-2023-01-07-041900   True        False         9h      Cluster version is 4.11.0-0.nightly-2023-01-07-041900

Rook version:
rook: v4.11.4-0.96e324244ec878d70194179a2892ec7193f6b591
go: go1.17.12

Ceph version:
ceph version 16.2.8-84.el8cp (c2980f2fd700e979d41b4bad2939bb90f0fe435c) pacific (stable)
Comment 20 errata-xmlrpc 2023-02-20 15:40:44 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat OpenShift Data Foundation 4.10.10 Bug Fix Update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:0827