Red Hat Bugzilla – Bug 1306011
Deployer pods incorrectly using the host entry from openshiftLoopbackKubeconfig
Last modified: 2017-01-18 01:19:35 EST
Description of problem:
When a multi-master deployment has updated the context of the openshiftLoopbackKubeconfig to avoid traversing the load balancer, deployer pods attempt to contact the master using the updated hostname.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Block node -> master traffic on port 8443
2. Install a native HA install using openshift-ansible
3. Update /etc/origin/master/openshift-master.kubeconfig with a new cluster and context, and update the current-context so that the master connects directly to itself rather than to the clustered hostname.
4. Initiate a deployment
Deployer pod fails attempting to contact the master directly rather than through the load balancer, causing the request to fail/timeout.
The deployer pod should contact the master over the internal clustered hostname and the deployment should succeed.
I discussed this with deads2k and liggitt on #openshift-dev. The deployer pod should be using a serviceaccount and dns for config rather than the ENV variables injected from the openshiftLoopbackKubeconfig like it currently is. The deployment should be successful.
I agree with David and Jordan's assessment. The cited deployer code predates the use of service accounts and was never updated when SAs were introduced.
Since this bug is OSE's bug, could you please provide the puddle or package version? Thanks.
Still waiting for https://github.com/openshift/origin/pull/7197 to be incorporated into OSE. Once I have a tag containing the fix, I'll update the bz and clear the needinfo. Thanks!
Steps for updating the context:
> oc config view
Take note of the name value of the user listed under users; it will start with 'system:admin/'.
> oc config set-cluster --certificate-authority=/etc/origin/master/ca.crt \
--embed-certs=true --server=https://<openshift_hostname>:<api port> \
> oc config set-context --cluster=my_loopback_cluster --namespace=default \
--user=<system admin name> my_loopback_context \
> oc config use-context my_loopback_context \
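A way to confirm which API server the edited kubeconfig now resolves to, and whether that bypasses the load balancer, as an added example that is not part of the original bug report or of OpenShift's code. It assumes the kubeconfig has been exported as JSON (JSON is valid YAML, which is what kubeconfig files use); the hostnames, the `lb_cluster`/`lb_context` names and the user name are constructed placeholders.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: a kubeconfig, in JSON form, after the steps above.
# Hostnames and the lb_* / user names are placeholders, not values from the bug.
SAMPLE_KUBECONFIG = json.dumps({
    "current-context": "my_loopback_context",
    "clusters": [
        {"name": "lb_cluster",
         "cluster": {"server": "https://cluster-internal.example.com:8443"}},
        {"name": "my_loopback_cluster",
         "cluster": {"server": "https://master1.example.com:8443"}},
    ],
    "contexts": [
        {"name": "lb_context",
         "context": {"cluster": "lb_cluster", "user": "system:admin/lb"}},
        {"name": "my_loopback_context",
         "context": {"cluster": "my_loopback_cluster",
                     "namespace": "default", "user": "system:admin/lb"}},
    ],
})


def effective_server(kubeconfig_text, context_name=None):
    """Return the server URL a client built from this kubeconfig would use."""
    cfg = json.loads(kubeconfig_text)
    name = context_name or cfg.get("current-context")
    if not name:
        raise ValueError("kubeconfig has no current-context")
    contexts = {c["name"]: c["context"] for c in cfg.get("contexts") or []}
    clusters = {c["name"]: c["cluster"] for c in cfg.get("clusters") or []}
    if name not in contexts:
        raise ValueError(f"context {name!r} is not defined")
    cluster_name = contexts[name].get("cluster")
    if cluster_name not in clusters:
        raise ValueError(f"cluster {cluster_name!r} is not defined")
    return clusters[cluster_name]["server"]


def bypasses_load_balancer(kubeconfig_text, clustered_hostname):
    """True when the current-context points at a host other than the clustered one."""
    host = urlsplit(effective_server(kubeconfig_text)).hostname
    return host != clustered_hostname.lower()


if __name__ == "__main__":
    print(effective_server(SAMPLE_KUBECONFIG))
    print(bypasses_load_balancer(SAMPLE_KUBECONFIG, "cluster-internal.example.com"))
```

Any client that inherits its host from this file, as the deployer pods in this bug do, will go to the server printed first.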
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.