Description of problem: When a multi-master deployment has updated the context of the openshiftLoopbackKubeconfig to avoid traversing the load-balancer deployer pods attempt to contact the master using the updated hostname. Version-Release number of selected component (if applicable): 3.1.1.6 How reproducible: Everytime Steps to Reproduce: 1. Block node -> master traffic on port 8443 2. Install a native HA install using openshift-ansible 3. Update /etc/origin/master/openshift-master.kubeconfig with a new cluster, context and updating the current-context for directly connecting to itself rather than the clustered hostname. 4. Initiate a deployment Actual results: deployer pod fails attempting to contact the master directly rather than through the load balancer, causing the request to fail/timeout. Expected results: The deployer pod should contact the master over the internal clustered hostname and the deployment should succeed. Additional info:
I discussed this with deads2k and liggitt on #openshift-dev about this. The deployer pod should be using a serviceaccount and dns for config rather than the ENV variables injected from the openshiftLoopbackKubeconfig like it currently is.The deployment should be successful
I agree with David and Jordan's assessment. The cited deployer code predates the user of service accounts and was never updated when SAs were introduced.
https://github.com/openshift/origin/pull/7197
Since this bug is OSE's bug, could you please provide the puddle or package version. thanks.
Still waiting for https://github.com/openshift/origin/pull/7197 to be incorporated into OSE. Once I have a tag containing the fix, I'll update the bz and clear the needinfo. Thanks!
Steps for updating the context: > oc config view Take note of the name value of the user listed under users, it will start with 'system:admin/' > oc config set-cluster --certificate-authority=/etc/origin/master/ca.crt \ --embed-certs=true --server=https://<openshift_hostname>:<api port> \ my_loopback_cluster --config=/etc/origin/master/openshift-master.kubeconfig > oc config set-context --cluster=my_loopback_cluster --namespace=default \ --user=<system admin name> my_loopback_context \ --config=/etc/origin/master/openshift-master.kubeconfig > oc config use-context my_loopback_context \ --config=/etc/origin/master/openshift-master.kubeconfig
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2016:1064