Bug 1428934 - Reserve kube[-*] and openshift[-*] namespaces
Summary: Reserve kube[-*] and openshift[-*] namespaces
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Cluster Version Operator
Version: 3.6.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: ---
Assignee: Scott Dodson
QA Contact: Anping Li
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-03-03 16:14 UTC by David Eads
Modified: 2022-03-13 14:13 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-10 05:18:47 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2017:1716 0 normal SHIPPED_LIVE Red Hat OpenShift Container Platform 3.6 RPM Release Advisory 2017-08-10 09:02:50 UTC

Description David Eads 2017-03-03 16:14:53 UTC
Upstream is reserving kube-* namespaces (kube-system and kube-public are notably already used).  We should do the same with openshift[-*] namespaces.

We need to prevent an upgrade to make sure we don't bump to a level that gives power to a namespace a user previously requested as their own.  This allows us to further restrict the set of namespaces to those that have the "openshift.io/requester" annotation set.

There is an open pull to add a check (https://github.com/openshift/openshift-ansible/pull/3535), but that needs wiring to prevent upgrades until those namespaces are resolved.

Comment 1 Scott Dodson 2017-05-09 13:02:47 UTC
This is done.

Comment 3 Anping Li 2017-05-12 03:17:34 UTC
What is the expected result of this feature during upgrade? 1 or 2?

1. The upgrade aborts when there are projects named kube-xxx or openshift-xxx
2. OCP 3.6 does not allow projects named kube-xxx or openshift-xxx


[root@openshift-214 ~]# oc new-project kube-test1
Error from server (Forbidden): project.project.openshift.io "kube-test1" is forbidden: cannot request a project starting with "kube-"
[root@openshift-214 ~]# oc new-project openshift-test1
Error from server (Forbidden): project.project.openshift.io "openshift-test1" is forbidden: cannot request a project starting with "openshift-"

Comment 4 Mo 2017-05-12 04:22:05 UTC
Both.

We do not let you upgrade from 3.5 to 3.6 with projects that violate this requirement.  The API server did not prevent their creation in 3.5.

In 3.6 the API server prevents their creation.

Comment 8 Anping Li 2017-05-15 01:25:24 UTC
In OCP 3.5, I created projects via 'oc new-project kube-test' & 'oc new-project openshift-test'.

After upgrading to OCP 3.6, I got the following message.
[root@openshift-214 ~]# oc new-project kube-test1
Error from server (Forbidden): project.project.openshift.io "kube-test1" is forbidden: cannot request a project starting with "kube-"
[root@openshift-214 ~]# oc new-project openshift-test1
Error from server (Forbidden): project.project.openshift.io "openshift-test1" is forbidden: cannot request a project starting with "openshift-"


I had expected the upgrade to abort, as there are the projects kube-test and openshift-test, but it didn't abort.

Can you confirm the requirement in comment 4 again? Shall we abort the upgrade playbook if there are projects named like 'kube-xx' and 'openshift-xxx' when we upgrade from v3.5 to 3.6?

Comment 9 Scott Dodson 2017-05-15 13:14:43 UTC
We'd only included the validator in the 3.5 playbook. I'll move it to ensure it's included on all upgrade playbooks.

Comment 11 Anping Li 2017-06-02 12:44:38 UTC
Openshift-ansible v3.6.92 works as expected. 

TASK [Check for invalid namespaces and SDN errors] *****************************
fatal: [openshift-214.lab.eng.nay.redhat.com]: FAILED! => {
    "changed": false, 
    "failed": true, 
    "results": {
        "namespaces that use reserved names and were not created by infrastructure components": [
            {
                "apiVersion": "v1", 
                "kind": "Namespace", 
                "metadata": {
                    "annotations": {
                        "openshift.io/description": "", 
                        "openshift.io/display-name": "", 
                        "openshift.io/requester": "system:admin", 
                        "openshift.io/sa.scc.mcs": "s0:c9,c4", 
                        "openshift.io/sa.scc.supplemental-groups": "1000080000/10000", 
                        "openshift.io/sa.scc.uid-range": "1000080000/10000"
                    }, 
                    "creationTimestamp": "2017-06-02T10:25:55Z", 
                    "name": "kube-test", 
                    "namespace": "", 
                    "resourceVersion": "3344", 
                    "selfLink": "/api/v1/namespaceskube-test", 
                    "uid": "dc505d60-477d-11e7-802e-fa163e66ca8d"
                }, 
                "spec": {
                    "finalizers": [
                        "openshift.io/origin", 
                        "kubernetes"
                    ]
                }, 
                "status": {
                    "phase": "Active"
                }
            }, 
            {
                "apiVersion": "v1", 
                "kind": "Namespace", 
                "metadata": {
                    "annotations": {
                        "openshift.io/description": "", 
                        "openshift.io/display-name": "", 
                        "openshift.io/requester": "system:admin", 
                        "openshift.io/sa.scc.mcs": "s0:c8,c7", 
                        "openshift.io/sa.scc.supplemental-groups": "1000070000/10000", 
                        "openshift.io/sa.scc.uid-range": "1000070000/10000"
                    }, 
                    "creationTimestamp": "2017-06-02T10:25:48Z", 
                    "name": "openshift-test", 
                    "namespace": "", 
                    "resourceVersion": "3306", 
                    "selfLink": "/api/v1/namespacesopenshift-test", 
                    "uid": "d8923248-477d-11e7-802e-fa163e66ca8d"
                }, 
                "spec": {
                    "finalizers": [
                        "openshift.io/origin", 
                        "kubernetes"
                    ]
                }, 
                "status": {
                    "phase": "Active"
                }
            }
        ]
    }, 
    "state": "list"
}

MSG:

All objects are not valid.  If you are a supported customer please contact Red Hat Support providing the complete output above. If you are not a customer please contact users.redhat.com for assistance.
	to retry, use: --limit @/usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/upgrades/v3_6/upgrade.retry

PLAY RECAP *********************************************************************
localhost                  : ok=13   changed=0    unreachable=0    failed=0
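The rule the description spells out and the failed task above illustrates (reserved name plus an "openshift.io/requester" annotation means a user, not an infrastructure component, asked for the namespace) can be reproduced as a small stand-alone pre-upgrade check. The block below is an added example written for this page; it is not the openshift-ansible validator linked in the description or any other code from the project. The namespace list it reads is a constructed sample shaped like `oc get namespaces -o json`, and the treatment of the bare names "kube" and "openshift" as reserved follows the title's `kube[-*]` / `openshift[-*]` pattern (the 3.6 API error in the thread only mentions the hyphenated prefixes, so that part is this example's reading).

```python
"""Pre-upgrade check for reserved namespace names (kube[-*], openshift[-*]).

Added example, not the openshift-ansible validator referenced in this bug.
It reproduces the rule from the description and comment 11: a namespace with
a reserved name is only a problem when it carries the "openshift.io/requester"
annotation, because that annotation marks it as requested by a user rather
than created by an infrastructure component.
"""
import json

RESERVED_ROOTS = ("kube", "openshift")
REQUESTER_ANNOTATION = "openshift.io/requester"

# Constructed sample shaped like the output of `oc get namespaces -o json`.
# It is not taken from the bug; the names were chosen to cover each case.
SAMPLE_NAMESPACE_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        # Infrastructure namespaces: reserved names, no requester annotation.
        {"kind": "Namespace", "metadata": {"name": "kube-system"}},
        {"kind": "Namespace", "metadata": {"name": "openshift-infra",
                                           "annotations": {"openshift.io/sa.scc.mcs": "s0:c1,c0"}}},
        # User-requested namespaces squatting on reserved names (must block).
        {"kind": "Namespace", "metadata": {"name": "kube-test",
                                           "annotations": {"openshift.io/requester": "system:admin"}}},
        {"kind": "Namespace", "metadata": {"name": "openshift-test",
                                           "annotations": {"openshift.io/requester": "developer"}}},
        # Near miss: "kube" is a prefix of the name, but "kube-" is not.
        {"kind": "Namespace", "metadata": {"name": "kubernetes-test",
                                           "annotations": {"openshift.io/requester": "developer"}}},
        # Ordinary user project, not reserved.
        {"kind": "Namespace", "metadata": {"name": "myapp",
                                           "annotations": {"openshift.io/requester": "developer"}}},
    ],
})


def uses_reserved_name(name):
    """True for 'kube', 'openshift', or any name starting with 'kube-' / 'openshift-'.

    The bare roots are included because the bug title writes the pattern as
    kube[-*]; that reading is an assumption of this example, not a fact from
    the thread (the 3.6 API error only mentions the hyphenated prefixes).
    """
    return any(name == root or name.startswith(root + "-") for root in RESERVED_ROOTS)


def _annotations(ns):
    # Tolerate objects with no metadata or no annotations at all.
    return (ns.get("metadata") or {}).get("annotations") or {}


def _name(ns):
    return (ns.get("metadata") or {}).get("name") or ""


def find_invalid_namespaces(namespace_list_json):
    """Return sorted names of user-requested namespaces that use reserved names."""
    doc = json.loads(namespace_list_json)
    return sorted(
        _name(ns)
        for ns in doc.get("items") or []
        if uses_reserved_name(_name(ns)) and REQUESTER_ANNOTATION in _annotations(ns)
    )


def upgrade_may_proceed(namespace_list_json):
    """Mirror the playbook gate: False (block the upgrade) if any invalid namespace exists."""
    return not find_invalid_namespaces(namespace_list_json)


def main():
    bad = find_invalid_namespaces(SAMPLE_NAMESPACE_LIST)
    if bad:
        print("namespaces that use reserved names and were not created by "
              "infrastructure components:")
        for name in bad:
            print("  " + name)
        raise SystemExit(1)
    print("no reserved-name namespaces were requested by users; upgrade may proceed")


if __name__ == "__main__":
    main()
```

Against the constructed sample the check reports kube-test and openshift-test only: kube-system and openshift-infra pass because nothing requested them, and kubernetes-test passes because the reserved prefix is "kube-" with the hyphen, not "kube". On a real cluster you would feed `find_invalid_namespaces` the text of `oc get namespaces -o json` as cluster-admin and run it before starting the upgrade playbook, which is the same point in the process where the task in comment 11 fails. The filter deliberately keys on the requester annotation rather than on the name alone, so a namespace created directly with `oc create namespace` instead of through a project request (and therefore lacking the annotation) is not reported; that is the distinction the description draws, and an operator who wants to be stricter can drop the annotation condition and review the resulting list by hand.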

Comment 13 errata-xmlrpc 2017-08-10 05:18:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:1716

