Bug 1428934 - Reserve kube[-*] and openshift[-*] namespaces
Status: CLOSED ERRATA
Product: OpenShift Container Platform
Classification: Red Hat
Component: Upgrade
Version: 3.6.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: ---
Assigned To: Scott Dodson
QA Contact: Anping Li
Depends On:
Blocks:
Reported: 2017-03-03 11:14 EST by David Eads
Modified: 2017-08-16 15 EDT

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-08-10 01:18:47 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


External Trackers
Tracker ID: Red Hat Product Errata RHEA-2017:1716
Priority: normal
Status: SHIPPED_LIVE
Summary: Red Hat OpenShift Container Platform 3.6 RPM Release Advisory
Last Updated: 2017-08-10 05:02:50 EDT

Description David Eads 2017-03-03 11:14:53 EST
Upstream is reserving kube-* namespaces (kube-system and kube-public are notably already used).  We should do the same with openshift[-*] namespaces.

We need to prevent an upgrade to make sure we don't bump to a level that gives power to a namespace a user previously requested as their own.  This allows us to further restrict the set of namespaces to those that have the "openshift.io/requester" annotation set.

There is an open pull to add a check (https://github.com/openshift/openshift-ansible/pull/3535), but that needs wiring to prevent upgrades until those namespaces are resolved.
Comment 1 Scott Dodson 2017-05-09 09:02:47 EDT
This is done.
Comment 3 Anping Li 2017-05-11 23:17:34 EDT
What is the expected result of this feature during upgrade? 1 or 2?

1. The upgrade aborts when there are projects named kube-xxx or openshift-xxx.
2. OCP 3.6 doesn't allow projects named kube-xxx or openshift-xxx.


[root@openshift-214 ~]# oc new-project kube-test1
Error from server (Forbidden): project.project.openshift.io "kube-test1" is forbidden: cannot request a project starting with "kube-"
[root@openshift-214 ~]# oc new-project openshift-test1
Error from server (Forbidden): project.project.openshift.io "openshift-test1" is forbidden: cannot request a project starting with "openshift-"
Comment 4 Mo 2017-05-12 00:22:05 EDT
Both.

We do not let you upgrade from 3.5 to 3.6 with projects that violate this requirement.  The API server did not prevent their creation in 3.5.

In 3.6 the API server prevents their creation.
Comment 8 Anping Li 2017-05-14 21:25:24 EDT
In OCP 3.5, I created projects via 'oc new-project kube-test' & 'oc new-project openshift-test'.

After upgrading to OCP 3.6, I got the following message.
[root@openshift-214 ~]# oc new-project kube-test1
Error from server (Forbidden): project.project.openshift.io "kube-test1" is forbidden: cannot request a project starting with "kube-"
[root@openshift-214 ~]# oc new-project openshift-test1
Error from server (Forbidden): project.project.openshift.io "openshift-test1" is forbidden: cannot request a project starting with "openshift-"


I had expected the upgrade to abort, as there are projects kube-test and openshift-test. But it didn't abort.

Can you confirm the requirement in comment 4 again? Shall we abort the upgrade playbook if there are projects named like 'kube-xx' and 'openshift-xxx' when we upgrade from v3.5 to 3.6?
Comment 9 Scott Dodson 2017-05-15 09:14:43 EDT
We'd only included the validator in 3.5 playbook. I'll move it to ensure it's included on all upgrade playbooks.
Comment 11 Anping Li 2017-06-02 08:44:38 EDT
Openshift-ansible v3.6.92 works as expected. 

TASK [Check for invalid namespaces and SDN errors] *****************************
fatal: [openshift-214.lab.eng.nay.redhat.com]: FAILED! => {
    "changed": false, 
    "failed": true, 
    "results": {
        "namespaces that use reserved names and were not created by infrastructure components": [
            {
                "apiVersion": "v1", 
                "kind": "Namespace", 
                "metadata": {
                    "annotations": {
                        "openshift.io/description": "", 
                        "openshift.io/display-name": "", 
                        "openshift.io/requester": "system:admin", 
                        "openshift.io/sa.scc.mcs": "s0:c9,c4", 
                        "openshift.io/sa.scc.supplemental-groups": "1000080000/10000", 
                        "openshift.io/sa.scc.uid-range": "1000080000/10000"
                    }, 
                    "creationTimestamp": "2017-06-02T10:25:55Z", 
                    "name": "kube-test", 
                    "namespace": "", 
                    "resourceVersion": "3344", 
                    "selfLink": "/api/v1/namespaceskube-test", 
                    "uid": "dc505d60-477d-11e7-802e-fa163e66ca8d"
                }, 
                "spec": {
                    "finalizers": [
                        "openshift.io/origin", 
                        "kubernetes"
                    ]
                }, 
                "status": {
                    "phase": "Active"
                }
            }, 
            {
                "apiVersion": "v1", 
                "kind": "Namespace", 
                "metadata": {
                    "annotations": {
                        "openshift.io/description": "", 
                        "openshift.io/display-name": "", 
                        "openshift.io/requester": "system:admin", 
                        "openshift.io/sa.scc.mcs": "s0:c8,c7", 
                        "openshift.io/sa.scc.supplemental-groups": "1000070000/10000", 
                        "openshift.io/sa.scc.uid-range": "1000070000/10000"
                    }, 
                    "creationTimestamp": "2017-06-02T10:25:48Z", 
                    "name": "openshift-test", 
                    "namespace": "", 
                    "resourceVersion": "3306", 
                    "selfLink": "/api/v1/namespacesopenshift-test", 
                    "uid": "d8923248-477d-11e7-802e-fa163e66ca8d"
                }, 
                "spec": {
                    "finalizers": [
                        "openshift.io/origin", 
                        "kubernetes"
                    ]
                }, 
                "status": {
                    "phase": "Active"
                }
            }
        ]
    }, 
    "state": "list"
}

MSG:

All objects are not valid.  If you are a supported customer please contact Red Hat Support providing the complete output above. If you are not a customer please contact users@lists.openshift.redhat.com for assistance.
	to retry, use: --limit @/usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/upgrades/v3_6/upgrade.retry

PLAY RECAP *********************************************************************
localhost                  : ok=13   changed=0    unreachable=0    failed=0
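The following is an added example written for this page; it is not code from openshift-ansible or from the OpenShift API server. It reproduces the two conditions the thread describes: a namespace is "reserved" if its name starts with "kube-" or "openshift-" (the prefixes the 3.6 API server rejects in the errors quoted above), and it is a problem for the upgrade only if it also carries the "openshift.io/requester" annotation, i.e. it was requested by a user rather than created by an infrastructure component, which is exactly what the "namespaces that use reserved names and were not created by infrastructure components" result in the playbook output lists. The function names, the constructed NamespaceList and the `--live` flag (which shells out to `oc get namespaces -o json`) are assumptions of this example.

```python
"""Pre-upgrade check for user-requested namespaces with reserved names.

Added example, not openshift-ansible code. The reserved prefixes mirror the
API server errors quoted in the bug; the requester annotation distinguishes
user-requested projects from namespaces created by infrastructure.
"""
import json
import subprocess
import sys

# Prefixes the 3.6 API server refuses in project requests (from the bug).
RESERVED_PREFIXES = ("kube-", "openshift-")
# Set on namespaces that were requested by a user through the project API.
REQUESTER_ANNOTATION = "openshift.io/requester"


def is_reserved_name(name):
    """True if a project request for this name would be forbidden in 3.6."""
    return any(name.startswith(prefix) for prefix in RESERVED_PREFIXES)


def user_requested_reserved_namespaces(namespace_list):
    """Return namespaces from a NamespaceList (the JSON shape of
    `oc get namespaces -o json`) that use a reserved name AND carry the
    requester annotation. Infrastructure namespaces such as kube-system
    have no requester and are therefore not reported."""
    offenders = []
    for ns in namespace_list.get("items", []):
        meta = ns.get("metadata", {})
        name = meta.get("name", "")
        annotations = meta.get("annotations") or {}
        if is_reserved_name(name) and REQUESTER_ANNOTATION in annotations:
            offenders.append({"name": name,
                              "requester": annotations[REQUESTER_ANNOTATION]})
    return offenders


# Constructed sample (not real cluster output): one infra namespace with a
# reserved name, a normal project, and two user-requested reserved names.
SAMPLE = {
    "kind": "NamespaceList",
    "items": [
        {"metadata": {"name": "kube-system", "annotations": {}}},
        {"metadata": {"name": "default",
                      "annotations": {"openshift.io/sa.scc.mcs": "s0:c1,c0"}}},
        {"metadata": {"name": "kube-test",
                      "annotations": {"openshift.io/requester": "system:admin"}}},
        {"metadata": {"name": "openshift-test",
                      "annotations": {"openshift.io/requester": "alice"}}},
        {"metadata": {"name": "my-app",
                      "annotations": {"openshift.io/requester": "bob"}}},
    ],
}


def main(argv):
    """Exit non-zero if any offending namespace exists, so the check can
    gate an upgrade the way the playbook task does."""
    if "--live" in argv:
        # Assumed invocation: requires a logged-in `oc` with cluster-admin.
        out = subprocess.check_output(["oc", "get", "namespaces", "-o", "json"])
        ns_list = json.loads(out)
    else:
        ns_list = SAMPLE
    offenders = user_requested_reserved_namespaces(ns_list)
    for item in offenders:
        print("reserved name %s was requested by %s; rename or delete it "
              "before upgrading" % (item["name"], item["requester"]))
    return 1 if offenders else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it without arguments to see the two constructed offenders; with `--live` it reads the real namespace list from the cluster. Note that it only checks the prefix forms shown in the quoted API errors; if a deployment also needs to reserve the bare names "kube" and "openshift", extend RESERVED_PREFIXES accordingly.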
Comment 13 errata-xmlrpc 2017-08-10 01:18:47 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:1716
