Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1450366

Summary: The limited default resource is still created even if there is no corresponding quota cover it
Product: OpenShift Container Platform Reporter: Qixuan Wang <qixuan.wang>
Component: NodeAssignee: Derek Carr <decarr>
Status: CLOSED ERRATA QA Contact: Qixuan Wang <qixuan.wang>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 3.6.0CC: aos-bugs, dma, jokerman, mmccomas, smunilla, wmeng
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-08-10 05:24:06 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Qixuan Wang 2017-05-12 10:34:39 UTC 
Description of problem:
Configure limited resources on master-config file, if there isn't a corresponding quota that covers resources usage, the resource is still created. I attempted many configuration ways and still not sure the admission plug-in was inserted correctly while master service didn't throw errors.


Version-Release number of selected component (if applicable):
openshift v3.6.71
kubernetes v1.6.1+5115d708d7
etcd 3.1.0


How reproducible:
Always

Steps to Reproduce:
1. Insert into master-config.yaml and restart master service.
# cat master-config.yaml
admissionConfig:
  pluginConfig:
    ResourceQuota:
      configuration:
        apiVersion: resourcequota.admission.k8s.io/v1alpha1
        kind: Configuration
        limitedResources:
        - resource: pods
          matchContains:
          - pods
          - requests.cpu
        - resource: persistentvolumeclaims
          matchContains:
        - .storageclass.storage.k8s.io/requests.storage
<------------------------------------------------------->

# service atomic-openshift-master restart
# service atomic-openshift-master status

2. Make sure there is no quota in the namespace or default limited resources (requests.cpu, requests.storage)are not specified in the quota in this namespace.

3. Create a dynamic PVC which has requests.storage in its spec
# cat pvc-storage-class.json
{
  "kind": "PersistentVolumeClaim",
  "apiVersion": "v1",
  "metadata": {
    "name": "pvc-storage-class",
    "labels": {
         "name": "pvc-storage-class"
     },
    "annotations": {
        "volume.beta.kubernetes.io/storage-class": "gold"
    }
  },
  "spec": {
    "accessModes": [
      "ReadWriteOnce"
    ],
    "resources": {
      "requests": {
        "storage": "2Gi"
      }
    }
  }
}

# oc create -f pvc-storage-class.json

4. Change annotations as "volume.beta.kubernetes.io/storage-class": "bronze" and create the pvc


Actual results:
3. The default limited resource is created. 
# oc create -f  pvc-storage-class.json -n qwang1
persistentvolumeclaim "pvc-storage-class" created

4. # oc create -f pvc-storage-class-bronze.json -n qwang1
persistentvolumeclaim "pvc-storage-class-bronze" created

Expected results:
3. The pvc creation request should be rejected as follows.  
# /data/src/kubernetes/_output/local/bin/linux/amd64/kubectl create -f pvc-storage-class.json -n default
Error from server: error when creating "pvc-storage-class.json": insufficient quota to consume: gold.storageclass.storage.k8s.io/requests.storage

4. # /data/src/kubernetes/_output/local/bin/linux/amd64/kubectl create -f pvc-storage-class-bronze.json -n default
Error from server: error when creating "1.json": insufficient quota to consume: bronze.storageclass.storage.k8s.io/requests.storage



Additional info:
Comment 3 Derek Carr 2017-05-22 19:30:46 UTC 
Origin PR:
https://github.com/openshift/origin/pull/14234
Comment 5 Qixuan Wang 2017-06-07 10:43:11 UTC 
Tested on OCP3.6(openshift v3.6.96, kubernetes v1.6.1+5115d708d7, etcd 3.1.0). 

The plug-in doesn't take effect. By comparison, changes in the k8s/xxx/BUILD files don't in ose.
Comment 6 Derek Carr 2017-06-07 14:04:22 UTC 
Tested, git commit: 6473593c449ab84cfdf57361e41eae5b78e766ee

edited master-config.yaml

admissionConfig:
  pluginConfig:
    ResourceQuota:
      configuration:
        apiVersion: resourcequota.admission.k8s.io/v1alpha1
        kind: Configuration
        limitedResources:
        - resource: persistentvolumeclaims
          matchContains:
          - .storageclass.storage.k8s.io/requests.storage
    openshift.io/ImagePolicy:


$ oc create -f ~/scripts/samples/kube/quota-by-storage-class/pvc/pvc-bronze.yaml 
Error from server: error when creating "/home/decarr/scripts/samples/kube/quota-by-storage-class/pvc/pvc-bronze.yaml": insufficient quota to consume: bronze.storageclass.storage.k8s.io/requests.storage
Comment 7 Qixuan Wang 2017-06-14 07:23:19 UTC 
Tested on OCP3.6(openshift v3.6.106, kubernetes v1.6.1+5115d708d7, etcd 3.2.0), The plug-in takes effect now. Could you please move it to ON_QA so I can verify it. Thanks.
Comment 9 errata-xmlrpc 2017-08-10 05:24:06 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:1716