1484563 – You should not be able to modify metadata.generation in a DC

Bug 1484563 - You should not be able to modify metadata.generation in a DC

Summary: You should not be able to modify metadata.generation in a DC

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Master
Sub Component:
Version:	3.3.1
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	---
Target Release:	3.3.1
Assignee:	Tomáš Nožička
QA Contact:	zhou ying
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2017-08-23 21:00 UTC by Eric Jones
Modified:	2020-09-10 11:18 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	Cause: User can modify metadata.generation which he shouldn't be able to modify. Consequence: It can break controllers. Fix: Forbid changing metadata.generation. Result: Any changes to metadata.generation are ignored.
Clone Of:
Environment:
Last Closed:	2017-11-28 22:07:41 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2017:3188	0	normal	SHIPPED_LIVE	Moderate: Red Hat OpenShift Container Platform 3.7 security, bug, and enhancement update	2017-11-29 02:34:54 UTC

Description Eric Jones 2017-08-23 21:00:35 UTC

Description of problem:
If the metadata.generation value is lower than the status.observedGeneration the DC is no longer modifiable. The master (or master-controllers) service will log an error that the DC cannot be updated because the "status.observedGeneration cannot be decremented". 

Version-Release number of selected component (if applicable):
OCP 3.3.1

How reproducible:
100%

Steps to Reproduce:
1. oc edit dc <test_app>
2. change the metadata.generation to a lower value (for example: 5->3) and save
3. oc scale dc <test_app> --replicas=<Different_number>

Actual results:
Pod scales up/down to match the specified replicas
BUT an error message about updating the DC will appear in the master (or master-controllers) service logs and if you check `oc get dc <test_app>` it will reference the old replica number

Expected results:
metadata.generation is not changed therefore the scale and everything adjusts properly.

Additional info:
OpenShift is unable to make additional modifications to an application's DC (including scaling) if the DC's .spec.observedGeneration is greater than the .metadata.generation value. Neither of these fields are things that the user should have any reason to modify but the .metadata.generation can be modified.

Comment 2 Solly Ross 2017-08-23 21:09:04 UTC

It seems like in general, if we never expect observedGeneration to go down, ValidateObjectMetaUpdate in Kubernetes should probably prevent `Generation` from going down as well.

I believe the error is specifically in regards to status updates -- spec-only updates seem to go through.  However, incorrect status causes issues with things which depend on status for information, such as the HPA, which consumes `status.replicas` via the scale subresource.

Comment 8 zhou ying 2017-08-31 09:32:08 UTC

Not merged with latest OCP v3.3.1.46.16

Comment 10 zhou ying 2017-11-10 01:59:56 UTC

Confirmed with OCP v3.3.1.46.31, now can't update the generation.
openshift v3.3.1.46.31
kubernetes v1.3.0+52492b4
etcd 2.3.0+git

Comment 13 errata-xmlrpc 2017-11-28 22:07:41 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:3188

Note You need to log in before you can comment on or make changes to this bug.