Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 1493057 - HPA V2 cannot get services/unsafeproxy in the namespace "openshift-infra"
HPA V2 cannot get services/unsafeproxy in the namespace "openshift-infra"
Status: CLOSED ERRATA
Product: OpenShift Container Platform
Classification: Red Hat
Component: Auth (Show other bugs)
3.7.0
All All
high Severity high
: ---
: 3.7.0
Assigned To: Mo
DeShuai Ma
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2017-09-19 05:26 EDT by Zhang Cheng
Modified: 2017-11-28 17:11 EST (History)
8 users (show)

See Also:
Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-11-28 17:11:25 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:3188 normal SHIPPED_LIVE Moderate: Red Hat OpenShift Container Platform 3.7 security, bug, and enhancement update 2017-11-28 21:34:54 EST

  None (edit)
Comment 1 Seth Jennings 2017-09-19 10:29:41 EDT 
Solly, PTAL.  Seems to be a HPA service account permissions issue.
Comment 2 Solly Ross 2017-10-03 14:34:35 EDT 
yeah looks like someone changed the name of the proxy subresource, but didn't update the HPA RBAC rules...
Comment 3 Seth Jennings 2017-10-03 14:47:47 EDT 
Rebalancing bugs.  Andrew, PTAL.
Comment 4 Andrew McDermott 2017-10-05 15:44:27 EDT 
Debugging and investigating with Solly yields what might be the root cause:

  https://github.com/openshift/origin/issues/16710
Comment 5 Solly Ross 2017-10-05 16:09:20 EDT 
We also found this (unrelated) HPA issue (an update to the controller initialization borked RBAC for the HPA controller, again): https://github.com/openshift/origin/pull/16711
Comment 6 Andrew McDermott 2017-10-09 07:07:13 EDT 
An easy way to reproduce this is to issue:

 $ curl -k -H "Authorization: Bearer $(oc whoami -t)" \
     https://<<<HOSTNAME>>>:8443/api/v1/namespaces/openshift-infra/services/https:heapster:/proxy/apis/metrics/v1/alpha1/nodes
Comment 7 Mo 2017-10-10 20:52:12 EDT 
Fixed in https://github.com/openshift/origin/pull/16741
Comment 8 Andrew McDermott 2017-10-11 14:18:47 EDT 
I spent some time validating the tip of Origin @ 9f5c91e050 now that:

 - https://github.com/openshift/origin/pull/16741
 - https://github.com/openshift/origin/pull/16711

have been merged.

Given a deployment I was able to add the HPA and then edit metrics  for CPU Request and Limit to small values. Previously this wasn't possible (fixed by 16711). Given very small request and limit values I saw the pod scale out to 3.

Using curl, I now get: 

curl -H "Authorization: Bearer $(oc whoami -t)" \
  https://fedora-dev-vm-2:8443/api/v1/namespaces/openshift-infra/services/https:heapster:/proxy/apis/metrics/v1alpha1/nodes -k

User "test-admin" cannot get services/proxy in the namespace "openshift-infra".
Comment 9 DeShuai Ma 2017-10-23 22:28:45 EDT 
Tested the bug on the env openshift v3.7.0-0.158.0, now hpav2 can get the metrics correctly. verify the bug
Comment 13 errata-xmlrpc 2017-11-28 17:11:25 EST 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:3188
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.