Description of problem: After configuring the quota for the route, the value for used quota for route will outnumber the hard quota if the object is created from the webconsole, so the quota limitation doesn't work on web-console It works in CLI as expected by limiting any additional resource to be created once the used value reaches the hard value Version-Release number of selected component (if applicable): # oc version oc v3.11.69 kubernetes v1.11.0+d4cacc0 features: Basic-Auth GSSAPI Kerberos SPNEGO openshift v3.11.69 Steps to Reproduce: 1.Create a quota for the object route with hard limit of 2. [root@master-0 ~]# oc create quota test --hard=count/routes.route.openshift.io=2 resourcequota/test created [root@master-0 ~]# oc describe quota Name: test Namespace: quota Resource Used Hard -------- ---- ---- count/routes.route.openshift.io 0 2 [root@master-0 ~]# ============================================================================================================================== 2. Deploy an httpd application from cli and create additional routes from the web-console. # oc new-app httpd # NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD httpd-ex httpd-ex-quota.apps.redhat.com httpd-ex 8080-tcp None httpd-ex1 httpd-ex1-quota.apps.redhat.com httpd-ex1 8080-tcp None httpd-ex2 httpd-ex2-quota.apps.redhat.com httpd-ex2 8080-tcp None =================================================================================================================================== 3. Check the resource quota [root@master-0 ~]# oc describe quota Name: test Namespace: quota Resource Used Hard -------- ---- ---- count/routes.route.openshift.io 3 2 [root@master-0 ~]# ================================================================================================================================== Actual results: Refer step 3 in Reproducer Expected results: Additional routes should be forbidden and the limitations on the quota should be respected from the web console. Additional info: Creating any additional route from the cli is restricted. [root@master-0 ~]# oc expose svc httpd3 Error from server (Forbidden): routes.route.openshift.io "httpd3" is forbidden: exceeded quota: test, requested: count/routes.route.openshift.io=1, used: count/routes.route.openshift.io=3, limited: count/routes.route.openshift.io=2
Can you confirm exactly how you created the route? Did you use the route editor or did you import YAML? I would add an additional entry to the quota for `routes` without the API group. If you are creating the route using YAML without specifying the API group, it would not check against the `routes.route.openshift.io` limit (to my knowledge). Note that quota is enforced by the API server and is not enforced by the web console. Changing component to master.
Hi, The routes were created using the navigation tabs from the console. Application-->Routes-->CreateRoute The YAML for the route was self-generated by OCP #######################################################################################3 --------------/YAML output of route created using console--------------> [root@master-0 ~]# oc get route httpd2 -o yaml apiVersion: route.openshift.io/v1 kind: Route metadata: creationTimestamp: 2019-02-18T11:35:29Z labels: app: httpd name: httpd2 namespace: quota resourceVersion: "278903" selfLink: /apis/route.openshift.io/v1/namespaces/quota/routes/httpd2 uid: 4ad60807-3371-11e9-baac-fa163ef0c742 spec: host: httpd2-quota.apps.**redhat.com port: targetPort: 8080-tcp to: kind: Service name: httpd1 weight: 100 wildcardPolicy: None status: ingress: null [root@master-0 ~]# ------------------------------------------------------------------> --------------/YAML output of route created using cli--------------> [root@master-0 ~]# oc get route httpd -o yaml apiVersion: route.openshift.io/v1 kind: Route metadata: annotations: openshift.io/host.generated: "true" creationTimestamp: 2019-02-18T11:25:56Z labels: app: httpd name: httpd namespace: quota resourceVersion: "277450" selfLink: /apis/route.openshift.io/v1/namespaces/quota/routes/httpd uid: f5b4a68f-336f-11e9-8891-fa163ef0c742 spec: host: httpd-quota.apps.***redhat.com port: targetPort: 8080-tcp to: kind: Service name: httpd weight: 100 wildcardPolicy: None status: ingress: null -----------------------------------------------------------------------> #######################################################################################3 Additional info: --------------Yaml output of created quota------------> [root@master-0 ~]# oc get quota test -o yaml apiVersion: v1 kind: ResourceQuota metadata: creationTimestamp: 2019-02-18T11:14:44Z name: test namespace: quota resourceVersion: "279304" selfLink: /api/v1/namespaces/quota/resourcequotas/test uid: 64fac38d-336e-11e9-8891-fa163ef0c742 spec: hard: count/routes.route.openshift.io: "2" status: hard: count/routes.route.openshift.io: "2" used: count/routes.route.openshift.io: "4" [root@master-0 ~]# ----------------------------------------------------->
Can we have any updates on the Bugzilla. Do let me know if any additional information is required.
I reproduced in v3.11.113 env web console. In web console, press F12, in bottom window, click "Network" tab, then in web console click `Application-->Routes-->CreateRoute`, found POST request url uses non-group api: /oapi/v1/namespaces/xxia-proj/routes, while `oc expose svc httpd-ex --loglevel 6` uses group api "POST .../apis/route.openshift.io/v1/namespaces/xxia-proj2/routes. BTW, after web console CreateRoute created route, `oc describe quota` does not update "Used" value immediately. After a few mins, "Used" will be increased. While `oc expose svc ...` can immediately update "Used". In web console, if click Overview-->Add to Project-->Import YAML/JSON, input below group api YAML, the creation can be restricted. apiVersion: route.openshift.io/v1 kind: Route metadata: labels: app: httpd name: httpd-ex6 spec: port: targetPort: 8080-tcp to: kind: Service name: httpd Thus, either web console should fix CreateRoute page with group api request, or Master team fix it by enforcing quota both on group api and old non-group oapi
Have you tried the recommendation from comment #1? > I would add an additional entry to the quota for `routes` without the API group. If you are creating the route using YAML without specifying the API group, it would not check against the `routes.route.openshift.io` limit (to my knowledge). Note that the legacy API groups are removed in 4.x, so this won't be an issue in future versions. > (In reply to Xingxing Xia from comment #5) > Thus, either web console should fix CreateRoute page with group api request, > or Master team fix it by enforcing quota both on group api and old non-group > oapi This can't be addressed in the web console. The API server must enforce quota to prevent creating items from CLI or API directly.
*** Bug 1726198 has been marked as a duplicate of this bug. ***
As the bug (In reply to Samuel Padgett from comment #6) > Have you tried the recommendation from comment #1? > > > I would add an additional entry to the quota for `routes` without the API group. If you are creating the route using YAML without specifying the API group, it would not check against the `routes.route.openshift.io` limit (to my knowledge). > > Note that the legacy API groups are removed in 4.x, so this won't be an > issue in future versions. > > > (In reply to Xingxing Xia from comment #5) > > Thus, either web console should fix CreateRoute page with group api request, > > or Master team fix it by enforcing quota both on group api and old non-group > > oapi > > This can't be addressed in the web console. The API server must enforce > quota to prevent creating items from CLI or API directly. Can I request the respective team to take further action on the bug. One of my customers wants this bug to be fixed on OCP v3.11.
This bug hasn't had any engineering activity in the last ~30 days. Maybe the problem got resolved, was a duplicate of something else, or became less pressing for some reason - or maybe it's still relevant but just hasn't been looked at yet. As such, we're marking this bug as "LifecycleStale". If you have further information on the current state of the bug, please update it and remove the "LifecycleStale" keyword, otherwise this bug will be automatically closed in 7 days. The information can be, for example, that the problem still occurs, that you still want the feature, that more information is needed, or that the bug is (for whatever reason) no longer relevant.
This bug hasn't had any activity 7 days after it was marked as LifecycleStale, so we are closing this bug as WONTFIX. If you consider this bug still valuable, please reopen it or create new bug.
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days