Bug 1683972 - No method provided to update admission in master config on ocp4.0
Summary: No method provided to update admission in master config on ocp4.0
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Master
Version: 4.1.0
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
: 4.1.0
Assignee: Michal Fojtik
QA Contact: Xingxing Xia
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-02-28 08:32 UTC by Weinan Liu
Modified: 2019-06-04 10:44 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-04 10:44:42 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:0758 None None None 2019-06-04 10:44:49 UTC

Description Weinan Liu 2019-02-28 08:32:46 UTC
Description of problem:
No method provided to update admission in master config on ocp4.0
On ocp3.11 and earlier there are testing scenarios requires updating admissionConfig in /etc/origin/master/master-config.yaml, but the file does not exists on ocp4.0

How reproducible:
always

Steps to Reproduce:

Actual results:
Method provided to get admissionConfig updated

Expected results:
No method provided to get admissionConfig updated

Additional info:
unsupportedConfigOverrides may be the dev task tracking this.

Comment 1 Xingxing Xia 2019-03-01 02:15:31 UTC
(In reply to Weinan Liu from comment #0)
> Additional info:
> unsupportedConfigOverrides may be the dev task tracking this.
unsupportedConfigOverrides can work in current 4.0 for updating admission, see https://github.com/openshift/cluster-kube-apiserver-operator

Comment 2 Michal Fojtik 2019-03-05 09:35:45 UTC
Yes, for 4.0 the only method is to use unsupportedConfigOverrides.

Comment 4 David Eads 2019-03-06 15:12:37 UTC
It works and must match this type: https://github.com/openshift/api/blob/master/kubecontrolplane/v1/types.go#L14

Comment 7 Weinan Liu 2019-03-12 06:53:25 UTC
Hi Michal Fojtik, I tried both `AdmissionPluginConfig` and `admissionPluginConfig`. Neither one worked


oc edit kubeapiserver

adding...
...
  unsupportedConfigOverrides:
    AdmissionPluginConfig:
      alwaysPullImages:
        configuration:
          apiVersion: v1
          kind: DefaultAdmissionConfig

...


oc edit kubeapiserver

adding...
...
  unsupportedConfigOverrides:
    admissionPluginConfig:
      AlwaysPullImages:
        configuration:
          apiVersion: v1
          kind: DefaultAdmissionConfig

...

How I checked it was not working:

1)$ cat /tmp/pod2.yaml
apiVersion: v1
kind: Pod
metadata:
 name: foo2
spec:
 nodeName: ip-172-31-131-75.us-east-2.compute.internal
 containers:
  - name: foo2
    image: docker.io/deshuai/hello-openshift
    imagePullPolicy: IfNotPresent
2) kubectl create -f /tmp/pod2.yaml

3)$ oc get pod foo2 -o yaml|grep -i imagePullPolicy:
    imagePullPolicy: IfNotPresent


imagePullPolicy in step 3) was not overridden with AlwaysPullImages

Comment 8 Weinan Liu 2019-03-14 05:36:04 UTC
Hi Michal Fojtik,
could you advise?

Comment 9 Weinan Liu 2019-03-15 08:39:00 UTC
It's blocking us with the admission updating related test

Comment 12 Stefan Schimanski 2019-03-18 10:25:33 UTC
```
  unsupportedConfigOverrides:
    admissionPluginConfig:
      AlwaysPullImages:
        configuration:
          apiVersion: v1
          kind: DefaultAdmissionConfig
```

syntax is correct. But AlwaysPullImages has no config at all.

If the assumption has been, that giving a config will enable the plugin. This is not the case.

Instead something like the following should work:

```
  unsupportedConfigOverrides:
    admissionPluginConfig:
      enabledPlugins:
      - AlwaysPullImages
```

Comment 13 Stefan Schimanski 2019-03-18 10:31:55 UTC
Correction:

```
  unsupportedConfigOverrides:
    admission:
      enabledPlugins:
      - AlwaysPullImages
```

Comment 14 Stefan Schimanski 2019-03-18 11:05:26 UTC
I double checked the upper config set via `kubectl edit kubeapiserver`, then creating the pod from comment 7 and got `imagePullPolicy: Always` as expected.

Comment 17 errata-xmlrpc 2019-06-04 10:44:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0758


Note You need to log in before you can comment on or make changes to this bug.