The following pods run in the BestEffort QoS with no resource requests openshift-service-ca-operator/service-ca-operator openshift-service-ca/apiservice-cabundle-injector openshift-service-ca/configmap-cabundle-injector openshift-service-ca/service-serving-cert-signer https://github.com/openshift/origin/pull/22787 This can cause eviction, OOMKilling, and CPU starvation. Please add the following resource requests to the pods in this component: Memory: service-ca-operator 80Mi apiservice-cabundle-injector 50Mi configmap-cabundle-injector 50Mi service-serving-cert-signer 120Mi CPU: all 10m
https://github.com/openshift/service-ca-operator/pull/57
This is already merged in latest nightly build:
Verified on 4.1.0-0.nightly-2019-05-18-050636 $ oc get po -n openshift-service-ca-operator -o json | jq '.items[0].spec.containers[0].resources' { "requests": { "cpu": "10m", "memory": "80Mi" } } $ oc get po apiservice-cabundle-injector-776c457f7d-nrvjs -n openshift-service-ca -o json | jq '.spec.containers[0].resources' { "requests": { "cpu": "10m", "memory": "50Mi" } } $ oc get po configmap-cabundle-injector-5946598ff6-ffk2k -n openshift-service-ca -o json | jq '.spec.containers[0].resources' { "requests": { "cpu": "10m", "memory": "50Mi" } } $ oc get po service-serving-cert-signer-5c7f8cdbb6-wnwj6 -n openshift-service-ca -o json | jq '.spec.containers[0].resources' { "requests": { "cpu": "10m", "memory": "120Mi" } }
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:2922
Follow-up OAuth work in bug 1905329.