Bug 1734663 - [4.1] Backport of upstream #78882: Fix incorrect procMount defaulting
Summary: [4.1] Backport of upstream #78882: Fix incorrect procMount defaulting
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: kube-apiserver
Version: 4.1.z
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: high
Target Milestone: ---
Target Release: 4.1.z
Assignee: Stefan Schimanski
QA Contact: Xingxing Xia
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-07-31 07:28 UTC by Stefan Schimanski
Modified: 2019-08-28 19:55 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-28 19:54:49 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Github openshift origin pull 23517 0 None None None 2019-07-31 07:31:14 UTC
Red Hat Product Errata RHBA-2019:2547 0 None None None 2019-08-28 19:54:59 UTC

Description Stefan Schimanski 2019-07-31 07:28:19 UTC
What this PR does / why we need it:

Fixes incorrect forcing of the alpha procMount field to a non-nil value.

Without it, DaemonSets can/will suddenly all redeploy at the same time, leading to outages on upgrade: https://github.com/kubernetes/kubernetes/issues/78633

Upstream PR: https://github.com/kubernetes/kubernetes/pull/78882

Comment 1 Stefan Schimanski 2019-07-31 07:29:27 UTC
4.2 PR, to be tested by QA: https://github.com/openshift/origin/pull/23512

Comment 3 Xingxing Xia 2019-08-16 06:05:47 UTC
Verified by upgrading an env from payload 4.1.0-0.nightly-2019-08-13-020742 which does incorrect procMount defaulting, to payload 2 4.1.0-0.nightly-2019-08-13-091918 which includes the fix. Didn't see daemonset containers unexpectedly restart. More details:
Before upgrade, besides the cluster-component daemonsets, create a daemonset which would include non-nil podSpec.Containers.SecurityContext.ProcMount after creation:
oc create -f - -n xxia-proj << EOF
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  name: myds
spec:
  selector:
    matchLabels:
      name: myds
  template:
    metadata:
      labels:
        name: myds
    spec:
      containers:
      - image: openshift/hello-openshift
        name: hello-openshift
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
EOF

After creation, the daemonset looks like:
...
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          procMount: Default
...

Then do the above upgrade.
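
The mechanism behind the outage in the description, and behind the procMount: Default that appears in the daemonset above, can be seen in a small model. This is an added example, not code from the bug, from Kubernetes or from the upstream PR: the types, the defaulting functions and the hash are constructed miniatures, and fixedDefault represents the assumed post-fix behaviour (leave an unset alpha field unset) rather than the actual upstream change.

```go
package main

import (
	"encoding/json"
	"hash/fnv"
)

// Constructed miniature of the fields involved (not the real Kubernetes types):
// procMount is an optional alpha field, so nil means "the user never set it".
type SecurityContext struct {
	ProcMount *string `json:"procMount,omitempty"`
}
type Container struct {
	Name            string           `json:"name"`
	Image           string           `json:"image"`
	SecurityContext *SecurityContext `json:"securityContext,omitempty"`
}
type PodTemplate struct {
	Containers []Container `json:"containers"`
}

// buggyDefault models the behaviour fixed by upstream #78882: a nil procMount is
// forced to "Default", so a template the user never touched changes on read.
func buggyDefault(t *PodTemplate) {
	for i := range t.Containers {
		if sc := t.Containers[i].SecurityContext; sc != nil && sc.ProcMount == nil {
			d := "Default"
			sc.ProcMount = &d
		}
	}
}

// fixedDefault leaves an unset alpha field unset (assumed post-fix behaviour).
func fixedDefault(t *PodTemplate) {}

// templateHash models how a DaemonSet controller fingerprints its pod template
// (FNV over the serialized template; the real controller hashes differently, but
// any change in the serialized template changes the fingerprint either way).
func templateHash(t PodTemplate) uint32 {
	b, _ := json.Marshal(t)
	h := fnv.New32a()
	h.Write(b)
	return h.Sum32()
}

// rolloutTriggered is true when pushing the stored template through the given
// defaulter (as an upgraded apiserver would) changes its hash: that mismatch is
// what makes the controller roll out every DaemonSet pod at the same time.
func rolloutTriggered(defaulter func(*PodTemplate)) bool {
	stored := PodTemplate{Containers: []Container{{Name: "hello-openshift", Image: "openshift/hello-openshift", SecurityContext: &SecurityContext{}}}}
	before := templateHash(stored)
	defaulter(&stored)
	return templateHash(stored) != before
}
```

rolloutTriggered(buggyDefault) returns true and rolloutTriggered(fixedDefault) returns false, which is the difference QA verified by upgrading between the two payloads.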

Comment 6 errata-xmlrpc 2019-08-28 19:54:49 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2547

