Bug 1739504 - kube-apiserver shouldn't allow upgrades when unsupported feature gate is set until CVO handles it natively
Summary: kube-apiserver shouldn't allow upgrades when unsupported feature gate is set ...
Keywords:
Status: CLOSED DUPLICATE of bug 1730401
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 4.1.0
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
: ---
Assignee: Abhinav Dahiya
QA Contact: Johnny Liu
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-08-09 13:30 UTC by Tomáš Nožička
Modified: 2019-08-26 16:12 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1730401
Environment:
Last Closed: 2019-08-26 16:12:47 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift cluster-kube-apiserver-operator pull 548 0 None None None 2019-08-09 14:14:21 UTC

Description Tomáš Nožička 2019-08-09 13:30:42 UTC
+++ This bug was initially created as a clone of Bug #1730401 +++

Description of problem:

The CVO should block an upgrade of a cluster whose FeatureGate is configured for TechPreviewNoUpgrade when upgrading across minor versions.

Actual results:
The cluster upgrade is not blocked.

Expected results:
The cluster upgrade should be blocked across minor versions.

--- Additional comment from Clayton Coleman on 2019-07-30 13:34:53 UTC ---

This probably needs an API change (and a design) if we put it in the CVO, because we don't want the existing `force` flag to be used for this (that teaches users to run unsecured content).   We can have oc adm upgrade check Upgradeable and bypass if --bypass-tech-preview or similar.

--- Additional comment from W. Trevor King on 2019-08-01 23:57:52 UTC ---

> The cluster upgrade should be blocked across minor versions.

Only minor versions?  The docs [1] say "PREVENTS UPGRADES", which sounds like "no upgrades at all" which would include patch-level changes or anything else that required looking at a different release image.  But maybe we're confident enough in patch-level changes that we don't feel the need to block them?  Personally I don't see a problem forcing users to delete/recreate their cluster after they've set this, even for minor bumps.

> We can have oc adm upgrade check Upgradeable and bypass if --bypass-tech-preview or similar.

Is this something we want to allow people to bypass?  The docs also say this setting "CANNOT BE UNDONE".

[1]: https://github.com/openshift/api/blob/0922aa5a655be314e20a3e0e94f4f2b105100154/config/v1/types_feature.go#L31

Comment 1 Tomáš Nožička 2019-08-09 14:14:03 UTC
Bad clone. This is about setting Upgradable for kube-apiserver to false when unsupported feature gate is set until there is native support in CVO.

Comment 4 Abhinav Dahiya 2019-08-26 16:12:47 UTC

*** This bug has been marked as a duplicate of bug 1730401 ***


Note You need to log in before you can comment on or make changes to this bug.