Bug 1740052 - Federate a namespace failed for the invalid object name
Status: CLOSED ERRATA
Product: OpenShift Container Platform
Classification: Red Hat
Component: Federation
Version: 4.2.0
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
: 4.2.0
Assignee: Aniket Bhat
QA Contact: Qin Ping
Reported: 2019-08-12 08:21 UTC by Qin Ping
Modified: 2019-11-15 03:15 UTC (History)
Last Closed: 2019-10-16 06:35:36 UTC
Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:2922 0 None None None 2019-10-16 06:35:46 UTC

Description Qin Ping 2019-08-12 08:21:06 UTC
Description of problem:
Federating a namespace failed.

Version-Release number of selected component (if applicable):
$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.2.0-0.nightly-2019-08-10-002649   True        False         164m    Error while reconciling 4.2.0-0.nightly-2019-08-10-002649: the update could not be applied

kubefedctl version: version.Info{Version:"v4.2.0", GitCommit:"b8ae65cee603cc9c746911debd3dc23b922222d8", GitTreeState:"clean", BuildDate:"2019-08-08T18:18:54Z", GoVersion:"go1.12.6", Compiler:"gc", Platform:"linux/amd64"}

KubeFed controller-manager version: version.Info{Version:"v4.2.0", GitCommit:"b8ae65cee603cc9c746911debd3dc23b922222d8", GitTreeState:"clean", BuildDate:"2019-08-08T18:58:34Z", GoVersion:"go1.12.6", Compiler:"gc", Platform:"linux/amd64"}



How reproducible:
100%

Steps to Reproduce:
1. Installed a cluster scoped kubefedcontroller
2. Joined 2 clusters into the federation
3. Created a namespace
$ oc create ns test-namespace
4. Federated namespace
$ kubefedctl federate ns test-namespace -e -c --kubefed-namespace=federation-system

Actual results:
customresourcedefinition.apiextensions.k8s.io/federatednamespaces.types.kubefed.io created
federatedtypeconfig.core.kubefed.io/namespaces created in namespace federation-system
I0812 16:15:24.549821    6232 federate.go:459] Resource to federate is a namespace. Given namespace will itself be the container for the federated namespace
I0812 16:15:24.668155    6232 federate.go:488] Successfully created FederatedNamespace "test-namespace/test-namespace" from Namespace
I0812 16:15:24.771175    6232 federate.go:488] Successfully created FederatedSecret "test-namespace/builder-dockercfg-nrrsn" from Secret
I0812 16:15:24.874326    6232 federate.go:488] Successfully created FederatedSecret "test-namespace/builder-token-86qb7" from Secret
I0812 16:15:24.977652    6232 federate.go:488] Successfully created FederatedSecret "test-namespace/builder-token-sg97j" from Secret
I0812 16:15:25.079669    6232 federate.go:488] Successfully created FederatedSecret "test-namespace/default-dockercfg-sd597" from Secret
I0812 16:15:25.182751    6232 federate.go:488] Successfully created FederatedSecret "test-namespace/default-token-9mrz5" from Secret
I0812 16:15:25.285432    6232 federate.go:488] Successfully created FederatedSecret "test-namespace/default-token-q85b4" from Secret
I0812 16:15:25.387480    6232 federate.go:488] Successfully created FederatedSecret "test-namespace/deployer-dockercfg-5cdrb" from Secret
I0812 16:15:25.490251    6232 federate.go:488] Successfully created FederatedSecret "test-namespace/deployer-token-g7whc" from Secret
I0812 16:15:25.593049    6232 federate.go:488] Successfully created FederatedSecret "test-namespace/deployer-token-ndwts" from Secret
customresourcedefinition.apiextensions.k8s.io/federatedserviceaccounts.types.kubefed.io created
federatedtypeconfig.core.kubefed.io/serviceaccounts created in namespace federation-system
I0812 16:15:35.762676    6232 federate.go:488] Successfully created FederatedServiceAccount "test-namespace/builder" from ServiceAccount
I0812 16:15:35.861546    6232 federate.go:488] Successfully created FederatedServiceAccount "test-namespace/default" from ServiceAccount
I0812 16:15:35.961164    6232 federate.go:488] Successfully created FederatedServiceAccount "test-namespace/deployer" from ServiceAccount
customresourcedefinition.apiextensions.k8s.io/federatedrolebindings.types.kubefed.io created
federatedtypeconfig.core.kubefed.io/rolebindings.authorization.openshift.io created in namespace federation-system
F0812 16:15:45.724853    6232 federate.go:150] Error: Error creating federated resource "test-namespace/system:deployers": FederatedRoleBinding.types.kubefed.io "system:deployers" is invalid: metadata.name: Invalid value: "system:deployers": a DNS-1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')


Expected results:
Maybe the SAs and Secrets created when creating a namespace should not be federated.

Additional info:

Comment 1 Qin Ping 2019-08-12 09:05:26 UTC
Although --skip-api-resources "roles,rolebindings,sa,secret" can be used to avoid this issue, the user may not know which resources are created when creating a namespace or project, so I still opened this bug.

Comment 2 Aniket Bhat 2019-08-15 18:38:59 UTC
The general approach would be to identify system created resources in a reliable way and skip federating them.
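
A pre-flight check for the failure in this report, as an added example (not kubefedctl's code and not the fix shipped in the erratum): it applies the DNS-1123 subdomain regex quoted in the error message to each object name and also flags service-account credentials generated by controllers. The `Resource` type, the function names and the decision to skip by Secret type are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
)

// Regex quoted in the API server error above, anchored to match the whole name.
var dns1123Subdomain = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$`)

const maxSubdomainLen = 253 // Kubernetes length limit for DNS-1123 subdomains

// Resource is a hypothetical, minimal view of one object in the namespace.
type Resource struct{ Kind, Name, SecretType string }

// Secret types that controllers generate for service accounts (assumed skip list).
var autoSecretTypes = map[string]bool{
	"kubernetes.io/service-account-token": true,
	"kubernetes.io/dockercfg":             true,
}

// SkipReason returns why r should not be federated, or "" if it passes both checks.
func SkipReason(r Resource) string {
	if len(r.Name) > maxSubdomainLen || !dns1123Subdomain.MatchString(r.Name) {
		return "name is not a DNS-1123 subdomain"
	}
	if r.Kind == "Secret" && autoSecretTypes[r.SecretType] {
		return "controller-generated credential"
	}
	return ""
}

// Preflight splits resources into those to federate and those to skip, with reasons.
func Preflight(rs []Resource) (ok []Resource, skipped map[string]string) {
	skipped = map[string]string{}
	for _, r := range rs {
		if why := SkipReason(r); why != "" {
			skipped[r.Kind+"/"+r.Name] = why
			continue
		}
		ok = append(ok, r)
	}
	return ok, skipped
}

func main() { // constructed sample; names taken from the log output above
	ok, skipped := Preflight([]Resource{{"RoleBinding", "system:deployers", ""}, {"ServiceAccount", "builder", ""}})
	fmt.Println(len(ok), skipped)
}
```

Skipping the token and dockercfg Secrets also keeps one cluster's service-account credentials from being copied to the other member clusters.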

Comment 3 Aniket Bhat 2019-08-23 17:30:40 UTC
Ping,

This should be fixed in the latest downstream images.

Comment 5 Qin Ping 2019-08-28 08:01:00 UTC
Failed verification with:
kubefedctl version: version.Info{Version:"v4.2.0", GitCommit:"7f002471b9dd8366e1e0f080b46bc79864682f71", GitTreeState:"clean", BuildDate:"2019-08-25T17:43:59Z", GoVersion:"go1.12.8", Compiler:"gc", Platform:"linux/amd64"}
KubeFed controller-manager version: version.Info{Version:"v4.2.0", GitCommit:"7f002471b9dd8366e1e0f080b46bc79864682f71", GitTreeState:"clean", BuildDate:"2019-08-25T20:09:07Z", GoVersion:"go1.12.6", Compiler:"gc", Platform:"linux/amd64"}


Still have the same issue.
F0828 11:28:16.301763   30785 federate.go:150] Error: Error creating federated resource "test-namespace/system:deployers": FederatedRoleBinding.types.kubefed.io "system:deployers" is invalid: metadata.name: Invalid value: "system:deployers": a DNS-1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')

Comment 14 errata-xmlrpc 2019-10-16 06:35:36 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2922

