Bug 1748501 - Admission plugins "unknown" during cluster configuration
Summary: Admission plugins "unknown" during cluster configuration
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: kube-apiserver
Version: 4.2.0
Hardware: Unspecified
OS: Unspecified
medium
high
Target Milestone: ---
: 4.2.0
Assignee: Michal Fojtik
QA Contact: Xingxing Xia
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-09-03 17:55 UTC by brad.williams
Modified: 2019-10-16 06:40 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-10-16 06:40:12 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift origin pull 23722 0 'None' closed Bug 1748501: UPSTREAM: <carry>: fix openshift admission plugin registration 2020-11-17 08:57:47 UTC
Red Hat Product Errata RHBA-2019:2922 0 None None None 2019-10-16 06:40:22 UTC

Description brad.williams 2019-09-03 17:55:35 UTC
Description of problem:
Making an initial attempt at standing up a Starter integration cluster of OpenShift 4.2.  Upon applying our custom "KubeAPIServerConfig", the API Server has become degraded and the kube-apiserver pod is cycling with the following error:
Error: [enable-admission-plugins plugin "autoscaling.openshift.io/ClusterResourceOverride" is unknown, enable-admission-plugins plugin "autoscaling.openshift.io/RunOnceDuration" is unknown]


Version-Release number of selected component (if applicable):
$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.2.0-0.nightly-2019-08-29-062233   True        False         4d2h    Error while reconciling 4.2.0-0.nightly-2019-08-29-062233: the cluster operator kube-apiserver is degraded


How reproducible:
Unknown.  This is the first attempt at applying our custom config to an OpenShift 4.2 cluster.


Steps to Reproduce:
1. Install an OpenShift 4.2 (nightly) build
2. Apply custom "KubeAPIServerConfig" that contains either, or both, of these admission plugins:
"autoscaling.openshift.io/ClusterResourceOverride"
"autoscaling.openshift.io/RunOnceDuration"
3. Observe that the kube-apiserver becomes degraded

Actual results:
The fist kube-apiserver pod attempts to apply the configuration and then begins cycling due to the "unknown" admission plugins.  This then cause the kube-apiserver to become degraded.

Expected results:
The custom configuration should apply and roll out successfully.

Additional info:

Comment 3 Michal Fojtik 2019-09-04 08:58:18 UTC
These two admission plugins are owned by the scheduler (workloads).

Comment 4 Michal Fojtik 2019-09-04 11:57:51 UTC
As it turned out, this was indeed problem in kube-apiserver (admission registration for openshift admission plugins was wrong).

Comment 6 Xingxing Xia 2019-09-10 00:53:41 UTC
Verified in 4.2.0-0.nightly-2019-09-08-180038.
Applying `oc edit kubeapiserver`:
  unsupportedConfigOverrides:
    admission:
      enabledPlugins:
      - autoscaling.openshift.io/ClusterResourceOverride
      - autoscaling.openshift.io/RunOnceDuration
      pluginConfig:
        autoscaling.openshift.io/ClusterResourceOverride:
          configuration:
            apiVersion: autoscaling.openshift.io/v1
            cpuRequestToLimitPercent: 2
            kind: ClusterResourceOverrideConfig
            limitCPUToMemoryPercent: 200
            memoryRequestToLimitPercent: 50
        autoscaling.openshift.io/RunOnceDuration:
          configuration:
            activeDeadlineSecondsLimit: 3600
            apiVersion: autoscaling.openshift.io/v1
            kind: RunOnceDurationConfig
    apiVersion: kubecontrolplane.config.openshift.io/v1
    kind: KubeAPIServerConfig

Pods re-run well and co is good:
oc get po -l apiserver -n openshift-kube-apiserver
NAME                                                        READY   STATUS    RESTARTS   AGE
kube-apiserver-ip-10-0-135-39.sa-east-1.compute.internal    3/3     Running   0          2m23s
kube-apiserver-ip-10-0-139-165.sa-east-1.compute.internal   3/3     Running   0          6m1s
kube-apiserver-ip-10-0-145-203.sa-east-1.compute.internal   3/3     Running   0          4m14s
oc get co kube-apiserver
NAME             VERSION                             AVAILABLE   PROGRESSING   DEGRADED   SINCE
kube-apiserver   4.2.0-0.nightly-2019-09-08-180038   True        False         False      23h

Comment 7 errata-xmlrpc 2019-10-16 06:40:12 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2922


Note You need to log in before you can comment on or make changes to this bug.