Bug 1820243 - [4.2] node-ca daemonset toleration conflicts with clusterlogging CR
Summary: [4.2] node-ca daemonset toleration conflicts with clusterlogging CR
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Image Registry
Version: 4.2.z
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
: 4.2.z
Assignee: Oleg Bulatov
QA Contact: Wenjing Zheng
URL:
Whiteboard:
Depends On: 1820242
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-04-02 15:10 UTC by Oleg Bulatov
Modified: 2020-05-13 11:07 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: the nodeca daemon didn't tolerate the NoExecute taint, but ClusterLogging documentation recommends to use NoExecute Consequence: the nodeca daemon doesn't manage certificates on such nodes Fix: tolerate all taints Result: additionalTrustedCA are synced to all nodes with any taints
Clone Of: 1820242
Environment:
Last Closed: 2020-05-13 11:07:19 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift cluster-image-registry-operator pull 538 0 None closed [release-4.2] Bug 1820243: nodeca daemon should tolerate all taints 2020-05-06 02:29:11 UTC
Red Hat Product Errata RHBA-2020:2023 0 None None None 2020-05-13 11:07:40 UTC

Comment 3 XiuJuan Wang 2020-05-06 06:26:22 UTC
After add taints to nodes to only run Logging components, the node-ca pods don't be deleted. Verified on 4.2.0-0.nightly-2020-05-05-113123 cluster.

$oc adm taint nodes ip-10-0-159-150.us-east-2.compute.internal logging=true:NoExecute
node/ip-10-0-159-150.us-east-2.compute.internal tainted

$oc get node ip-10-0-159-150.us-east-2.compute.internal  -o yaml | grep taint -A 4
  taints:
  - effect: NoExecute
    key: logging
    value: "true"

$ oc get pods -o wide
NAME                                               READY   STATUS    RESTARTS   AGE    IP            NODE                                         NOMINATED NODE   READINESS GATES
cluster-image-registry-operator-79f9bc487b-blbmg   2/2     Running   0          115m   10.129.0.27   ip-10-0-172-137.us-east-2.compute.internal   <none>           <none>
image-registry-7b77849cf-dngp7                     1/1     Running   0          115m   10.131.0.6    ip-10-0-173-90.us-east-2.compute.internal    <none>           <none>
node-ca-6pmbq                                      1/1     Running   0          115m   10.129.0.30   ip-10-0-172-137.us-east-2.compute.internal   <none>           <none>
node-ca-dcdnp                                      1/1     Running   0          115m   10.130.0.21   ip-10-0-131-9.us-east-2.compute.internal     <none>           <none>
node-ca-llzw6                                      1/1     Running   0          115m   10.129.2.2    ip-10-0-159-150.us-east-2.compute.internal   <none>           <none>
node-ca-rq9xh                                      1/1     Running   0          115m   10.128.0.32   ip-10-0-159-249.us-east-2.compute.internal   <none>           <none>
node-ca-s2k7h                                      1/1     Running   0          115m   10.128.2.2    ip-10-0-129-102.us-east-2.compute.internal   <none>           <none>
node-ca-v2dd2                                      1/1     Running   0          115m   10.131.0.3    ip-10-0-173-90.us-east-2.compute.internal    <none>           <none>

Comment 5 errata-xmlrpc 2020-05-13 11:07:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2023


Note You need to log in before you can comment on or make changes to this bug.