Bug 1822286 - [sig-network] IngressClass [Feature:Ingress] should prevent Ingress creation if more than 1 IngressClass marked as default [Suite:openshift/conformance/parallel] [Suite:k8s]
Summary: [sig-network] IngressClass [Feature:Ingress] should prevent Ingress creation ...
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.5
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.5.0
Assignee: Daneyon Hansen
QA Contact: Arvind iyengar
Depends On:
TreeView+ depends on / blocked
Reported: 2020-04-08 16:45 UTC by Dan Williams
Modified: 2022-08-04 22:27 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2020-07-13 17:26:16 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Github openshift origin pull 24927 0 None closed Bug 1822286: Serializes k8s IngressClass test 2020-07-28 10:30:22 UTC
Red Hat Product Errata RHBA-2020:2409 0 None None None 2020-07-13 17:26:47 UTC

Description Dan Williams 2020-04-08 16:45:25 UTC
PR is a test skip for ovn-kubernetes, which is not even used in this e2e-gcp job, so is unrelated to the failure.


Comment 1 Dan Mace 2020-04-16 18:18:27 UTC
Ran this test 500 times against a 4.5 cluster with no flaking. Another data point: the admission controller plugin that enforces the constraint verified in the test is compiled into the apiserver and I'm not sure it's configurable. Not clear yet under what conditions the plugin could somehow be disabled or misbehaving.

Comment 2 Dan Mace 2020-04-16 18:25:59 UTC
Upon closer inspection of the admission code[1], it does seem at least _possible_ that an informer cache consistency issue could result in the admission plugin skipping defaulting of the Ingress if the IngressClass resources were persisted and the list call didn't return them (or returned just one of them).

[1] https://github.com/openshift/origin/blob/master/vendor/k8s.io/kubernetes/plugin/pkg/admission/defaultingressclass/admission.go#L150

Comment 3 Dan Mace 2020-04-17 14:11:36 UTC
More digging is needed, but I'm suspicious of the design of that admission plugin. Stale cache data can cause it to make the wrong admission decision, and there's no controller which can correct for mistakes. It seems inherently racy with IngressClass persistence. Maybe the "only one default IngressClass" invariant itself needs enforced during admission so that this plugin doesn't need to make the racy check itself.

Comment 4 Daneyon Hansen 2020-04-28 20:08:42 UTC
Test [1] should be run [Serial] since it causes other ingresses that do not specify an ingressclass [2] to use the default ingressclass created by [1] when [3] runs in parallel.

[1] https://github.com/openshift/origin/blob/master/vendor/k8s.io/kubernetes/test/e2e/network/ingressclass.go#L69-L94
[2] https://github.com/openshift/origin/blob/master/test/extended/testdata/router/ingress.yaml
[3] https://github.com/openshift/origin/blob/master/test/extended/router/router.go#L70-L100

Comment 8 errata-xmlrpc 2020-07-13 17:26:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.