Bug 1825034 - e2e: Mock CSI tests fail on IBM ROKS clusters
Summary: e2e: Mock CSI tests fail on IBM ROKS clusters
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: ibm-roks-toolkit
Version: 4.5
Hardware: Unspecified
OS: Unspecified
unspecified
urgent
Target Milestone: ---
: 4.10.0
Assignee: Cesar Wong
QA Contact: Cesar Wong
URL:
Whiteboard:
Depends On: 2047911
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-04-16 21:30 UTC by Cesar Wong
Modified: 2022-03-12 04:34 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
: 2047911 (view as bug list)
Environment:
Last Closed: 2022-03-12 04:34:40 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift origin pull 26814 0 None Merged [release-4.10] Bug 1825034: IBMCloud: Concurrent CRB create 2022-03-09 22:49:10 UTC
Red Hat Product Errata RHSA-2022:0056 0 None None None 2022-03-12 04:34:54 UTC

Description Cesar Wong 2020-04-16 21:30:31 UTC
Description of problem:
Mock CSI tests fail on IBM ROKS clusters because of worker kubelet argument:
--enable-controller-attach-detach=false
Without this flag, it is expected that the attach/detach controller will handle volume attachment for a node. But with the flag, it is expected that the node itself have permission to create volume attachments. This permission is not part of the normal system:worker role.

How reproducible:
Always

Steps to Reproduce:
1. Run openshift e2e on IBM ROKS cluster

Actual results:
Mock CSI volume tests fail.

Expected results:
Mock CSI volume tests succeed.

Additional info:
Current workaround is to add a clusterrolebinding with the system:attachdetach-controller role to the system:nodes group.

Comment 1 Christopher J Schaefer 2022-01-27 16:11:26 UTC
This CRB is currently causing failures when testing Openshift IPI deployments on IBM Cloud

Jan 26 19:03:35.981: INFO: ns/openshift-console route/console disruption/ingress-to-console connection/new started responding to GET requests over new connections
[BeforeEach] [Top Level]
  /go/src/github.com/openshift/origin/_output/local/go/src/github.com/openshift/origin/test/extended/util/framework.go:1489
[BeforeEach] [Top Level]
  /go/src/github.com/openshift/origin/_output/local/go/src/github.com/openshift/origin/test/extended/util/framework.go:1489
[BeforeEach] [Top Level]
  /go/src/github.com/openshift/origin/_output/local/go/src/github.com/openshift/origin/test/extended/util/test.go:61
[BeforeEach] [sig-instrumentation] Prometheus
  /go/src/github.com/openshift/origin/_output/local/go/src/github.com/openshift/origin/test/extended/util/client.go:140
STEP: Creating a kubernetes client
[AfterEach] [sig-instrumentation] Prometheus
  /go/src/github.com/openshift/origin/_output/local/go/src/github.com/openshift/origin/test/extended/util/client.go:138
[AfterEach] [sig-instrumentation] Prometheus
  /go/src/github.com/openshift/origin/_output/local/go/src/github.com/openshift/origin/test/extended/util/client.go:139
fail [github.com/openshift/origin/test/extended/util/ibmcloud/provider.go:54]: Unexpected error:
    <*errors.StatusError | 0xc00014eb40>: {
        ErrStatus: {
            TypeMeta: {Kind: "", APIVersion: ""},
            ListMeta: {
                SelfLink: "",
                ResourceVersion: "",
                Continue: "",
                RemainingItemCount: nil,
            },
            Status: "Failure",
            Message: "clusterrolebindings.rbac.authorization.k8s.io \"e2e-node-attacher\" already exists",
            Reason: "AlreadyExists",
            Details: {
                Name: "e2e-node-attacher",
                Group: "rbac.authorization.k8s.io",
                Kind: "clusterrolebindings",
                UID: "",
                Causes: nil,
                RetryAfterSeconds: 0,
            },
            Code: 409,
        },
    }
    clusterrolebindings.rbac.authorization.k8s.io "e2e-node-attacher" already exists
occurred

failed: (1.2s) 2022-01-26T19:03:36 "[sig-instrumentation] Prometheus when installed on the cluster shouldn't report any alerts in firing state apart from Watchdog and AlertmanagerReceiversNotConfigured [Early] [Skipped:Disconnected] [Suite:openshift/conformance/parallel]"


We should remove this CRB creation for IBM Cloud in favor of the IBM Cloud managed offering (ROKS) finding a proper solution that does not break unmanaged Openshift on IBM Cloud (such as IPI deployment).

Comment 6 errata-xmlrpc 2022-03-12 04:34:40 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056


Note You need to log in before you can comment on or make changes to this bug.