Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1858800

Summary: rangeallocations.data is never updated when a project is removed
Product: OpenShift Container Platform Reporter: Maciej Szulik <maszulik>
Component: kube-controller-managerAssignee: Maciej Szulik <maszulik>
Status: CLOSED ERRATA QA Contact: RamaKasturi <knarra>
Severity: urgent Docs Contact:
Priority: urgent    
Version: 4.2.zCC: aaleman, aos-bugs, arghosh, bleanhar, bmilne, bshirren, calfonso, chuffman, fhirtz, knarra, maszulik, mfojtik, oarribas, pmuller, rhowe, travi, vlaad, wking, yinzhou
Target Milestone: ---   
Target Release: 4.4.z   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Cause: UID range allocation is never updated when a project is removed. Only restarting kube-controller-manager pod was triggering repair procedure which was clearing that range. Consequence: It is possible to exhaust the UID range on cluster with high namespace create+remove turnover. Fix: Periodically run the repair job. Result: The UID range allocation should be freed periodically (currently every 8 hours) which should not require additional kube-controller-manager restarts. It should also ensure that the range is not exhausted.
 Story Points: ---
Clone Of: 1858798
: 1858802 (view as bug list) Environment:
Last Closed: 2020-08-18 11:45:28 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1858798    
Bug Blocks: 1858802    

Comment 3 RamaKasturi 2020-08-11 09:10:06 UTC 
Verified the bug in the payload below and i see that range allocations is updated when a project is removed.

[ramakasturinarra@dhcp35-60 ~]$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.4.0-0.nightly-2020-08-07-130733   True        False         41h     Cluster version is 4.4.0-0.nightly-2020-08-07-130733

steps followed to verify the bug:
====================================
1) check projects and rangeallocations before creation & deletion of project

[ramakasturinarra@dhcp35-60 ~]$ oc get projects | wc -l
58

[ramakasturinarra@dhcp35-60 ~]$ oc get rangeallocations scc-uid -o yaml | grep -o "/" | wc -l
15

2) check projects and rangellocations after creation & deletion of 10K projects.

[ramakasturinarra@dhcp35-60 ~]$ oc get projects | wc -l
58

[ramakasturinarra@dhcp35-60 ~]$ oc get rangeallocations scc-uid -o yaml | grep -o "/" | wc -l
346
[ramakasturinarra@dhcp35-60 ~]$ oc get rangeallocations scc-uid -o yaml
apiVersion: security.openshift.io/v1
data: AVVVtVtVWq13batq2qv2q1Vd1Vq1XVVtW1VtW1qqurVVXa1vbrVV1vVrVfaqrW1q3VVVVVVWqvVra91dVVVXa9WqqtVVVVV6uqvrVWrqqrXaq22tqrVVVVVWqq6rVra1Varrtaqta6qrdrqqrVuqtVqrq7drqq7a6qtVaq7VVdWqqrdXq1WrWqqrVVWq2rVd1qqu1VVavW1tbVXXdWquq1VbatVq622qqqq1qqq1XVVbXVVWt2uruqqqqqrWqqqq7VdVVVVVq3qtVaqtqqraq1aqtVVa9a1dt16q91WrbVbWtrVVVXW3Vaqr1a6qrqrutWquurqrWuq61a2q11qqqtbW7VtVqtW1aq7VVVa1q6utVqrVaqrutVVVqqq1XVtq2qrrV1Vq3VqrWtdtata2qqqrWr1Wr2tWq1bttVVVrq7WtV21VrVeqqqtatfrXq1Vaqq1qqq1dauq1VVq1VVbVa1W1Va1barVqtVaqqt61VVWqqtVa2tatqrVVrVVVtq3uvtruqq1rVXW1a1qqqrVrvVVf3f3///d/d///f/d93ff773u/7vu73f93/3u9//f3v3v7u9/vv7/v97u/e99+773d97+//3333d77u737/fd7u/v3f+/3e79973vu733f3d3fu/vv+7vd3u99++7+7vvu993777/u9397u73d+99+7/d3v73v/vf/3e7vd+73f97373fe7/f93ff3+77733d39+7/v7+/777u7+/vf99399/d9/u/v9/+9/+7vu/f3+97/v73+7vf7/v77u++/d3u/7797vff977v3v77vu/vd/e73d3/v/v93e+//93+9/fe7vu/d73+7u7vvd3v77v393ffd3f3fu+97vffe997vv3733d77v7vfd++733d39339/3d+7u7/e/u+/7v3d9/3e93d9/3fd793vu9/e+93e/u+/e7vd/vf3+/d3u/v+/v7/e7+/9/u7u+7u/ff33e7+79793f93973ff73d3/33e7793+7v7v973v3e7u77u+97/7+7v93f3fu7vd/ve7v3e+979+77+7vd3v+/+9/9/u7u9/7/739+/ffu9797393vvu7vv77++7+93e7vfve73d3d7u733997vd/fd997/7u9+7vf933//u/u/vd737+99733f7/f993vv3d7733vfve93vd773u/733u73u99377u/d3379/73d7u/77v7v3f+9+9+73/e+/e+/v393fd93vf3ffe73d33e9373vvv/u7++73v77vvd773d7vvvvvd3d++7+7v/f+73f/f/e73vd779+973373d/f/d3f393vd+/9793d393v3e+/vu+93e+/fd79+77v7vf33/u/333+7u7333d7u9/7u93e793f//3+73d7/733397vv/9797v7vv7ve//979/vf+7vd/333fd3d+7v3f37/d39+77v9+/f37933d3793vd7393fd73vu+7vd33fu/e+/v++7337vvvd33ff399/333u99/vu7+7vv3e7u93+/33737+7vfvu7/v3fd+73ffe9/d/d3fve++77vf3v3d37u+/fvv9+7+/e/f//+/vv/93/7u7933fd7v9377u/99373vfd/v++97u73d933u77373d/37u++77vvfd379/e/97+7ve+/ff3v3+9733d/3u/vu/e97ve+/d+7vv37v97/e/3vd/v37vfu9/d3e/7u/3u/d7u/f73ff993e77+7393ffd7vd+7v3u/ff3u7vvvu97u/u/e/d9979+7393fvd+/93v3ff7vu7/e7u7v393/ve73+//ve9+733v/73f/d3337993/d9/d33vvv/f/fd7vve73/733d3ve7u+9+9/ve+7vd+/3d+77/f/d3d3vfd7+993fe/d3d7/f73ffv/9+7+7+7+9/f3vvfu+7/f7v3fe+77v/u773d337u/3/v3v97v++/ve7+7++/vvu77+7/d+/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////8=
kind: RangeAllocation
metadata:
  creationTimestamp: "2020-08-09T15:23:52Z"
  name: scc-uid
  resourceVersion: "1410655"
  selfLink: /apis/security.openshift.io/v1/rangeallocations/scc-uid
  uid: 95364728-0f1b-4e29-9927-eee7ab4720d4
range: 1000000000-1999999999/10000


[ramakasturinarra@dhcp35-60 ~]$ oc get rangeallocations scc-uid -o yaml | grep -o "/" | wc -l
15

[ramakasturinarra@dhcp35-60 ~]$ oc get projects | wc -l
58

[ramakasturinarra@dhcp35-60 ~]$ oc get rangeallocations scc-uid -o yaml
apiVersion: security.openshift.io/v1
data: Af////////8=
kind: RangeAllocation
metadata:
  creationTimestamp: "2020-08-09T15:23:52Z"
  name: scc-uid
  resourceVersion: "1764953"
  selfLink: /apis/security.openshift.io/v1/rangeallocations/scc-uid
  uid: 95364728-0f1b-4e29-9927-eee7ab4720d4
range: 1000000000-1999999999/10000

Based on the above moving the bug to verified state.
Comment 5 errata-xmlrpc 2020-08-18 11:45:28 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.4.17 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:3334