Bug 1858800 - rangeallocations.data is never updated when a project is removed
Summary: rangeallocations.data is never updated when a project is removed
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: kube-controller-manager
Version: 4.2.z
Hardware: Unspecified
OS: Unspecified
urgent
urgent
Target Milestone: ---
: 4.4.z
Assignee: Maciej Szulik
QA Contact: RamaKasturi
URL:
Whiteboard:
Depends On: 1858798
Blocks: 1858802
TreeView+ depends on / blocked
 
Reported: 2020-07-20 12:39 UTC by Maciej Szulik
Modified: 2020-08-18 11:46 UTC (History)
19 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: UID range allocation is never updated when a project is removed. Only restarting kube-controller-manager pod was triggering repair procedure which was clearing that range. Consequence: It is possible to exhaust the UID range on cluster with high namespace create+remove turnover. Fix: Periodically run the repair job. Result: The UID range allocation should be freed periodically (currently every 8 hours) which should not require additional kube-controller-manager restarts. It should also ensure that the range is not exhausted.
Clone Of: 1858798
: 1858802 (view as bug list)
Environment:
Last Closed: 2020-08-18 11:45:28 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift cluster-policy-controller pull 33 0 None closed [release-4.4] Bug 1858800: add UID deallocation logic 2020-10-08 01:33:50 UTC
Red Hat Product Errata RHBA-2020:3334 0 None None None 2020-08-18 11:46:11 UTC

Comment 3 RamaKasturi 2020-08-11 09:10:06 UTC 
Verified the bug in the payload below and i see that range allocations is updated when a project is removed.

[ramakasturinarra@dhcp35-60 ~]$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.4.0-0.nightly-2020-08-07-130733   True        False         41h     Cluster version is 4.4.0-0.nightly-2020-08-07-130733

steps followed to verify the bug:
====================================
1) check projects and rangeallocations before creation & deletion of project

[ramakasturinarra@dhcp35-60 ~]$ oc get projects | wc -l
58

[ramakasturinarra@dhcp35-60 ~]$ oc get rangeallocations scc-uid -o yaml | grep -o "/" | wc -l
15

2) check projects and rangellocations after creation & deletion of 10K projects.

[ramakasturinarra@dhcp35-60 ~]$ oc get projects | wc -l
58

[ramakasturinarra@dhcp35-60 ~]$ oc get rangeallocations scc-uid -o yaml | grep -o "/" | wc -l
346
[ramakasturinarra@dhcp35-60 ~]$ oc get rangeallocations scc-uid -o yaml
apiVersion: security.openshift.io/v1
data: AVVVtVtVWq13batq2qv2q1Vd1Vq1XVVtW1VtW1qqurVVXa1vbrVV1vVrVfaqrW1q3VVVVVVWqvVra91dVVVXa9WqqtVVVVV6uqvrVWrqqrXaq22tqrVVVVVWqq6rVra1Varrtaqta6qrdrqqrVuqtVqrq7drqq7a6qtVaq7VVdWqqrdXq1WrWqqrVVWq2rVd1qqu1VVavW1tbVXXdWquq1VbatVq622qqqq1qqq1XVVbXVVWt2uruqqqqqrWqqqq7VdVVVVVq3qtVaqtqqraq1aqtVVa9a1dt16q91WrbVbWtrVVVXW3Vaqr1a6qrqrutWquurqrWuq61a2q11qqqtbW7VtVqtW1aq7VVVa1q6utVqrVaqrutVVVqqq1XVtq2qrrV1Vq3VqrWtdtata2qqqrWr1Wr2tWq1bttVVVrq7WtV21VrVeqqqtatfrXq1Vaqq1qqq1dauq1VVq1VVbVa1W1Va1barVqtVaqqt61VVWqqtVa2tatqrVVrVVVtq3uvtruqq1rVXW1a1qqqrVrvVVf3f3///d/d///f/d93ff773u/7vu73f93/3u9//f3v3v7u9/vv7/v97u/e99+773d97+//3333d77u737/fd7u/v3f+/3e79973vu733f3d3fu/vv+7vd3u99++7+7vvu993777/u9397u73d+99+7/d3v73v/vf/3e7vd+73f97373fe7/f93ff3+77733d39+7/v7+/777u7+/vf99399/d9/u/v9/+9/+7vu/f3+97/v73+7vf7/v77u++/d3u/7797vff977v3v77vu/vd/e73d3/v/v93e+//93+9/fe7vu/d73+7u7vvd3v77v393ffd3f3fu+97vffe997vv3733d77v7vfd++733d39339/3d+7u7/e/u+/7v3d9/3e93d9/3fd793vu9/e+93e/u+/e7vd/vf3+/d3u/v+/v7/e7+/9/u7u+7u/ff33e7+79793f93973ff73d3/33e7793+7v7v973v3e7u77u+97/7+7v93f3fu7vd/ve7v3e+979+77+7vd3v+/+9/9/u7u9/7/739+/ffu9797393vvu7vv77++7+93e7vfve73d3d7u733997vd/fd997/7u9+7vf933//u/u/vd737+99733f7/f993vv3d7733vfve93vd773u/733u73u99377u/d3379/73d7u/77v7v3f+9+9+73/e+/e+/v393fd93vf3ffe73d33e9373vvv/u7++73v77vvd773d7vvvvvd3d++7+7v/f+73f/f/e73vd779+973373d/f/d3f393vd+/9793d393v3e+/vu+93e+/fd79+77v7vf33/u/333+7u7333d7u9/7u93e793f//3+73d7/733397vv/9797v7vv7ve//979/vf+7vd/333fd3d+7v3f37/d39+77v9+/f37933d3793vd7393fd73vu+7vd33fu/e+/v++7337vvvd33ff399/333u99/vu7+7vv3e7u93+/33737+7vfvu7/v3fd+73ffe9/d/d3fve++77vf3v3d37u+/fvv9+7+/e/f//+/vv/93/7u7933fd7v9377u/99373vfd/v++97u73d933u77373d/37u++77vvfd379/e/97+7ve+/ff3v3+9733d/3u/vu/e97ve+/d+7vv37v97/e/3vd/v37vfu9/d3e/7u/3u/d7u/f73ff993e77+7393ffd7vd+7v3u/ff3u7vvvu97u/u/e/d9979+7393fvd+/93v3ff7vu7/e7u7v393/ve73+//ve9+733v/73f/d3337993/d9/d33vvv/f/fd7vve73/733d3ve7u+9+9/ve+7vd+/3d+77/f/d3d3vfd7+993fe/d3d7/f73ffv/9+7+7+7+9/f3vvfu+7/f7v3fe+77v/u773d337u/3/v3v97v++/ve7+7++/vvu77+7/d+/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////8=
kind: RangeAllocation
metadata:
  creationTimestamp: "2020-08-09T15:23:52Z"
  name: scc-uid
  resourceVersion: "1410655"
  selfLink: /apis/security.openshift.io/v1/rangeallocations/scc-uid
  uid: 95364728-0f1b-4e29-9927-eee7ab4720d4
range: 1000000000-1999999999/10000


[ramakasturinarra@dhcp35-60 ~]$ oc get rangeallocations scc-uid -o yaml | grep -o "/" | wc -l
15

[ramakasturinarra@dhcp35-60 ~]$ oc get projects | wc -l
58

[ramakasturinarra@dhcp35-60 ~]$ oc get rangeallocations scc-uid -o yaml
apiVersion: security.openshift.io/v1
data: Af////////8=
kind: RangeAllocation
metadata:
  creationTimestamp: "2020-08-09T15:23:52Z"
  name: scc-uid
  resourceVersion: "1764953"
  selfLink: /apis/security.openshift.io/v1/rangeallocations/scc-uid
  uid: 95364728-0f1b-4e29-9927-eee7ab4720d4
range: 1000000000-1999999999/10000

Based on the above moving the bug to verified state.
Comment 5 errata-xmlrpc 2020-08-18 11:45:28 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.4.17 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:3334
Note You need to log in before you can comment on or make changes to this bug.