Bug 1868478 - Cluster version operator does not manage shareProcessNamespace on pods and their consumers
Summary: Cluster version operator does not manage shareProcessNamespace on pods and th...
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Cluster Version Operator
Version: 4.1.z
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.5.z
Assignee: Vadim Rutkovsky
QA Contact: Wenjing Zheng
Depends On: 1866554
TreeView+ depends on / blocked
Reported: 2020-08-12 19:22 UTC by OpenShift BugZilla Robot
Modified: 2020-09-08 10:55 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: CVO was not syncing shareProcessNamespace parameter in pod spec Consequence: registry operator didn't get shareProcessNamespace setting updated, so the watchdog was miconfigured Fix: CVO synced shareProcessNamespace, DNSPolicy and TerminationGracePeriodSeconds Result: registry operator got updated properly
Clone Of:
Last Closed: 2020-09-08 10:54:46 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
Github openshift cluster-version-operator pull 433 None closed Bug 1868478: lib/resourcemerge/core: set ShareProcessNamespace, DNSConfig and TerminationGracePeriodSeconds 2020-09-08 03:55:09 UTC
Red Hat Product Errata RHBA-2020:3510 None None None 2020-09-08 10:55:29 UTC

Description OpenShift BugZilla Robot 2020-08-12 19:22:57 UTC
+++ This bug was initially created as a clone of Bug #1866554 +++

The image-registry folks added shareProcessNamespace to a Deployment between 4.1 and 4.2:

$ git --no-pager log --oneline -G shareProcessNamespace origin/release-4.2..origin/master -- manifests
...no hits...
$ git --no-pager log --oneline -G shareProcessNamespace origin/release-4.1..origin/master -- manifests
cc9e9fe05 (origin/pr/364) Integrating watchdog as a sidecar to registry operator.
3803d25ff Revert "Integrating watchdog as a sidecar to registry operator."
ffbb403ef (origin/pr/342) Integrating watchdog as a sidecar to registry operator.

But the CVO does not reconcile that property today.  That means that whatever the value was when the manifest was created would be preserved regardless of the value in future manifests.  We should start reconciling this property and probably audit for other missing pod properties, and then port that fix back probably as far as we can excepting end-of-life versions.

Spun out from bug 1857782.

Comment 1 W. Trevor King 2020-08-21 22:25:57 UTC
Waiting for bug 1866554 to be verified.

Comment 5 Wenjing Zheng 2020-08-31 14:04:19 UTC
Verified with this upgrade path: 4.1.41->4.2.36->4.3.33->4.4.18->4.5.0-0.nightly-2020-08-29-080432
$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.5.0-0.nightly-2020-08-29-080432   True        False         5m32s   Cluster version is 4.5.0-0.nightly-2020-08-29-080432
$ oc -n openshift-image-registry get -o jsonpath='{.spec.template.spec.shareProcessNamespace}{"\n"}' deployment cluster-image-registry-operator

Comment 7 errata-xmlrpc 2020-09-08 10:54:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.5.8 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.