Bug 1876791 - Rebase CSI sidecars for 4.6
Summary: Rebase CSI sidecars for 4.6
Keywords:
Status: VERIFIED
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Storage
Version: 4.6
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
: 4.6.0
Assignee: Jan Safranek
QA Contact: Qin Ping
URL:
Whiteboard:
: 1879222 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-09-08 07:53 UTC by Jan Safranek
Modified: 2020-09-17 14:57 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Github openshift aws-ebs-csi-driver-operator pull 87 None closed Bug 1876791: Update provisioner container to v2.0.0 2020-09-14 08:46:44 UTC
Github openshift aws-ebs-csi-driver-operator pull 89 None closed Bug 1876791: Add default fsType to provisioned PVs 2020-09-14 08:46:45 UTC
Github openshift csi-driver-manila-operator pull 60 None closed Bug 1876791: Update RBAC of the external-provisioner 2020-09-16 14:18:14 UTC
Github openshift csi-external-provisioner pull 31 None closed Bug 1876791: Rebase to v2.0.0 2020-09-14 08:46:45 UTC
Github openshift csi-external-resizer pull 112 None closed Bug 1876791: Rebase to v1.0.0 2020-09-14 08:46:43 UTC
Github openshift csi-node-driver-registrar pull 21 None closed Bug 1876791: Rebase to v2.0.1 2020-09-14 08:46:43 UTC
Github openshift ovirt-csi-driver-operator pull 27 None closed Bug 1876791: Update provisioner container to v2.0.0 2020-09-14 08:46:42 UTC

Description Jan Safranek 2020-09-08 07:53:21 UTC
Rebase these CSI sidecars to final upstream 1.19 versions:

- external-attacher: https://github.com/openshift/csi-external-attacher/pull/22
- external-provisioner: https://github.com/openshift/csi-external-provisioner/pull/31
- node-driver-registrar: https://github.com/openshift/csi-node-driver-registrar/pull/21
- external-resizer: https://github.com/openshift/csi-external-resizer/pull/112 
- external-snapshotter: waiting for upstream release, will be done in a separate BZ

Right now, we have various release candidates present in OCP 4.6, which may make their maintenance difficult.

Comment 1 Jan Safranek 2020-09-08 08:47:31 UTC
Created https://bugzilla.redhat.com/show_bug.cgi?id=1876810 to track the external-snapshotter.

Comment 2 Jan Safranek 2020-09-09 13:36:20 UTC
Rebase of the external-provisioner causes fsType of provisioned PVs to be empty. We need to fix AWS EBS CSI driver operator to restore the fsType: https://bugzilla.redhat.com/show_bug.cgi?id=1876791

Comment 3 Jan Safranek 2020-09-09 13:37:14 UTC
Correction: We need to fix AWS EBS CSI driver operator to restore the fsType: https://github.com/openshift/aws-ebs-csi-driver-operator/pull/89

Comment 6 Qin Ping 2020-09-11 05:23:44 UTC
Looks like PR: https://github.com/openshift/csi-external-provisioner/pull/31/files makes manila csi driver controllers does not work.

Can not provide PVC, get the following error from csi-provisioner container:
E0911 02:27:36.082246       1 reflector.go:127] k8s.io/client-go/informers/factory.go:134: Failed to watch *v1.VolumeAttachment: failed to list *v1.VolumeAttachment: volumeattachments.storage.k8s.io is forbidden: User "system:serviceaccount:openshift-manila-csi-driver:manila-csi-driver-controller-sa" cannot list resource "volumeattachments" in API group "storage.k8s.io" at the cluster scope

$ oc get clusterrolebindings manila-controller-privileged-binding -oyaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: "2020-09-11T01:11:56Z"
  managedFields:
  - apiVersion: rbac.authorization.k8s.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:roleRef:
        f:apiGroup: {}
        f:kind: {}
        f:name: {}
      f:subjects: {}
    manager: csi-driver-manila-operator
    operation: Update
    time: "2020-09-11T01:11:56Z"
  name: manila-controller-privileged-binding
  resourceVersion: "7251"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/manila-controller-privileged-binding
  uid: fee81456-b416-4911-bdd4-00f7c6512d54
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: manila-privileged-role
subjects:
- kind: ServiceAccount
  name: manila-csi-driver-controller-sa
  namespace: openshift-manila-csi-driver

$ oc get clusterrole manila-privileged-role -oyaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: "2020-09-11T01:11:55Z"
  managedFields:
  - apiVersion: rbac.authorization.k8s.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:rules: {}
    manager: csi-driver-manila-operator
    operation: Update
    time: "2020-09-11T01:11:55Z"
  name: manila-privileged-role
  resourceVersion: "7238"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/manila-privileged-role
  uid: 341346b4-cb11-4ada-8e2c-016f02a6ad2e
rules:
- apiGroups:
  - security.openshift.io
  resourceNames:
  - privileged
  resources:
  - securitycontextconstraints
  verbs:
  - use

Comment 7 Jan Safranek 2020-09-11 12:32:17 UTC
Good catch with Manila RBAC bug! We don't have CI for Manila, so please re-test it manually. Similar issues should be caught by CI for AWS and most probably for oVirt too (it's quite unstable due to resource restrictions)

Comment 9 Qin Ping 2020-09-15 03:23:58 UTC
Verified with: 4.6.0-0.nightly-2020-09-12-164537

Comment 10 Martin André 2020-09-17 14:57:01 UTC
*** Bug 1879222 has been marked as a duplicate of this bug. ***


Note You need to log in before you can comment on or make changes to this bug.