Bug 1905298 - openshift-apiserver initContainer fix-audit-permissions is not requesting required resources: cpu, memory
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: openshift-apiserver
Version: 4.7
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.7.0
Assignee: Luis Sanchez
QA Contact: Ke Wang
Whiteboard: LifecycleReset
Depends On:
Reported: 2020-12-08 01:20 UTC by W. Trevor King
Modified: 2021-02-24 15:40 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2021-02-24 15:40:33 UTC
Target Upstream Version:


System ID Private Priority Status Summary Last Updated
Github openshift cluster-openshift-apiserver-operator pull 428 0 None closed Bug 1905298: openshift-apiserver initContainer fix-audit-permissions is not requesting required resources: cpu, memory 2021-02-02 09:10:17 UTC
Red Hat Product Errata RHSA-2020:5633 0 None None None 2021-02-24 15:40:50 UTC

Description W. Trevor King 2020-12-08 01:20:26 UTC
Per Clayton, initContainers must set both of these going forward [1], while [2] is showing:

openshift-apiserver/apiserver-6cf9ccc477-c7brk container initContainers[0] (fix-audit-permissions) is not requesting required resources: cpu, memory
openshift-apiserver/apiserver-6cf9ccc477-hd77c container initContainers[0] (fix-audit-permissions) is not requesting required resources: cpu, memory
openshift-apiserver/apiserver-6cf9ccc477-m898c container initContainers[0] (fix-audit-permissions) is not requesting required resources: cpu, memory

as part of failing:

  [sig-arch] Managed cluster should ensure control plane containers have requests set for cpu and memory [Suite:openshift/conformance/parallel]

origin/25747 is in flight to transition an existing, but overly relaxed, test-case to explicitly require both requests on all containers.  Any components which have not been fixed after an initial pass will have temporary exceptions linked to their tracking bugs when the stricter test lands.

[1]: https://github.com/openshift/enhancements/blob/master/CONVENTIONS.md#resources-and-limits
[2]: https://prow.ci.openshift.org/view/gs/origin-ci-test/pr-logs/pull/25747/pull-ci-openshift-origin-master-e2e-gcp/1336048716389289984
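
The rule described in this report, as an added example that is not the origin test's own code: a small audit that walks both `initContainers` and `containers` of a pod list and reports any container without a cpu or memory request. The finding format mirrors the failure lines quoted above; the sample pod names, the `containers[...]` wording for regular containers and the 100m/200Mi values are assumptions constructed for illustration.

```python
import json
import sys

REQUIRED = ("cpu", "memory")


def missing_requests(pod_list):
    """Return one finding per container that lacks a cpu or memory request."""
    findings = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        ref = f"{meta.get('namespace')}/{meta.get('name')}"
        spec = pod.get("spec", {})
        # initContainers are held to the same rule as regular containers.
        for field in ("initContainers", "containers"):
            for idx, ctr in enumerate(spec.get(field) or []):
                requests = (ctr.get("resources") or {}).get("requests") or {}
                missing = [r for r in REQUIRED if not requests.get(r)]
                if missing:
                    findings.append(
                        f"{ref} container {field}[{idx}] ({ctr.get('name')}) is not "
                        f"requesting required resources: {', '.join(missing)}"
                    )
    return findings


def _pod(name, init_resources, main_requests):
    """Build a constructed pod with one init container and one main container."""
    return {
        "metadata": {"namespace": "openshift-apiserver", "name": name},
        "spec": {
            "initContainers": [{"name": "fix-audit-permissions", "resources": init_resources}],
            "containers": [{"name": "openshift-apiserver", "resources": {"requests": main_requests}}],
        },
    }


# Constructed sample: pod "a" has the gap from this report; pod "b" carries the
# 15m/50Mi requests shown later on this page, but its main container lacks memory.
SAMPLE = {"items": [
    _pod("apiserver-example-a", {}, {"cpu": "100m", "memory": "200Mi"}),
    _pod("apiserver-example-b", {"requests": {"cpu": "15m", "memory": "50Mi"}}, {"cpu": "100m"}),
]}

if __name__ == "__main__":
    # Pass "-" to read `oc get pods -n <namespace> -o json` from stdin; default is the sample.
    data = json.load(sys.stdin) if sys.argv[1:] == ["-"] else SAMPLE
    results = missing_requests(data)
    print("\n".join(results))
    sys.exit(1 if results else 0)
```

The non-zero exit status on any finding lets the check gate a CI job or a pre-merge manifest review.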

Comment 1 Michal Fojtik 2021-01-07 01:24:32 UTC
This bug hasn't had any activity in the last 30 days. Maybe the problem got resolved, was a duplicate of something else, or became less pressing for some reason - or maybe it's still relevant but just hasn't been looked at yet. As such, we're marking this bug as "LifecycleStale" and decreasing the severity/priority. If you have further information on the current state of the bug, please update it, otherwise this bug can be closed in about 7 days. The information can be, for example, that the problem still occurs, that you still want the feature, that more information is needed, or that the bug is (for whatever reason) no longer relevant. Additionally, you can add LifecycleFrozen into Keywords if you think this bug should never be marked as stale. Please consult with bug assignee before you do that.

Comment 2 Michal Fojtik 2021-01-27 18:15:40 UTC
The LifecycleStale keyword was removed because the needinfo? flag was reset.
The bug assignee was notified.

Comment 4 Ke Wang 2021-02-03 10:46:28 UTC
$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.7.0-0.nightly-2021-02-02-223803   True        False         7h3m    Cluster version is 4.7.0-0.nightly-2021-02-02-223803

$ oc get pods -n openshift-apiserver
NAME                         READY   STATUS    RESTARTS   AGE
apiserver-68b8f4d445-khj5z   2/2     Running   0          3h28m
apiserver-68b8f4d445-qrww4   2/2     Running   0          3h27m
apiserver-68b8f4d445-wgbfq   2/2     Running   0          3h31m

$ oc get pod -n openshift-apiserver apiserver-68b8f4d445-khj5z -o json | jq .spec.initContainers
    "command": [
      "chmod 0700 /var/log/openshift-apiserver && touch /var/log/openshift-apiserver/audit.log && chmod 0600 /var/log/openshift-apiserver/*"
    "image": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:c9378bf77e687e3522d733bcea27cfa5009aade3b4420a2bcbfdc00e1e242e1a",
    "imagePullPolicy": "IfNotPresent",
    "name": "fix-audit-permissions",
    "resources": {
      "requests": {
        "cpu": "15m",
        "memory": "50Mi"
    "securityContext": {
      "privileged": true
    "terminationMessagePath": "/dev/termination-log",
    "terminationMessagePolicy": "FallbackToLogsOnError",
    "volumeMounts": [
        "mountPath": "/var/log/openshift-apiserver",
        "name": "audit-dir"
        "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount",
        "name": "openshift-apiserver-sa-token-dr2fc",
        "readOnly": true

The initContainers of the apiserver pod are started with the required cpu and memory resources, so moving the bug to VERIFIED.

Comment 7 errata-xmlrpc 2021-02-24 15:40:33 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

