In order to resolve bug 1896226 and remove the templates from master nodes, the KCM operator needs to render the templates itself so that KCM can use them accordingly.
Verified pass on 4.7.0-0.nightly-2021-01-07-181010

@Fabio, before changing the status, could you help confirm if I miss something? Also, I understand it will bring any side-impact for the upgrade.

1. On master node:
sh-4.4# ls -l /etc/kubernetes/recycler-pod.yaml
-rw-r--r--. 1 root root 699 Jan 8 03:16 /etc/kubernetes/recycler-pod.yaml

2. Check CM
$ oc get cm recycler-config -n openshift-kube-controller-manager
NAME              DATA   AGE
recycler-config   1      4h49m

3. Check nfs recycler works
openshift-infra   recycler-for-pv-nfs   0/1   Pending             0   0s
openshift-infra   recycler-for-pv-nfs   0/1   Pending             0   0s
openshift-infra   recycler-for-pv-nfs   0/1   ContainerCreating   0   0s
openshift-infra   recycler-for-pv-nfs   0/1   ContainerCreating   0   2s
openshift-infra   recycler-for-pv-nfs   0/1   Completed           0   3s
openshift-infra   recycler-for-pv-nfs   0/1   Terminating         0   3s
openshift-infra   recycler-for-pv-nfs   0/1   Terminating         0   3s

[wduan@MINT ~]$ oc -n openshift-infra get pod recycler-for-pv-nfs -o yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: "2021-01-08T07:02:11Z"
spec:
  activeDeadlineSeconds: 300
  containers:
  - args:
    - -c
    - test -e /scrub && rm -rf /scrub/..?* /scrub/.[!.]* /scrub/* && test -z "$(ls -A /scrub)" || exit 1
    command:
    - /bin/bash
    image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:b622a9cc4513ff1e1e5b973d0870398a1a8d840e4f28a4e74cd0bf8a194fd447
    imagePullPolicy: IfNotPresent
    name: recycler-container
    resources: {}
    securityContext:
      runAsUser: 0
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /scrub
      name: vol
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: pv-recycler-controller-token-bn2sp
      readOnly: true
  dnsPolicy: ClusterFirst
  enableServiceLinks: true
  imagePullSecrets:
  - name: pv-recycler-controller-dockercfg-nkmvn
  nodeName: wduan-0108a-mwgzt-worker-0
  preemptionPolicy: PreemptLowerPriority
  priority: 0
  restartPolicy: Never
  schedulerName: default-scheduler
  securityContext: {}
  serviceAccount: pv-recycler-controller
  serviceAccountName: pv-recycler-controller
  terminationGracePeriodSeconds: 30
  tolerations:
  - effect: NoExecute
    key: node.kubernetes.io/not-ready
    operator: Exists
    tolerationSeconds: 300
  - effect: NoExecute
    key: node.kubernetes.io/unreachable
    operator: Exists
    tolerationSeconds: 300
  volumes:
  - name: vol
    nfs:
      path: /
      server: 172.30.31.67
  - name: pv-recycler-controller-token-bn2sp
    secret:
      defaultMode: 420
      secretName: pv-recycler-controller-token-bn2sp
@Wei I think your evaluation is correct, except for step 1: the recycler template should be projected in the /etc/kubernetes/static-pod-resources/configmaps/ directory in the KCM operator pod.
@Wei, just to clarify, the template you found on the master node (/etc/kubernetes/recycler-pod.yaml) was placed there by machine-config-operator, and we plan to remove it once the PR above is backported to 4.6.
Thanks @Fabio, I changed status to VERIFIED.

$ oc rsh kube-controller-manager-ip-10-0-195-233.us-west-2.compute.internal
Defaulting container name to kube-controller-manager.
Use 'oc describe pod/kube-controller-manager-ip-10-0-195-233.us-west-2.compute.internal -n openshift-kube-controller-manager' to see all of the containers in this pod.
sh-4.4# ls /etc/kubernetes/static-pod-resources/configmaps/recycler-config/recycler-pod.yaml
/etc/kubernetes/static-pod-resources/configmaps/recycler-config/recycler-pod.yaml
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2020:5633