Description of problem:
The node-ca daemonset tolerations don't match expected configuration from the operator.

Version-Release number of selected component (if applicable):
4.5.16

How reproducible:
Unknown

Steps to Reproduce:
1.
2.
3.

Actual results:
apiVersion: apps/v1
kind: DaemonSet
metadata:
  annotations:
    deprecated.daemonset.template.generation: "4472"
  creationTimestamp: "2019-06-20T15:59:21Z"
  generation: 4472
  name: node-ca
  namespace: openshift-image-registry
  resourceVersion: "541513829"
  selfLink: /apis/apps/v1/namespaces/openshift-image-registry/daemonsets/node-ca
  uid: 5e1dc93b-9374-11e9-8e82-02f26c1531a4
spec:
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      name: node-ca
  template:
    metadata:
      creationTimestamp: null
      labels:
        name: node-ca
    spec:
      containers:
      - command:
        - /bin/sh
        - -c
        - |
          while [ true ]; do
            for f in $(ls /tmp/serviceca); do
              echo $f
              ca_file_path="/tmp/serviceca/${f}"
              f=$(echo $f | sed -r 's/(.*)\.\./\1:/')
              reg_dir_path="/etc/docker/certs.d/${f}"
              if [ -e "${reg_dir_path}" ]; then
                cp -u $ca_file_path $reg_dir_path/ca.crt
              else
                mkdir $reg_dir_path
                cp $ca_file_path $reg_dir_path/ca.crt
              fi
            done
            for d in $(ls /etc/docker/certs.d); do
              echo $d
              dp=$(echo $d | sed -r 's/(.*):/\1\.\./')
              reg_conf_path="/tmp/serviceca/${dp}"
              if [ ! -e "${reg_conf_path}" ]; then
                rm -rf /etc/docker/certs.d/$d
              fi
            done
            sleep 60
          done
        image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:313e7b5a1e8d45f529e75c1726f9791c915ddebb168e34d75a1220e64d19b0ba
        imagePullPolicy: IfNotPresent
        name: node-ca
        resources: {}
        securityContext:
          privileged: true
          procMount: Default
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /tmp/serviceca
          name: serviceca
        - mountPath: /etc/docker/certs.d
          name: host
      dnsPolicy: ClusterFirst
      nodeSelector:
        beta.kubernetes.io/os: linux
      priorityClassName: system-cluster-critical
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      serviceAccount: node-ca
      serviceAccountName: node-ca
      terminationGracePeriodSeconds: 30
      tolerations:
      - effect: NoSchedule
        key: node-role.kubernetes.io/master
        operator: Exists
      volumes:
      - hostPath:
          path: /etc/docker/certs.d
          type: ""
        name: host
      - configMap:
          defaultMode: 420
          name: image-registry-certificates
        name: serviceca
  updateStrategy:
    rollingUpdate:
      maxUnavailable: 1
    type: RollingUpdate
status:
  currentNumberScheduled: 10
  desiredNumberScheduled: 10
  numberAvailable: 10
  numberMisscheduled: 0
  numberReady: 10
  observedGeneration: 4472
  updatedNumberScheduled: 10

Expected results:
https://github.com/openshift/cluster-image-registry-operator/blob/d9969bbbf8b5ac89e9e1aee5ca3a6319f37cb1e6/bindata/nodecadaemon.yaml#L18-L19

Additional info:
Workaround: The node-ca daemonset can be patched with the following:

oc patch -n openshift-image-registry daemonset/node-ca --type=merge -p '{"spec":{"template":{"spec":{"tolerations":[{"operator":"Exists"}]}}}}'
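What separates the tolerations in the reported DaemonSet from the single `operator: Exists` toleration in the workaround, as an added example (not part of the bug report or the operator's code): it applies the Kubernetes toleration-matching rules to both lists. The node names and taints are constructed samples, and the function names are illustrative.

```python
# Added example: toleration matching for the two toleration lists on this page.
REPORTED = [{"effect": "NoSchedule", "key": "node-role.kubernetes.io/master",
             "operator": "Exists"}]          # from the DaemonSet in the report
WORKAROUND = [{"operator": "Exists"}]        # from the oc patch workaround

# Constructed sample nodes -> taints (not taken from the reporter's cluster).
SAMPLE_NODES = {
    "master-0": [{"key": "node-role.kubernetes.io/master", "effect": "NoSchedule"}],
    "infra-0": [{"key": "node-role.kubernetes.io/infra", "effect": "NoSchedule"}],
    "gpu-0": [{"key": "example.com/gpu", "value": "true", "effect": "NoExecute"}],
    "worker-0": [],
}


def tolerates(toleration, taint):
    """Return True if one toleration matches one taint (Kubernetes rules)."""
    # An empty effect on the toleration matches every taint effect.
    if toleration.get("effect") and toleration["effect"] != taint.get("effect"):
        return False
    key = toleration.get("key", "")
    op = toleration.get("operator", "Equal")  # Equal is the API default
    if not key:
        # An empty key is only valid with Exists and then matches every key.
        return op == "Exists"
    if key != taint.get("key"):
        return False
    if op == "Exists":
        return True
    return toleration.get("value", "") == taint.get("value", "")


def untolerated(tolerations, taints):
    """Taints that keep a pod off the node (PreferNoSchedule never blocks)."""
    return [t for t in taints
            if t.get("effect") != "PreferNoSchedule"
            and not any(tolerates(tol, t) for tol in tolerations)]


def uncovered_nodes(tolerations, nodes):
    """Map node name -> blocking taint keys, for nodes the pod cannot run on."""
    blocked = {name: [t["key"] for t in untolerated(tolerations, taints)]
               for name, taints in nodes.items()}
    return {name: keys for name, keys in blocked.items() if keys}


if __name__ == "__main__":
    print("reported  :", uncovered_nodes(REPORTED, SAMPLE_NODES))
    print("workaround:", uncovered_nodes(WORKAROUND, SAMPLE_NODES))
```

DaemonSet pods also receive automatic tolerations for the `node.kubernetes.io/*` condition taints, which this model leaves out; to check a live cluster, fill `SAMPLE_NODES` from each node's `spec.taints`.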
As 4.5 has reached its Maintenance Support phase and this is a medium severity BZ with a workaround, we are not going to fix it.