Bug 1921894 - Backport Avoid node disruption when kube-apiserver-to-kubelet-signer is rotated
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Machine Config Operator
Version: 4.7
Hardware: All
OS: Linux
Target Milestone: ---
: 4.8.0
Assignee: Yu Qi Zhang
QA Contact: Michael Nguyen
Depends On:
Blocks: 1939278
Reported: 2021-01-28 19:03 UTC by Jeremy Eder
Modified: 2021-11-02 07:08 UTC

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
: 1939278
Last Closed: 2021-07-27 22:37:10 UTC
Target Upstream Version:


| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Github | openshift machine-config-operator pull 2398 | 0 | None | closed | Add kubelet CA to no-reboot action list/Do not drain for non-reboot actions | 2021-03-15 22:12:39 UTC |
| Red Hat Product Errata | RHSA-2021:2438 | 0 | None | None | None | 2021-07-27 22:37:37 UTC |

Comment 13 Michael Nguyen 2021-03-16 16:53:46 UTC
Verified on 4.8.0-0.nightly-2021-03-16-111809.  

Watched `oc get nodes` and `oc get mcp` then ran `oc patch secret -p='{"metadata": {"annotations": {"auth.openshift.io/certificate-not-after": null}}}' kube-apiserver-to-kubelet-signer -n openshift-kube-apiserver-operator`.

Observed nodes stayed ready and control + compute machine config pools quickly went from Updating to Updated (under 30 seconds).

Comment 19 errata-xmlrpc 2021-07-27 22:37:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

