+++ This bug was initially created as a clone of Bug #1923096 +++ Description of problem: The daemonSet does not get updated with the new value when the nodeSelector and Tolerations sections of the FileIntegrity object get changed. Version-Release number of selected component (if applicable): 4.7.0-0.nightly-2021-01-31-031653 How reproducible: Always Steps to Reproduce: 1. Deploy File Integrity Operator $ oc get pods -nopenshift-file-integrity -w NAME READY STATUS RESTARTS AGE file-integrity-operator-65db875847-zxlkk 1/1 Running 0 18s $ oc get mcp NAME CONFIG UPDATED UPDATING DEGRADED MACHINECOUNT READYMACHINECOUNT UPDATEDMACHINECOUNT DEGRADEDMACHINECOUNT AGE master rendered-master-d7157ff308ddade43a9419e0ced98794 True False False 3 3 3 0 5h31m worker rendered-worker-12392dc145480f768d4cfc43caa8958b True False False 2 2 2 0 5h31m wscan rendered-wscan-aea02f26081e1c2900a8fb21eb67c39c True False False 1 1 1 0 3h26m 2. Create FileIntegrity object $ oc create -f - <<< '{"apiVersion":"fileintegrity.openshift.io/v1alpha1","kind":"FileIntegrity","metadata":{"name":"example-fileintegrity","namespace":"openshift-file-integrity"},"spec":{"nodeSelector":{"node-role.kubernetes.io/worker":""},"config":{}}}' fileintegrity.fileintegrity.openshift.io/example-fileintegrity created $ oc describe ds aide-ds-example-fileintegrity | grep Node-Selector Node-Selector: node-role.kubernetes.io/worker= 3. Check for daemonset and nodeSelector value $ oc get all -nopenshift-file-integrity NAME READY STATUS RESTARTS AGE pod/aide-ds-example-fileintegrity-8chdq 1/1 Running 0 42s pod/aide-ds-example-fileintegrity-c7bmg 1/1 Running 0 42s pod/aide-ds-example-fileintegrity-whs5x 1/1 Running 0 42s pod/file-integrity-operator-65db875847-zxlkk 1/1 Running 0 4m51s NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE service/file-integrity-operator-metrics ClusterIP 172.30.212.144 <none> 8383/TCP,8686/TCP 4m19s NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE daemonset.apps/aide-ds-example-fileintegrity 3 3 3 3 3 node-role.kubernetes.io/worker= 43s <<----- NAME READY UP-TO-DATE AVAILABLE AGE deployment.apps/file-integrity-operator 1/1 1 1 5m14s NAME DESIRED CURRENT READY AGE replicaset.apps/file-integrity-operator-65db875847 1 1 1 5m16s 4. Patch the FileIntegrity object with another nodeSelector value i.e wscan $ oc patch fileintegrities.fileintegrity.openshift.io example-fileintegrity --type json --patch='[{"op":"remove","path":"/spec/nodeSelector/node-role.kubernetes.io~1worker"},{"op":"add","path":"/spec/nodeSelector/node-role.kubernetes.io~1wscan","value":""}]' fileintegrity.fileintegrity.openshift.io/example-fileintegrity patched 5. Check daemonset pod if the nodeSelector value get changed to wscan $ oc describe ds aide-ds-example-fileintegrity | grep Node-Selector Node-Selector: node-role.kubernetes.io/worker= Actual results: The daemonSet does not get updated with the new value when the nodeSelector and Tolerations sections of the FileIntegrity object get changed. Expected results: The daemonSet should get updated with the new value when the nodeSelector and Tolerations sections of the FileIntegrity object get changed. Additional info:
[ Bug Verification ] This looks good to me. Now, the daemonSet gets udated with the new value when the nodeSelector and Tolerations sections of the FileIntegrity object get changed. Verified On: 4.6.0-0.nightly-2021-02-04-001315 file-integrity-operator.v0.1.10 $ oc get clusterversion NAME VERSION AVAILABLE PROGRESSING SINCE STATUS version 4.6.0-0.nightly-2021-02-04-001315 True False 43m Cluster version is 4.6.0-0.nightly-2021-02-04-001315 $ oc get csv NAME DISPLAY VERSION REPLACES PHASE file-integrity-operator.v0.1.10 File Integrity Operator 0.1.10 Succeeded $ oc get pods NAME READY STATUS RESTARTS AGE file-integrity-operator-54fbb9f57d-rtqfl 1/1 Running 0 73s $ oc get nodes NAME STATUS ROLES AGE VERSION ip-10-0-148-15.us-east-2.compute.internal Ready master 83m v1.19.0+e49167a ip-10-0-159-91.us-east-2.compute.internal Ready worker 78m v1.19.0+e49167a ip-10-0-181-179.us-east-2.compute.internal Ready master 79m v1.19.0+e49167a ip-10-0-190-177.us-east-2.compute.internal Ready worker 78m v1.19.0+e49167a ip-10-0-197-78.us-east-2.compute.internal Ready master 79m v1.19.0+e49167a ip-10-0-216-202.us-east-2.compute.internal Ready worker 74m v1.19.0+e49167a $ oc label node ip-10-0-216-202.us-east-2.compute.internal node-role.kubernetes.io/wscan= node/ip-10-0-216-202.us-east-2.compute.internal labeled $ oc create -f - <<EOF > apiVersion: machineconfiguration.openshift.io/v1 > kind: MachineConfigPool > metadata: > name: wscan > spec: > machineConfigSelector: > matchExpressions: > - {key: machineconfiguration.openshift.io/role, operator: In, values: [worker,wscan]} > nodeSelector: > matchLabels: > node-role.kubernetes.io/wscan: "" > EOF machineconfigpool.machineconfiguration.openshift.io/wscan created $ oc get mcp NAME CONFIG UPDATED UPDATING DEGRADED MACHINECOUNT READYMACHINECOUNT UPDATEDMACHINECOUNT DEGRADEDMACHINECOUNT AGE master rendered-master-f8682511c5881cce62d95028f21cca5a True False False 3 3 3 0 85m worker rendered-worker-b8e61456e95ac919df983c13631a762c True False False 2 2 2 0 85m wscan rendered-wscan-b8e61456e95ac919df983c13631a762c True False False 1 1 1 0 2m30s $ oc create -f - <<< '{"apiVersion":"fileintegrity.openshift.io/v1alpha1","kind":"FileIntegrity","metadata":{"name":"example-fileintegrity","namespace":"openshift-file-integrity"},"spec":{"nodeSelector":{"node-role.kubernetes.io/worker":""},"config":{}}}' fileintegrity.fileintegrity.openshift.io/example-fileintegrity created $ oc get pods NAME READY STATUS RESTARTS AGE aide-ds-example-fileintegrity-gd2tv 1/1 Running 0 36s aide-ds-example-fileintegrity-ljkvx 1/1 Running 0 36s aide-ds-example-fileintegrity-rjhmz 1/1 Running 0 36s file-integrity-operator-54fbb9f57d-rtqfl 1/1 Running 0 18m $ oc describe ds aide-ds-example-fileintegrity | grep Node-Selector Node-Selector: node-role.kubernetes.io/worker= $ oc get ds NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE aide-ds-example-fileintegrity 3 3 3 3 3 node-role.kubernetes.io/worker= 70s $ oc patch fileintegrities.fileintegrity.openshift.io example-fileintegrity --type json --patch='[{"op":"remove","path":"/spec/nodeSelector/node-role.kubernetes.io~1worker"},{"op":"add","path":"/spec/nodeSelector/node-role.kubernetes.io~1wscan","value":""}]' fileintegrity.fileintegrity.openshift.io/example-fileintegrity patched $ oc get ds NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE aide-ds-example-fileintegrity 1 1 0 0 0 node-role.kubernetes.io/wscan= 91s $ oc describe ds aide-ds-example-fileintegrity | grep Node-Selector Node-Selector: node-role.kubernetes.io/wscan= $ oc get fileintegrities.fileintegrity.openshift.io example-fileintegrity -o json |grep -A 2 "nodeSelector"|tail -4 -- "nodeSelector": { "node-role.kubernetes.io/wscan": "" }, $ oc logs file-integrity-operator-54fbb9f57d-rtqfl |grep nodeSelector {"level":"info","ts":1612429024.8492694,"logger":"controller_fileintegrity","msg":"FileIntegrity needed nodeSelector update","Request.Namespace":"openshift-file-integrity","Request.Name":"example-fileintegrity"} $ oc get fileintegrities.fileintegrity.openshift.io example-fileintegrity -o json |grep -A 5 "tolerations" |tail -7 -- "tolerations": [ { "effect": "NoSchedule", "key": "node-role.kubernetes.io/master", "operator": "Exists" } $ oc get nodes NAME STATUS ROLES AGE VERSION ip-10-0-148-15.us-east-2.compute.internal Ready master 90m v1.19.0+e49167a ip-10-0-159-91.us-east-2.compute.internal Ready worker 85m v1.19.0+e49167a ip-10-0-181-179.us-east-2.compute.internal Ready master 85m v1.19.0+e49167a ip-10-0-190-177.us-east-2.compute.internal Ready worker 85m v1.19.0+e49167a ip-10-0-197-78.us-east-2.compute.internal Ready master 86m v1.19.0+e49167a ip-10-0-216-202.us-east-2.compute.internal Ready worker,wscan 80m v1.19.0+e49167a $ oc adm taint node ip-10-0-216-202.us-east-2.compute.internal key1=value1:NoSchedule node/ip-10-0-216-202.us-east-2.compute.internal tainted $ oc label node ip-10-0-216-202.us-east-2.compute.internal taint=true node/ip-10-0-216-202.us-east-2.compute.internal labeled $ oc patch fileintegrities.fileintegrity.openshift.io example-fileintegrity -p '{"spec": {"tolerations": [{"effect": "NoSchedule","key": "key1","value": "value1","operator": "Equal"}]}}' --type merge fileintegrity.fileintegrity.openshift.io/example-fileintegrity patched $ oc get ds NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE aide-ds-example-fileintegrity 1 1 1 1 1 node-role.kubernetes.io/wscan= 4m12s $ oc get pods NAME READY STATUS RESTARTS AGE aide-ds-example-fileintegrity-dqlbl 1/1 Running 0 13s file-integrity-operator-54fbb9f57d-rtqfl 1/1 Running 0 22m $ oc get ds aide-ds-example-fileintegrity -o yaml |grep -A 5 tolerations|tail -7 -- tolerations: - effect: NoSchedule key: key1 operator: Equal value: value1 volumes: $ oc logs file-integrity-operator-54fbb9f57d-rtqfl|grep tolerations {"level":"info","ts":1612429180.9145136,"logger":"controller_fileintegrity","msg":"FileIntegrity needed tolerations update","Request.Namespace":"openshift-file-integrity","Request.Name":"example-fileintegrity"}
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.6 file-integrity-operator image security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:0568