1923847 – Error occurs when creating pods if configuring multiple key-only labels in default cluster-wide node selectors or project-wide node selectors

Bug 1923847 - Error occurs when creating pods if configuring multiple key-only labels in default cluster-wide node selectors or project-wide node selectors

Summary: Error occurs when creating pods if configuring multiple key-only labels in de...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	openshift-apiserver
Sub Component:
Version:	4.6
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	---
Target Release:	4.8.0
Assignee:	Stefan Schimanski
QA Contact:	Xingxing Xia
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2021-02-02 05:12 UTC by yhe
Modified:	2024-03-25 18:04 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2021-07-27 22:37:35 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Github	openshift apiserver-library-go pull 48	None	open	Bug 1923847: labelselector: fix empty value parsing	2021-04-26 11:59:56 UTC
Github	openshift kubernetes pull 708	None	open	Bug 1923847: openshift-kube-apiserver: use github.com/openshift/apiserver-library-go/pkg/labelselector	2021-04-26 13:37:18 UTC
Github	openshift openshift-apiserver pull 204	None	open	Bug 1923847: Use github.com/openshift/apiserver-library-go/pkg/labelselector	2021-04-26 13:37:01 UTC
Red Hat Product Errata	RHSA-2021:2438	None	None	None	2021-07-27 22:38:06 UTC

Description yhe 2021-02-02 05:12:49 UTC

Description of problem:
An error occurs when creating pods if configuring multiple key-only labels in default cluster-wide node selectors or project-wide node selectors.

$ oc edit namespace test
apiVersion: v1
kind: Namespace
metadata:
  annotations:
    openshift.io/node-selector: node-role.kubernetes.io/test=,node-role.kubernetes.io/worker=

$ oc describe replicaset httpd-7866578b78
Events:
  Type     Reason        Age                From                   Message
  ----     ------        ----               ----                   -------
  Warning  FailedCreate  8s (x11 over 14s)  replicaset-controller  Error creating: unable to parse requirement: found ',', expected: identifier

If only the last label is a key-only label and the other labels are key=value labels, everything goes fine.

$ oc edit namespace test
apiVersion: v1
kind: Namespace
metadata:
  annotations:
    openshift.io/node-selector: node-role.kubernetes.io/test=true,node-role.kubernetes.io/worker=

$ oc describe replicaset httpd-7866578b78
Events:
  Type    Reason            Age   From                   Message
  ----    ------            ----  ----                   -------
  Normal  SuccessfulCreate  19s   replicaset-controller  Created pod: httpd-7866578b78-kkmdt

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Configure default cluster-wide node selectors or project-wide node selectors with multiple key-only labels

2. Create a test app

e.g. $ oc new-app httpd

3. Check the replicaset status

$ oc describe replicaset httpd-xxxxxxxxxx

Actual results:
Error occurs

Expected results:
Pod get created with the correct node selector and no error occurs

Additional info:

Comment 1 Maciej Szulik 2021-02-02 11:57:33 UTC

Looks like the labelselector parser needs a fix, there are 2 places:
- https://github.com/openshift/openshift-apiserver/tree/master/pkg/apiserver/labelselector/
- https://github.com/openshift/kubernetes/tree/master/openshift-kube-apiserver/admission/scheduler/nodeenv/labelselector/

While at it, I'd suggest maybe moving that code into apiserver-library-go, maybe?

Comment 5 Xingxing Xia 2021-06-28 14:03:59 UTC

Sorry did not timely check it. Was fully occupied by burning down other on_qa bugs and other old and new focused-on work!

Today checked in 4.8.0-0.nightly-2021-06-25-182927:
oc login -u ...
oc new-project xxia-proj
oc edit ns xxia-proj --context admin # add annotation openshift.io/node-selector: node-role.kubernetes.io/test=true,node-role.kubernetes.io/worker=
oc label no ONE_WORKER_NAME node-role.kubernetes.io/test=
oc new-app httpd
oc get po
httpd-78bddd99bc-d2ncc   1/1     Running   0          65s
oc describe rs # did not see above error

Comment 7 errata-xmlrpc 2021-07-27 22:37:35 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438

Note You need to log in before you can comment on or make changes to this bug.