Description of problem:
In 4.8, the authentication operator configures authentication.spec.webhookTokenAuthenticator, which in turn causes kube-apiserver to roll out with webhook authentication configured towards the oauth-apiservers. However, during upgrade, the configuration event might precede the oauth-apiservers being fully rolled out, and so authentication may not work properly.

Make sure the authentication.spec.webhookTokenAuthenticator is not set when there are still some oauth-apiserver replicas that are not ready during an update.

Also make sure that once kube-apiserver observes the webhook authenticators configuration, configuring oauth.spec.tokenConfig.accessTokenInactivityTimeout causes no new kube-apiserver rollouts since this configuration no longer should have any effect on kube-apiserver.

Version-Release number of selected component (if applicable):
4.8

How reproducible:
sometimes

Steps to Reproduce, Actual results, Expected results:
described above
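An added example, not part of the original report and not the operator's own code: a check of the first verification item above, classifying whether webhookTokenAuthenticator is set while the oauth-apiserver rollout is still incomplete. It assumes the inputs are the Authentication resource and the oauth-apiserver Deployment as JSON; the sample objects and the kubeConfig name are constructed placeholders.

```python
import json

# Constructed sample objects shaped like `oc get ... -o json` output;
# they are not captured from a real cluster and the kubeConfig name is a placeholder.
AUTH_SET = json.loads('{"spec": {"webhookTokenAuthenticator": {"kubeConfig": {"name": "example-webhook-kubeconfig"}}}}')
AUTH_UNSET = json.loads('{"spec": {}}')
DEPLOY_ROLLING = json.loads(
    '{"metadata": {"generation": 5}, "spec": {"replicas": 3},'
    ' "status": {"observedGeneration": 5, "updatedReplicas": 2,'
    ' "readyReplicas": 2, "unavailableReplicas": 1}}')
DEPLOY_READY = json.loads(
    '{"metadata": {"generation": 5}, "spec": {"replicas": 3},'
    ' "status": {"observedGeneration": 5, "updatedReplicas": 3, "readyReplicas": 3}}')


def webhook_configured(auth):
    """True when spec.webhookTokenAuthenticator references a kubeconfig secret."""
    webhook = (auth.get("spec") or {}).get("webhookTokenAuthenticator") or {}
    return bool((webhook.get("kubeConfig") or {}).get("name"))


def rollout_complete(deploy):
    """True only when the latest spec was observed and every replica is updated and ready."""
    status = deploy.get("status") or {}
    desired = (deploy.get("spec") or {}).get("replicas", 1)
    return (status.get("observedGeneration", 0) >= deploy.get("metadata", {}).get("generation", 0)
            and status.get("updatedReplicas", 0) == desired
            and status.get("readyReplicas", 0) == desired
            and status.get("unavailableReplicas", 0) == 0)


def check(auth, oauth_apiserver):
    """Classify the pair of objects against the invariant from the bug description."""
    configured, ready = webhook_configured(auth), rollout_complete(oauth_apiserver)
    if configured and not ready:
        return "violation"   # kube-apiserver would call a backend that is not fully up
    if not configured and ready:
        return "pending"     # safe, but the authenticator should get configured eventually
    return "ok" if configured else "waiting"


if __name__ == "__main__":
    for auth, dep in [(AUTH_SET, DEPLOY_ROLLING), (AUTH_UNSET, DEPLOY_ROLLING),
                      (AUTH_UNSET, DEPLOY_READY), (AUTH_SET, DEPLOY_READY)]:
        print(check(auth, dep))
```

A "pending" result that never becomes "ok" is also worth tracking: it means the webhook authenticator is never being configured even though the backend is ready.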
As discussed in Slack, this is a blocker.
moving back to ASSIGNED, the original patch was wrong and would prevent webhook authenticators from being configured
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:2438