Description of problem:
In 4.8, the authentication operator configures authentication.spec.webhookTokenAuthenticator, which in turn causes kube-apiserver to roll out with webhook authentication configured towards the oauth-apiservers. However, during upgrade, the configuration event might precede the oauth-apiservers being fully rolled out, and so authentication may not work properly.
Make sure the authentication.spec.webhookTokenAuthenticator is not set when there are still some oauth-apiserver replicas that are not ready during an update.
Also make sure that once kube-apiserver observes the webhook authenticators configuration, configuring oauth.spec.tokenConfig.accessTokenInactivityTimeout causes no new kube-apiserver rollouts since this configuration no longer should have any effect on kube-apiserver.
Version-Release number of selected component (if applicable):
Steps to Reproduce, Actual results, Expected results:
As discussed in Slack, this is a blocker.
Moving back to ASSIGNED; the original patch was wrong and would prevent webhook authenticators from being configured.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.
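The ordering requirement from the bug description (do not set authentication.spec.webhookTokenAuthenticator while oauth-apiserver replicas are still not ready) can be expressed as a small gating check. This is an added example, not the operator's code or the shipped fix: the `DeploymentStatus` struct, both function names, and the secret name are hypothetical, and the webhook setting is modelled as a plain string.

```go
package main

import "fmt"

// DeploymentStatus holds the Deployment counters this check reads.
// Hypothetical type for illustration; values in main are constructed.
type DeploymentStatus struct {
	Generation, ObservedGeneration int64
	Desired, Total, Updated, Ready int32
}

// RolloutComplete reports whether every replica runs the new revision and is
// ready, and returns the reason when it is not.
func RolloutComplete(d DeploymentStatus) (bool, string) {
	switch {
	case d.ObservedGeneration < d.Generation:
		return false, "controller has not observed the latest spec"
	case d.Updated < d.Desired:
		return false, fmt.Sprintf("%d/%d replicas updated", d.Updated, d.Desired)
	case d.Total > d.Updated:
		return false, fmt.Sprintf("%d old replicas still running", d.Total-d.Updated)
	case d.Ready < d.Desired:
		return false, fmt.Sprintf("%d/%d replicas ready", d.Ready, d.Desired)
	}
	return true, "all replicas updated and ready"
}

// WebhookAuthenticatorToApply returns the value to write to
// authentication.spec.webhookTokenAuthenticator: the desired value once the
// oauth-apiserver rollout is complete, otherwise the current value unchanged.
func WebhookAuthenticatorToApply(current, desired string, d DeploymentStatus) (string, string) {
	if current == desired {
		return current, "already configured"
	}
	if ok, why := RolloutComplete(d); !ok {
		return current, "deferred: " + why
	}
	return desired, "oauth-apiserver ready, configuring webhook"
}

func main() {
	// Constructed mid-upgrade status: 3 desired replicas, only 2 updated.
	mid := DeploymentStatus{Generation: 5, ObservedGeneration: 5,
		Desired: 3, Total: 3, Updated: 2, Ready: 3}
	value, reason := WebhookAuthenticatorToApply("", "example-webhook-secret", mid)
	fmt.Printf("value=%q reason=%q\n", value, reason)
}
```

The check defers on a stale observed generation as well as on replica counts, so a status read taken before the deployment controller has seen the new spec is not mistaken for a finished rollout.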