Bug 1947165 - multus daemonset doesn't participate in token / ca rotation correctly
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.8
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: ---
Assignee: Douglas Smith
QA Contact: Weibin Liang
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-04-07 19:51 UTC by Douglas Smith
Modified: 2021-10-13 13:54 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-10-13 13:54:28 UTC
Target Upstream Version:
Embargoed:



Description Douglas Smith 2021-04-07 19:51:14 UTC
Description of problem: The Multus CNI entrypoint script does not account for the possibility of the kube ca rotating, since the entrypoint generates a kubeconfig only once -- the kube ca could be rotated and if you wait long enough, could cause a serious cluster failure upon rotation.

How reproducible: (when kube ca rotates)


Additional info: 

* The regenerated (and generated) kubeconfig should be an atomic swap of the file.
* A must-gather improvement could be nice to look at the contents of the multus.d directory (note: this should omit the actual secret)
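
One way to do the atomic swap and the secret-omitting dump asked for in the list above, as an added shell example that is not the Multus entrypoint or any project code. The function names, the `# creds-sha256:` header line and the cluster, user and context names are assumptions made for illustration; all paths and the server URL are supplied by the caller.

```shell
#!/bin/sh
# Added illustration, not the Multus entrypoint. Names and layout are assumed.

# Hash of CA bundle + token; changes whenever either one is rotated.
creds_fingerprint() {            # $1 = CA file, $2 = token file
    if [ ! -r "$1" ] || [ ! -r "$2" ]; then return 1; fi
    cat "$1" "$2" | sha256sum | cut -d' ' -f1
}

# Build the kubeconfig in a temp file beside the destination, then rename it
# into place. A rename within one filesystem is atomic, so a reader sees
# either the old file or the new one, never a partially written one.
write_kubeconfig() {             # $1 = dest, $2 = CA, $3 = token, $4 = server
    tmp=$(mktemp "$1.XXXXXX") || return 1      # mktemp creates it mode 0600
    {
        printf '# creds-sha256: %s\n' "$(creds_fingerprint "$2" "$3")"
        printf 'apiVersion: v1\nkind: Config\ncurrent-context: ctx\n'
        printf 'clusters:\n- name: local\n  cluster:\n    server: %s\n' "$4"
        printf '    certificate-authority-data: %s\n' "$(base64 < "$2" | tr -d '\n')"
        printf 'users:\n- name: sa\n  user:\n    token: %s\n' "$(cat "$3")"
        printf 'contexts:\n- name: ctx\n  context:\n    cluster: local\n    user: sa\n'
    } > "$tmp" || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$1"
}

# Regenerate only when the mounted credentials differ from the fingerprint
# recorded in the current file. Prints "rotated" or "unchanged".
refresh_kubeconfig() {           # same arguments as write_kubeconfig
    want=$(creds_fingerprint "$2" "$3") || return 1
    have=$(sed -n '1s/^# creds-sha256: //p' "$1" 2>/dev/null) || have=
    if [ "$want" = "$have" ]; then echo unchanged; return 0; fi
    write_kubeconfig "$@" && echo rotated
}

# Copy suitable for diagnostics collection: the bearer token is replaced.
redacted_kubeconfig() {          # $1 = kubeconfig
    sed 's/^\( *token: \).*/\1<redacted>/' "$1"
}
```

Calling `refresh_kubeconfig` periodically, or from a file watch on the mounted service-account directory, picks up a rotated CA or token without restarting the pod.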

Comment 1 Douglas Smith 2021-10-13 13:54:28 UTC
Have a work-around in place. Will work in an ideal fashion when upgraded to a thick plugin methodology.

