Description of problem: When the DNS operator creates or updates the DNS daemonset and service, the API sets default values for the service's ipFamilies and ipFamilyPolicy fields and for the daemonset's maxSurge field, which the operator detects as external updates and attempts to revert. The operator should not update the daemonset or service in response to API defaulting. Version-Release number of selected component (if applicable): Kubernetes 1.21 and OpenShift 4.8 add the maxSurge field for daemonsets and enable the "IPv6Dualstack" feature gate, which causes the API to set default values for the ipFamilies and ipFamilyPolicy fields. How reproducible: 100%. Steps to Reproduce: 1. Launch a new cluster. 2. Check the DNS operator's logs: oc -n openshift-dns-operator logs deploy/dns-operator -c dns-operator Actual results: The DNS operator's logs have "updated dns daemonset" and "updated dns service" repeated over and over. For example, in this CI run, I see "updated dns daemonset" and "updated dns service" each 118 times: https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/origin-ci-test/pr-logs/pull/openshift_cluster-dns-operator/262/pull-ci-openshift-cluster-dns-operator-master-e2e-aws-operator/1380942156755111936/artifacts/e2e-aws-operator/gather-extra/artifacts/pods/openshift-dns-operator_dns-operator-6c5bdf6f68-gwxm7_dns-operator.log Expected results: The DNS operator should ignore updates by the API that only set default values, and the operator should not log "updated dns daemonset" or "updated dns service" unless the objects are updated outside of API defaulting. For example, in this CI run from the release-4.7 branch, I see "updated dns daemonset" 1 time and "updated dns service" 0 times: https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/origin-ci-test/pr-logs/pull/openshift_cluster-dns-operator/250/pull-ci-openshift-cluster-dns-operator-release-4.7-e2e-aws-operator/1380592335993180160/artifacts/e2e-aws-operator/gather-extra/artifacts/pods/openshift-dns-operator_dns-operator-559658f664-bzkds_dns-operator.log
Verified in "4.8.0-0.nightly-2021-04-30-201824". With this payload, it is noted that there are no more unwanted updated logs for the DNS daemonset or the service: ------ oc get clusterversion NAME VERSION AVAILABLE PROGRESSING SINCE STATUS version 4.8.0-0.nightly-2021-04-30-201824 True False 34m Cluster version is 4.8.0-0.nightly-2021-04-30-201824 oc -n openshift-dns-operator logs deployment.apps/dns-operator -c dns-operator | grep -i "updated dns daemonset" | wc -l 0 oc -n openshift-dns-operator logs deployment.apps/dns-operator -c dns-operator | grep -i "updated dns service" | wc -l 0 -------
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:2438