Bug 1948551 - apiserver-watcher should run in a privileged namespace
Summary: apiserver-watcher should run in a privileged namespace
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Machine Config Operator
Version: 4.9
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: 4.11.z
Assignee: Luis Sanchez
QA Contact: Deepak Punia
URL:
Whiteboard:
Depends On: 2078945 2079097
Blocks:
Reported: 2021-04-12 12:25 UTC by Stefan Schimanski
Modified: 2022-08-29 06:47 UTC (History)
CC List: 12 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-08-29 06:46:55 UTC
Target Upstream Version:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | openshift machine-config-operator pull 2674 | 0 | None | closed | Bug 1948551: apiserver-watcher: use a lockfile. | 2022-06-24 09:34:13 UTC
Github | openshift machine-config-operator pull 3106 | 0 | None | Merged | Bug 2078945: Ensure only one apiserver-watcher process is active on a node. | 2022-05-24 17:00:30 UTC
Github | openshift machine-config-operator pull 3107 | 0 | None | Merged | Bug 1948551: apiserver-watcher should run in a privileged namespace | 2022-05-27 11:21:40 UTC
Red Hat Product Errata | RHBA-2022:6143 | 0 | None | None | None | 2022-08-29 06:47:13 UTC

Description Stefan Schimanski 2021-04-12 12:25:42 UTC
Description of problem:

apiserver-watcher is run in kube-system. This makes it hard to know to which component it belongs:

"kube-system/apiserver-watcher-ci-ln-zf7lprk-f76d1-k9v4x-master-0"
"kube-system/apiserver-watcher-ci-ln-zf7lprk-f76d1-k9v4x-master-1"
"kube-system/apiserver-watcher-ci-ln-zf7lprk-f76d1-k9v4x-master-2"

Version-Release number of selected component (if applicable):

4.8

How reproducible:

always

Steps to Reproduce:

install a cluster and check pods in the kube-system namespace

Actual results:


Expected results:

pod in openshift-machine-config-operator

Comment 1 Yu Qi Zhang 2021-04-13 03:13:52 UTC
Reassigning to Casey to see if that's intended, as he implemented the original watcher

Comment 2 Casey Callendrello 2021-04-20 13:48:59 UTC
The problem is how to roll the change out: MCD can't delete files.

So, we need to drop a dummy / noop file in the existing static pod so that it "goes away". Then we can stop rendering the file after a few releases.

Comment 3 Casey Callendrello 2021-07-12 11:33:16 UTC
My initial analysis was incorrect; but we do need to stage this rollout. Specifically, 4.9 needs to support a lockfile, because static pod upgrades are not "atomic".

So, filed https://github.com/openshift/machine-config-operator/pull/2674 to add locking to 4.9. Then, in 4.10, we can finally re-namespace this pod.

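The lockfile approach described in Comment 3, as an added illustration in Go that is not the machine-config-operator's own code and not taken from pull 2674: because a static pod swap is not atomic, the old and new apiserver-watcher processes can briefly coexist on a node, so each instance takes a non-blocking exclusive flock on a file before doing any work and backs off while another instance still holds it. The lock path, the function names and the retry timings below are assumptions; the lock is released by the kernel when the holder exits, so a crashed process cannot leave a stale lock behind.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"syscall"
	"time"
)

// lockPath is an assumed location; the real watcher's lock path is not given
// on this page.
const lockPath = "/run/apiserver-watcher.lock"

// errLockBusy is returned when another process currently holds the lock.
var errLockBusy = errors.New("lock held by another apiserver-watcher process")

// acquireLock opens (creating if needed) the file at path and takes a
// non-blocking exclusive advisory lock on it. The returned *os.File must stay
// open for as long as the lock is held; closing it, or the process exiting
// for any reason, releases the lock.
func acquireLock(path string) (*os.File, error) {
	f, err := os.OpenFile(path, os.O_CREATE|os.O_RDWR, 0o600)
	if err != nil {
		return nil, err
	}
	if err := syscall.Flock(int(f.Fd()), syscall.LOCK_EX|syscall.LOCK_NB); err != nil {
		f.Close()
		if errors.Is(err, syscall.EWOULDBLOCK) {
			return nil, fmt.Errorf("%s: %w", path, errLockBusy)
		}
		return nil, fmt.Errorf("flock %s: %w", path, err)
	}
	return f, nil
}

// releaseLock drops the lock explicitly and closes the file.
func releaseLock(f *os.File) error {
	if err := syscall.Flock(int(f.Fd()), syscall.LOCK_UN); err != nil {
		f.Close()
		return err
	}
	return f.Close()
}

// waitForLock retries acquireLock while the lock is merely busy (the
// previous static pod's process has not exited yet) until the timeout
// passes; any other error is returned immediately.
func waitForLock(path string, timeout, interval time.Duration) (*os.File, error) {
	deadline := time.Now().Add(timeout)
	for {
		f, err := acquireLock(path)
		if err == nil {
			return f, nil
		}
		if !errors.Is(err, errLockBusy) || time.Now().After(deadline) {
			return nil, err
		}
		time.Sleep(interval)
	}
}

func main() {
	f, err := waitForLock(lockPath, 30*time.Second, 500*time.Millisecond)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	defer releaseLock(f)
	fmt.Println("lock held; this is the only active apiserver-watcher on the node")
	// The watcher's real work would run here while the lock is held.
}
```

A second instance started while the first holds the lock gets errLockBusy from acquireLock and keeps polling in waitForLock; once the first instance exits (cleanly or not), the kernel drops the flock and the second acquire succeeds.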
Comment 9 Sinny Kumari 2022-06-24 09:39:10 UTC
All the associated PRs have been merged. Should this bug be moved to ON_QA?

Comment 13 errata-xmlrpc 2022-08-29 06:46:55 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.11.2 bug fix update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:6143
