Description of problem:
The godoc for the dnses.operator.openshift.io resource's spec.nodePlacement.tolerations field incorrectly states that the default value is an empty list of tolerations. In fact, by default, the operator sets a toleration for the "node-role.kubernetes.io/master" taint, and the daemon controller adds some tolerations as well. This default value is desirable so that pods on master nodes have local DNS pods, and also so that the cluster has DNS pods even if worker nodes are all unavailable at once.

Version-Release number of selected component (if applicable):
4.8.0-0.ci-2021-04-20-220659

How reproducible:
100%

Steps to Reproduce:
1. oc explain dnses.spec.nodePlacement.tolerations --api-version=operator.openshift.io/v1

Actual results:

    DESCRIPTION:
         tolerations is a list of tolerations applied to DNS pods. The default is an empty list. This default is subject to change. See https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/

         The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.

Expected results:
The documentation should give the actual default that the operator sets, namely a toleration for the existence of the "node-role.kubernetes.io/master" taint. In addition, the documentation should mention that the daemon controller injects some default tolerations. Finally, the documentation should include a warning against changing this default.
Still need to vendor the change in cluster-dns-operator.
Verified in 4.8.0-0.nightly-2021-06-10-210437

    $ oc get clusterversion
    NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
    version   4.8.0-0.nightly-2021-06-10-210437   True        False         91m     Cluster version is 4.8.0-0.nightly-2021-06-10-210437

    $ oc explain dnses.spec.nodePlacement.tolerations --api-version=operator.openshift.io/v1
    KIND:     DNS
    VERSION:  operator.openshift.io/v1

    RESOURCE: tolerations <[]Object>

    DESCRIPTION:
         tolerations is a list of tolerations applied to DNS pods. If empty, the operator sets a toleration for the "node-role.kubernetes.io/master" taint. This default is subject to change. Specifying tolerations without including a toleration for the "node-role.kubernetes.io/master" taint may be risky as it could lead to an outage if all worker nodes become unavailable. Note that the daemon controller adds some tolerations as well. See https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/

         The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
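An added example, not part of this bug report or of the operator's code: a check that applies the <key,value,effect>/<operator> matching rule quoted in the description above to a DNS operator object and flags a custom tolerations list that no longer tolerates the "node-role.kubernetes.io/master" taint. The function names, the NoSchedule effect on the master taint and the sample objects are assumptions made for illustration; tolerations added by the daemon controller are not modelled.

```python
import json

# Assumption: control-plane nodes carry this taint with the NoSchedule effect.
MASTER_TAINT = {"key": "node-role.kubernetes.io/master", "value": "", "effect": "NoSchedule"}

def tolerates(toleration, taint):
    """Kubernetes rule: match the <key,value,effect> triple using <operator>."""
    effect = toleration.get("effect") or ""
    if effect and effect != taint["effect"]:
        return False  # an empty effect matches every effect
    key = toleration.get("key") or ""
    if key and key != taint["key"]:
        return False  # an empty key matches every key
    operator = toleration.get("operator") or "Equal"  # Equal is the default
    if operator == "Exists":
        return True
    if operator == "Equal":
        return (toleration.get("value") or "") == taint["value"]
    return False  # unknown operator: treat as not tolerating

def check_dns_tolerations(dns_json):
    """Classify spec.nodePlacement.tolerations of a DNS operator object (JSON text)."""
    spec = json.loads(dns_json).get("spec") or {}
    tolerations = (spec.get("nodePlacement") or {}).get("tolerations") or []
    if not tolerations:
        return "default"  # empty: the operator sets the master toleration itself
    if any(tolerates(t, MASTER_TAINT) for t in tolerations):
        return "ok"       # custom list still tolerates the master taint
    return "risky"        # DNS pods would depend on worker nodes only

# Constructed sample objects, not taken from a real cluster.
MASTER = {"key": "node-role.kubernetes.io/master", "operator": "Exists"}
CUSTOM = {"key": "example.com/dedicated", "operator": "Equal", "value": "dns", "effect": "NoSchedule"}
SAMPLES = {
    "unset": {"spec": {}},
    "custom_only": {"spec": {"nodePlacement": {"tolerations": [CUSTOM]}}},
    "custom_plus_master": {"spec": {"nodePlacement": {"tolerations": [CUSTOM, MASTER]}}},
    "wrong_effect": {"spec": {"nodePlacement": {"tolerations": [dict(MASTER, effect="NoExecute")]}}},
}

if __name__ == "__main__":
    for name, obj in SAMPLES.items():
        print(f"{name}: {check_dns_tolerations(json.dumps(obj))}")
```

The "wrong_effect" sample shows why matching on the key alone is not enough: a toleration scoped to a different effect does not tolerate the taint.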
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:2438