The operator-lifecycle-manager repository uses the delegated authentication which has been identified to contain a bug that increases the number of watch requests against the Kube API server. We provided a temporary branch that contains a fix and strongly recommend switching the repository to that branch. Please change k8s.io/apiserver to temporary-watch-reduction-patch-1.21 to pick up https://github.com/kubernetes/kubernetes/pull/101102 Feel free to remove it once the upstream PR merges and a new Z release is cut. The improvement is significant. For example, after the fix, we reduced the number of watch requests from 1248 to 26 for the kube-apiserver-operator. Please have a look at https://github.com/openshift/cluster-kube-apiserver-operator/pull/1110 for instructions on how to use the branch with the fix. Note the issue was introduced in 1.20 We already provided a fix https://github.com/kubernetes/kubernetes/pull/101103 to that version. The next 1.20.z release is planned after the release of 4.8. Thus I would encourage you to switch to 1.21 and temporary-watch-reduction-patch-1.21 branch
I don't want to set it to blocker+, please make sure it lands in 4.8
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:2438