Bug 1961341 - Remove rbacv1beta1 handling code
Summary: Remove rbacv1beta1 handling code
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Cluster Version Operator
Version: 4.8
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
: 4.7.z
Assignee: Vadim Rutkovsky
QA Contact: Yang Yang
URL:
Whiteboard:
Depends On: 1960554
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-05-17 18:06 UTC by OpenShift BugZilla Robot
Modified: 2021-10-12 19:52 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-10-12 19:51:42 UTC
Target Upstream Version:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift baremetal-operator pull 148 0 None closed [release-4.7] Bug 1961341: config: use rbacv1 instead of rbacv1beta1 2021-07-29 23:40:12 UTC
Github openshift cluster-autoscaler-operator pull 206 0 None open [release-4.7] Bug 1961341: manifests: use v1 for RBAC 2021-06-15 08:34:22 UTC
Github openshift cluster-version-operator pull 652 0 None None None 2021-09-10 08:27:35 UTC
Github openshift machine-config-operator pull 2620 0 None closed [release-4.7] Bug 1961341: rbac: update remaining apis to v1 2021-07-29 23:40:20 UTC
Github operator-framework operator-marketplace pull 409 0 None open Bug 1961341: [release-4.7] Update openshift rolebindings to v1 2021-07-29 23:40:23 UTC
Red Hat Product Errata RHBA-2021:3686 0 None None None 2021-10-12 19:52:10 UTC

Comment 1 Yang Yang 2021-06-16 06:19:18 UTC 
# oc adm release extract --to manifests registry.ci.openshift.org/ocp/release:4.7.0-0.nightly-2021-06-12-151209
Extracted release payload from digest sha256:a8873b0c5c017864effc7323bebdb2d3c7244973a0892362b04e3d8510240e0c created at 2021-06-12T15:17:00Z

# grep -r 'apiVersion: rbac' manifests | grep v1beta1
manifests/0000_50_cluster-autoscaler-operator_03_rbac.yaml:apiVersion: rbac.authorization.k8s.io/v1beta1
manifests/0000_50_cluster-autoscaler-operator_03_rbac.yaml:apiVersion: rbac.authorization.k8s.io/v1beta1
manifests/0000_70_cluster-network-operator_02_rbac.yaml:apiVersion: rbac.authorization.k8s.io/v1beta1
manifests/0000_80_machine-config-operator_03_rbac.yaml:apiVersion: rbac.authorization.k8s.io/v1beta1
manifests/0000_50_operator-marketplace_06_role_binding.yaml:apiVersion: rbac.authorization.k8s.io/v1beta1
manifests/0000_50_operator-marketplace_06_role_binding.yaml:apiVersion: rbac.authorization.k8s.io/v1beta1

In 4.7, not only autoscaler but also network, machine-config and marketplace have rbacv1beta1 defined in manifests.

# oc get clusterrolebinding default-account-cluster-network-operator -n openshift-network-operator -oyaml | grep rbac
apiVersion: rbac.authorization.k8s.io/v1
  - apiVersion: rbac.authorization.k8s.io/v1beta1
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/default-account-cluster-network-operator
  apiGroup: rbac.authorization.k8s.io


# oc get clusterrolebinding default-account-openshift-machine-config-operator -n openshift-machine-config-operator -oyaml| grep rbac
apiVersion: rbac.authorization.k8s.io/v1
  - apiVersion: rbac.authorization.k8s.io/v1beta1
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/default-account-openshift-machine-config-operator
  apiGroup: rbac.authorization.k8s.io


# oc get clusterrolebinding marketplace-operator -n openshift-marketplace -oyaml | grep rbac
apiVersion: rbac.authorization.k8s.io/v1
  - apiVersion: rbac.authorization.k8s.io/v1beta1
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/marketplace-operator
  apiGroup: rbac.authorization.k8s.io

Looks like those in-cluster clusterrolebindings use the rbacv1.

Vadim, could you please help confirm if only autoscaler needs to be fixed?
Comment 2 Vadim Rutkovsky 2021-06-16 07:51:34 UTC 
You are correct, more PRs are required to make it work properly:

* cluster-autoscaler - https://github.com/openshift/cluster-autoscaler-operator/pull/206
* network-operator - https://github.com/openshift/cluster-network-operator/pull/1134
* machine-config-operator - https://github.com/openshift/machine-config-operator/pull/2620
* marketplace-operator - https://github.com/operator-framework/operator-marketplace/pull/409
Comment 3 Yang Yang 2021-06-16 08:19:05 UTC 
Vadim, is PR in CVO required as well? We have CVO PR[1] in 4.8.

[1] CVO - https://github.com/openshift/cluster-version-operator/pull/565
Comment 4 Yang Yang 2021-06-29 09:38:35 UTC 
Vadim, could you please take a look at comment#3? Thanks
Comment 5 Vadim Rutkovsky 2021-06-29 15:55:50 UTC 
(In reply to Yang Yang from comment #4)
> Vadim, could you please take a look at comment#3? Thanks

Correct, after PRs from comment#2 are merged we can proceed with cherry-picking https://github.com/openshift/cluster-version-operator/pull/565 on release-4.8
Comment 15 Yang Yang 2021-09-10 02:58:10 UTC 
Vadim,

> Correct, after PRs from comment#2 are merged we can proceed with cherry-picking  https://github.com/openshift/cluster-version-operator/pull/565 on release-4.8

The PRs from comment#2 get merged. Would you like to cherry-pick the CVO PR to proceed at this moment? Thanks!
Comment 16 Vadim Rutkovsky 2021-09-10 08:27:22 UTC 
Done, created https://github.com/openshift/cluster-version-operator/pull/652
Comment 19 Yang Yang 2021-09-23 05:45:11 UTC 
Verifying with 4.7.0-0.nightly-2021-09-22-201816

# oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.7.0-0.nightly-2021-09-22-201816   True        False         137m    Cluster version is 4.7.0-0.nightly-2021-09-22-201816

# oc adm release extract --to 4.7
Extracted release payload created at 2021-09-22T20:21:28Z

# grep -r 'apiVersion: rbac' 4.7 | grep v1beta1

null

# oc get po -n openshift-cluster-version
NAME                                        READY   STATUS    RESTARTS   AGE
cluster-version-operator-56f859b98d-shtps   1/1     Running   0          166m

# oc logs pod/cluster-version-operator-56f859b98d-shtps -n openshift-cluster-version > cvo.log

# grep 'rbac.authorization.k8s.io/v1beta1' cvo.log
I0923 03:16:51.519313       1 request.go:591] Throttling request took 1.472133091s, request: GET:https://api-int.yangyang0923.qe.gcp.devcluster.openshift.com:6443/apis/rbac.authorization.k8s.io/v1beta1?timeout=32s

No resources are using rbacv1beta1. Moving it to verified state.
Comment 22 errata-xmlrpc 2021-10-12 19:51:42 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.7.33 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:3686
Note You need to log in before you can comment on or make changes to this bug.