1961341 – Remove rbacv1beta1 handling code

Bug 1961341 - Remove rbacv1beta1 handling code

Summary: Remove rbacv1beta1 handling code

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Cluster Version Operator
Sub Component:
Version:	4.8
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	medium
Target Milestone:	---
Target Release:	4.7.z
Assignee:	Vadim Rutkovsky
QA Contact:	Yang Yang
Docs Contact:
URL:
Whiteboard:
Depends On:	1960554
Blocks:
TreeView+	depends on / blocked

Reported:	2021-05-17 18:06 UTC by OpenShift BugZilla Robot
Modified:	2021-10-12 19:52 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Doc Type:	No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed:	2021-10-12 19:51:42 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Github	openshift baremetal-operator pull 148	None	closed	[release-4.7] Bug 1961341: config: use rbacv1 instead of rbacv1beta1	2021-07-29 23:40:12 UTC
Github	openshift cluster-autoscaler-operator pull 206	None	open	[release-4.7] Bug 1961341: manifests: use v1 for RBAC	2021-06-15 08:34:22 UTC
Github	openshift cluster-version-operator pull 652	None	None	None	2021-09-10 08:27:35 UTC
Github	openshift machine-config-operator pull 2620	None	closed	[release-4.7] Bug 1961341: rbac: update remaining apis to v1	2021-07-29 23:40:20 UTC
Github	operator-framework operator-marketplace pull 409	None	open	Bug 1961341: [release-4.7] Update openshift rolebindings to v1	2021-07-29 23:40:23 UTC
Red Hat Product Errata	RHBA-2021:3686	None	None	None	2021-10-12 19:52:10 UTC

Comment 1 Yang Yang 2021-06-16 06:19:18 UTC

# oc adm release extract --to manifests registry.ci.openshift.org/ocp/release:4.7.0-0.nightly-2021-06-12-151209
Extracted release payload from digest sha256:a8873b0c5c017864effc7323bebdb2d3c7244973a0892362b04e3d8510240e0c created at 2021-06-12T15:17:00Z

# grep -r 'apiVersion: rbac' manifests | grep v1beta1
manifests/0000_50_cluster-autoscaler-operator_03_rbac.yaml:apiVersion: rbac.authorization.k8s.io/v1beta1
manifests/0000_50_cluster-autoscaler-operator_03_rbac.yaml:apiVersion: rbac.authorization.k8s.io/v1beta1
manifests/0000_70_cluster-network-operator_02_rbac.yaml:apiVersion: rbac.authorization.k8s.io/v1beta1
manifests/0000_80_machine-config-operator_03_rbac.yaml:apiVersion: rbac.authorization.k8s.io/v1beta1
manifests/0000_50_operator-marketplace_06_role_binding.yaml:apiVersion: rbac.authorization.k8s.io/v1beta1
manifests/0000_50_operator-marketplace_06_role_binding.yaml:apiVersion: rbac.authorization.k8s.io/v1beta1

In 4.7, not only autoscaler but also network, machine-config and marketplace have rbacv1beta1 defined in manifests.

# oc get clusterrolebinding default-account-cluster-network-operator -n openshift-network-operator -oyaml | grep rbac
apiVersion: rbac.authorization.k8s.io/v1
  - apiVersion: rbac.authorization.k8s.io/v1beta1
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/default-account-cluster-network-operator
  apiGroup: rbac.authorization.k8s.io


# oc get clusterrolebinding default-account-openshift-machine-config-operator -n openshift-machine-config-operator -oyaml| grep rbac
apiVersion: rbac.authorization.k8s.io/v1
  - apiVersion: rbac.authorization.k8s.io/v1beta1
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/default-account-openshift-machine-config-operator
  apiGroup: rbac.authorization.k8s.io


# oc get clusterrolebinding marketplace-operator -n openshift-marketplace -oyaml | grep rbac
apiVersion: rbac.authorization.k8s.io/v1
  - apiVersion: rbac.authorization.k8s.io/v1beta1
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/marketplace-operator
  apiGroup: rbac.authorization.k8s.io

Looks like those in-cluster clusterrolebindings use the rbacv1.

Vadim, could you please help confirm if only autoscaler needs to be fixed?

Comment 2 Vadim Rutkovsky 2021-06-16 07:51:34 UTC

You are correct, more PRs are required to make it work properly:

* cluster-autoscaler - https://github.com/openshift/cluster-autoscaler-operator/pull/206
* network-operator - https://github.com/openshift/cluster-network-operator/pull/1134
* machine-config-operator - https://github.com/openshift/machine-config-operator/pull/2620
* marketplace-operator - https://github.com/operator-framework/operator-marketplace/pull/409

Comment 3 Yang Yang 2021-06-16 08:19:05 UTC

Vadim, is PR in CVO required as well? We have CVO PR[1] in 4.8.

[1] CVO - https://github.com/openshift/cluster-version-operator/pull/565

Comment 4 Yang Yang 2021-06-29 09:38:35 UTC

Vadim, could you please take a look at comment#3? Thanks

Comment 5 Vadim Rutkovsky 2021-06-29 15:55:50 UTC

(In reply to Yang Yang from comment #4)
> Vadim, could you please take a look at comment#3? Thanks

Correct, after PRs from comment#2 are merged we can proceed with cherry-picking https://github.com/openshift/cluster-version-operator/pull/565 on release-4.8

Comment 15 Yang Yang 2021-09-10 02:58:10 UTC

Vadim,

> Correct, after PRs from comment#2 are merged we can proceed with cherry-picking  https://github.com/openshift/cluster-version-operator/pull/565 on release-4.8

The PRs from comment#2 get merged. Would you like to cherry-pick the CVO PR to proceed at this moment? Thanks!

Comment 16 Vadim Rutkovsky 2021-09-10 08:27:22 UTC

Done, created https://github.com/openshift/cluster-version-operator/pull/652

Comment 19 Yang Yang 2021-09-23 05:45:11 UTC

Verifying with 4.7.0-0.nightly-2021-09-22-201816

# oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.7.0-0.nightly-2021-09-22-201816   True        False         137m    Cluster version is 4.7.0-0.nightly-2021-09-22-201816

# oc adm release extract --to 4.7
Extracted release payload created at 2021-09-22T20:21:28Z

# grep -r 'apiVersion: rbac' 4.7 | grep v1beta1

null

# oc get po -n openshift-cluster-version
NAME                                        READY   STATUS    RESTARTS   AGE
cluster-version-operator-56f859b98d-shtps   1/1     Running   0          166m

# oc logs pod/cluster-version-operator-56f859b98d-shtps -n openshift-cluster-version > cvo.log

# grep 'rbac.authorization.k8s.io/v1beta1' cvo.log
I0923 03:16:51.519313       1 request.go:591] Throttling request took 1.472133091s, request: GET:https://api-int.yangyang0923.qe.gcp.devcluster.openshift.com:6443/apis/rbac.authorization.k8s.io/v1beta1?timeout=32s

No resources are using rbacv1beta1. Moving it to verified state.

Comment 22 errata-xmlrpc 2021-10-12 19:51:42 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.7.33 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:3686

Note You need to log in before you can comment on or make changes to this bug.