Bug 1977129 - openshift-installer: remove runlevel from openshift-kubevirt-infra namespace
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 4.9
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: ---
Target Release: 4.9.0
Assignee: Aditya Narayanaswamy
QA Contact: Jianli Wei
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-06-29 02:51 UTC by Mark Cooper
Modified: 2021-10-18 17:37 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-10-18 17:36:56 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Github openshift installer pull 5106 0 None open Bug 1977129: Remove runlevel label from openshift-kubevirt-infra 2021-07-26 21:33:59 UTC
Red Hat Product Errata RHSA-2021:3759 0 None None None 2021-10-18 17:37:20 UTC

Description Mark Cooper 2021-06-29 02:51:03 UTC
Version: release-4.9

$ openshift-install version
bin/openshift-install unreleased-master-4672-g2a0d2f4c36f5cebc2d516f6d834c294d6a593a7f-dirty
built from commit 2a0d2f4c36f5cebc2d516f6d834c294d6a593a7f
release image registry.ci.openshift.org/origin/release:4.8

Platform: kubevirt IPI

What happened?

`openshift-installer` sets the label `run-level: "1"` on the namespace `openshift-kubevirt-infra` [1]. 

[1] https://github.com/openshift/installer/blob/7c4226b0867a62d98956865f287959f91bb92707/data/data/manifests/bootkube/openshift-kubevirt-infra-namespace.yaml#L8

What did you expect to happen?

This label is no longer required. Using the runlevel means that any pod specified in the ns will bypass SCC controls. It may have been required <4.6 due to the significant start times of components waiting for the openshift-apiserver. But since 4.6 this delay has been all but removed.

Also supporting this are the other relevant on-prem component namespaces:
 - https://github.com/openshift/machine-config-operator/pull/2627
 - https://bugzilla.redhat.com/show_bug.cgi?id=1805488

Comment 3 Jianli Wei 2021-08-04 06:23:07 UTC
Recreated the issue using 4.9.0-0.nightly-2021-07-30-014522 and then verified the issue using 4.9.0-0.nightly-2021-08-04-025616. Mark as verified, thanks!

[fedora@preserve-jiwei ~]$ mkdir work
[fedora@preserve-jiwei ~]$ curl https://openshift-release-artifacts.apps.ci.l2s4.p1.openshiftapps.com/4.9.0-0.nightly-2021-07-30-014522/openshift-install-linux-4.9.0-0.nightly-2021-07-30-014522.tar.gz -o openshift-install-linux-4.9.0-0.nightly-2021-07-30-014522.tar.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 99.4M  100 99.4M    0     0   152M      0 --:--:-- --:--:-- --:--:--  152M
[fedora@preserve-jiwei ~]$ tar zxvf openshift-install-linux-4.9.0-0.nightly-2021-07-30-014522.tar.gz
README.md
openshift-install
[fedora@preserve-jiwei ~]$ openshift-install version
>openshift-install 4.9.0-0.nightly-2021-07-30-014522
built from commit 8d54dd48ffefd14a77b2233d265be0ab1aa037e9
release image registry.ci.openshift.org/ocp/release@sha256:7588bf948aebfb1baa77a4a0a51041dd2c307b89567fc8ce71367a74143d9d02
[fedora@preserve-jiwei ~]$ openshift-install create install-config --dir=work
? SSH Public Key /home/fedora/.ssh/id_rsa.pub
? Platform gcp
INFO Credentials loaded from file "/home/fedora/.gcp/osServiceAccount.json"
? Project ID OpenShift QE (openshift-qe)
? Region us-west1
? Base Domain qe.gcp.devcluster.openshift.com
? Cluster Name jiwei-cluster13
? Pull Secret [? for help] ***************************************************************************************************************************************************INFO Install-Config created in: work              *******************************************************************
[fedora@preserve-jiwei ~]$ openshift-install create manifests --dir=work
INFO Credentials loaded from file "/home/fedora/.gcp/osServiceAccount.json"
INFO Consuming Install Config from target directory
INFO Manifests created in: work/manifests and work/openshift
[fedora@preserve-jiwei ~]$ ls work/manifests/ -l
total 76
-rw-r-----. 1 fedora fedora  169 Aug  4 06:06 04-openshift-machine-config-operator.yaml
-rw-r-----. 1 fedora fedora  175 Aug  4 06:06 cloud-controller-uid-config.yml
-rw-r-----. 1 fedora fedora  518 Aug  4 06:06 cloud-provider-config.yaml
-rw-r-----. 1 fedora fedora  971 Aug  4 06:06 cluster-config.yaml
-rw-r-----. 1 fedora fedora  259 Aug  4 06:06 cluster-dns-02-config.yml
-rw-r-----. 1 fedora fedora  651 Aug  4 06:06 cluster-infrastructure-02-config.yml
-rw-r-----. 1 fedora fedora  181 Aug  4 06:06 cluster-ingress-02-config.yml
-rw-r-----. 1 fedora fedora 7923 Aug  4 06:06 cluster-network-01-crd.yml
-rw-r-----. 1 fedora fedora  272 Aug  4 06:06 cluster-network-02-config.yml
-rw-r-----. 1 fedora fedora  142 Aug  4 06:06 cluster-proxy-01-config.yaml
-rw-r-----. 1 fedora fedora  171 Aug  4 06:06 cluster-scheduler-02-config.yml
-rw-r-----. 1 fedora fedora  199 Aug  4 06:06 cvo-overrides.yaml
-rw-r-----. 1 fedora fedora  118 Aug  4 06:06 kube-cloud-config.yaml
-rw-r-----. 1 fedora fedora 1304 Aug  4 06:06 kube-system-configmap-root-ca.yaml
-rw-r-----. 1 fedora fedora 4086 Aug  4 06:06 machine-config-server-tls-secret.yaml
-rw-r-----. 1 fedora fedora 4197 Aug  4 06:06 openshift-config-secret-pull-secret.yaml
-rw-r-----. 1 fedora fedora  201 Aug  4 06:06 openshift-kubevirt-infra-namespace.yaml
>[fedora@preserve-jiwei ~]$ cat work/manifests/openshift-kubevirt-infra-namespace.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: openshift-kubevirt-infra
  annotations:
    openshift.io/node-selector: ""
  labels:
>    name: openshift-kubevirt-infra
>    openshift.io/run-level: "1"
[fedora@preserve-jiwei ~]$ 
[fedora@preserve-jiwei ~]$ rm -f openshift-install-linux-4.9.0-0.nightly-2021-07-30-014522.tar.gz openshift-install
[fedora@preserve-jiwei ~]$ mkdir work
[fedora@preserve-jiwei ~]$ curl https://openshift-release-artifacts.apps.ci.l2s4.p1.openshiftapps.com/4.9.0-0.nightly-2021-08-04-025616/openshift-install-linux-4.9.0-0.nightly-2021-08-04-025616.tar.gz -o openshift-install-linux-4.9.0-0.nightly-2021-08-04-025616.tar.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 99.4M  100 99.4M    0     0   139M      0 --:--:-- --:--:-- --:--:--  139M
[fedora@preserve-jiwei ~]$ tar zxvf openshift-install-linux-4.9.0-0.nightly-2021-08-04-025616.tar.gz
README.md
openshift-install
[fedora@preserve-jiwei ~]$ openshift-install version
>openshift-install 4.9.0-0.nightly-2021-08-04-025616
built from commit 4f3d8ba657cb9447f065a4e48b078be6376593e1
release image registry.ci.openshift.org/ocp/release@sha256:5583c60aae499629853d0f0a8be86a407cefb9689a6d0621192eebfba02448e6
[fedora@preserve-jiwei ~]$ openshift-install create install-config --dir=work
? SSH Public Key /home/fedora/.ssh/id_rsa.pub
? Platform gcp
INFO Credentials loaded from file "/home/fedora/.gcp/osServiceAccount.json" 
? Project ID OpenShift QE (openshift-qe)
? Region us-west1
? Base Domain qe.gcp.devcluster.openshift.com
? Cluster Name jiwei-cluster13
? Pull Secret [? for help] ***************************************************************************************************************************************************INFO Install-Config created in: work              *******************************************************************
[fedora@preserve-jiwei ~]$ openshift-install create manifests --dir=work
INFO Credentials loaded from file "/home/fedora/.gcp/osServiceAccount.json" 
INFO Consuming Install Config from target directory 
INFO Manifests created in: work/manifests and work/openshift 
[fedora@preserve-jiwei ~]$ ls work/manifests/ -l
total 76
-rw-r-----. 1 fedora fedora  169 Aug  4 06:17 04-openshift-machine-config-operator.yaml
-rw-r-----. 1 fedora fedora  175 Aug  4 06:17 cloud-controller-uid-config.yml
-rw-r-----. 1 fedora fedora  518 Aug  4 06:17 cloud-provider-config.yaml
-rw-r-----. 1 fedora fedora  971 Aug  4 06:17 cluster-config.yaml
-rw-r-----. 1 fedora fedora  259 Aug  4 06:17 cluster-dns-02-config.yml
-rw-r-----. 1 fedora fedora  651 Aug  4 06:17 cluster-infrastructure-02-config.yml
-rw-r-----. 1 fedora fedora  181 Aug  4 06:17 cluster-ingress-02-config.yml
-rw-r-----. 1 fedora fedora 7923 Aug  4 06:17 cluster-network-01-crd.yml
-rw-r-----. 1 fedora fedora  272 Aug  4 06:17 cluster-network-02-config.yml
-rw-r-----. 1 fedora fedora  142 Aug  4 06:17 cluster-proxy-01-config.yaml
-rw-r-----. 1 fedora fedora  171 Aug  4 06:17 cluster-scheduler-02-config.yml
-rw-r-----. 1 fedora fedora  199 Aug  4 06:17 cvo-overrides.yaml
-rw-r-----. 1 fedora fedora  118 Aug  4 06:17 kube-cloud-config.yaml
-rw-r-----. 1 fedora fedora 1304 Aug  4 06:17 kube-system-configmap-root-ca.yaml
-rw-r-----. 1 fedora fedora 4086 Aug  4 06:17 machine-config-server-tls-secret.yaml
-rw-r-----. 1 fedora fedora 4197 Aug  4 06:17 openshift-config-secret-pull-secret.yaml
-rw-r-----. 1 fedora fedora  169 Aug  4 06:17 openshift-kubevirt-infra-namespace.yaml
>[fedora@preserve-jiwei ~]$ cat work/manifests/openshift-kubevirt-infra-namespace.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: openshift-kubevirt-infra
  annotations:
    openshift.io/node-selector: ""
  labels:
>    name: openshift-kubevirt-infra
[fedora@preserve-jiwei ~]$
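
The manual check in the comment above, scripted as an added example (not part of the bug report or the installer project): it scans a generated manifests directory for Namespace objects that still carry `openshift.io/run-level`. The function names are assumptions, and the two sample manifests are constructed from the `cat` output shown above.

```sh
#!/bin/sh
# Added example: report Namespace manifests carrying openshift.io/run-level.
# Prints "<file>: <namespace> run-level=<value>"; returns 1 if any are found.
find_runlevel_namespaces() {
    found=0
    for f in "$1"/*.yaml "$1"/*.yml; do
        [ -f "$f" ] || continue
        out=$(awk -v file="${f##*/}" '
            function emit() {
                if (kind == "Namespace" && level != "")
                    printf "%s: %s run-level=%s\n", file, name, level
                kind = ""; name = ""; level = ""
            }
            /^---/     { emit(); next }    # next YAML document in the same file
            /^kind:/   { kind = $2 }
            /^  name:/ { name = $2 }       # metadata.name, not the 4-space label
            /^ +openshift\.io\/run-level:/ { level = $2; gsub(/"/, "", level) }
            END        { emit() }
        ' "$f")
        [ -z "$out" ] || { printf "%s\n" "$out"; found=1; }
    done
    return "$found"
}

# Constructed sample input: the two manifests shown in the comment above.
write_samples() {
    mkdir -p "$1/before" "$1/after"
    cat > "$1/after/openshift-kubevirt-infra-namespace.yaml" <<'EOF'
apiVersion: v1
kind: Namespace
metadata:
  name: openshift-kubevirt-infra
  annotations:
    openshift.io/node-selector: ""
  labels:
    name: openshift-kubevirt-infra
EOF
    { cat "$1/after/openshift-kubevirt-infra-namespace.yaml"
      echo '    openshift.io/run-level: "1"'
    } > "$1/before/openshift-kubevirt-infra-namespace.yaml"
}

tmp=$(mktemp -d)
write_samples "$tmp"
find_runlevel_namespaces "$tmp/before" || echo "before: run-level label present"
find_runlevel_namespaces "$tmp/after" && echo "after: clean"
rm -rf "$tmp"
```

Pointed at `work/manifests` after `openshift-install create manifests`, a non-zero return means a namespace is still labelled in a way that lets its pods bypass SCC controls.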

Comment 6 errata-xmlrpc 2021-10-18 17:36:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:3759

