Bug 1977383 - [release-4.7][service-ca] In k8s 1.21 bump BoundServiceAccountTokenVolume is disabled by default
Summary: [release-4.7][service-ca] In k8s 1.21 bump BoundServiceAccountTokenVolume is ...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: service-ca
Version: 4.7
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: 4.7.z
Assignee: Maru Newby
QA Contact: liyao
URL:
Whiteboard:
Depends On: 1946479
Blocks: 1977179 1977756
Reported: 2021-06-29 15:06 UTC by Maru Newby
Modified: 2021-07-26 17:35 UTC (History)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of: 1946479
Environment:
Last Closed: 2021-07-26 17:35:21 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Github openshift kubernetes pull 834 0 None closed Bug 1977383: [release-4.7] Ensure service ca configmap is created in all namespaces 2021-07-07 17:28:22 UTC
Github openshift kubernetes pull 839 0 None closed Bug 1977383: Update resource quota test for compatibility with service ca configmap publishing 2021-07-02 13:06:54 UTC
Github openshift kubernetes pull 843 0 None closed Bug 1977383: [release-4.7] Fix watch conformance test 2021-07-02 13:06:56 UTC
Github openshift origin pull 26283 0 None closed Bug 1977383: [release-4.7] Skip cluster quota test to enable service ca publisher to merge to o/k 2021-06-30 04:50:43 UTC
Github openshift origin pull 26303 0 None closed Bug 1977383: [release-4.7] Update resource quota test for compatibility with service ca configmap publishing 2021-07-04 19:02:36 UTC
Red Hat Product Errata RHBA-2021:2762 0 None None None 2021-07-26 17:35:45 UTC

Comment 1 Maru Newby 2021-06-29 15:09:35 UTC
This bug will track the addition of the service ca configmap publisher to 4.7. The intention is that 4.7 clusters be upgraded to a release that includes the publisher so that subsequent upgrades to 4.8 will be assured of having all namespaces containing a service ca configmap. This will minimize disruption when kube-apiserver is updated to 4.8 and all new pods are supplied tokens via BoundServiceAccountProjectedVolume which will expect the service ca configmap to already exist.

Comment 3 Scott Dodson 2021-07-07 17:28:08 UTC
Moving this modified ahead of the followup test changes. I'll detach those from the bug and we'll merge them as a test only change without a bug.

Comment 6 liyao 2021-07-08 09:08:50 UTC
Tested in cluster 4.7.0-0.nightly-2021-07-07-214918
1. Check configmap/openshift-service-ca.crt in every namespace; the test result is that it exists in each namespace
$ oc get configmap/openshift-service-ca.crt -n each_namespace
NAME                       DATA   AGE
openshift-service-ca.crt   1      8m

2. Check that configmap/openshift-service-ca.crt is present for a new project
$ oc new-project mytest
$ oc get cm  | grep openshift-service-ca.crt
openshift-service-ca.crt   1      57s

3. Check pod creation during the upgrade process to 4.8.0-0.nightly-2021-07-04-112043
$ oc adm upgrade --to-image=registry.ci.openshift.org/ocp/release:4.8.0-0.nightly-2021-07-04-112043 --force=true --allow-explicit-upgrade=true

Create a pod 22 minutes after the upgrade starts; the test result shows the pod is in Running status and the configMap "openshift-service-ca.crt" is present
$ oc get pod postgresql-1-9jpqm -o json | jq .spec.volumes
[
  {
    "emptyDir": {},
    "name": "data"
  },
  {
    "name": "kube-api-access-grcr7",
    "projected": {
      "defaultMode": 420,
      "sources": [
        {
          "serviceAccountToken": {
            "expirationSeconds": 3607,
            "path": "token"
          }
        },
        {
          "configMap": {
            "items": [
              {
                "key": "ca.crt",
                "path": "ca.crt"
              }
            ],
            "name": "kube-root-ca.crt"
          }
        },
        {
          "downwardAPI": {
            "items": [
              {
                "fieldRef": {
                  "apiVersion": "v1",
                  "fieldPath": "metadata.namespace"
                },
                "path": "namespace"
              }
            ]
          }
        },
        {
          "configMap": {
            "items": [
              {
                "key": "service-ca.crt",
                "path": "service-ca.crt"
              }
            ],
            "name": "openshift-service-ca.crt"
          }
        }
      ]
    }
  }
]
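Step 1 of the verification above runs `oc get configmap` against a placeholder namespace. The script below is an added example, not part of the bug report or of the OpenShift code, that performs the same pre-upgrade audit across the whole cluster: it lists every namespace that still lacks the openshift-service-ca.crt configmap the publisher is expected to create, which is exactly the set of namespaces where new pods would fail to mount the projected service CA volume after the 4.8 kube-apiserver upgrade. It assumes `oc` access to the cluster for the live helpers; the function names and the `SERVICE_CA_AUDIT_LIVE` variable are made up for this example.

```shell
#!/bin/sh
# Added example (not from the bug report): audit which namespaces are still
# missing the openshift-service-ca.crt configmap published by the service CA
# publisher. Namespaces listed here would have new pods stuck on volume mount
# once bound service account tokens reference that configmap.

# Live helpers wrapping the oc calls the audit needs (cluster access assumed).
list_namespaces() {
    oc get namespaces -o jsonpath='{range .items[*]}{.metadata.name}{"\n"}{end}'
}
list_covered_namespaces() {
    oc get configmap --all-namespaces \
        --field-selector metadata.name=openshift-service-ca.crt \
        -o jsonpath='{range .items[*]}{.metadata.namespace}{"\n"}{end}'
}

# missing_service_ca_namespaces ALL_NS COVERED_NS
# Both arguments are newline-separated namespace lists. Prints, one per line,
# the namespaces from ALL_NS that have no openshift-service-ca.crt configmap.
# Pure text processing, so it also works on saved oc output without a cluster.
missing_service_ca_namespaces() {
    { printf '%s\n' "$2"; echo '---'; printf '%s\n' "$1"; } | awk '
        /^---$/       { second = 1; next }   # separator; not a valid namespace name
        NF == 0       { next }               # skip blank lines
        !second       { have[$1] = 1; next } # first list: covered namespaces
        !($1 in have) { print $1 }           # second list: report uncovered ones
    '
}

# Returns 0 when every namespace is covered, 1 otherwise (usable as an upgrade gate).
audit_cluster() {
    missing=$(missing_service_ca_namespaces "$(list_namespaces)" "$(list_covered_namespaces)")
    if [ -n "$missing" ]; then
        echo "namespaces missing openshift-service-ca.crt:" >&2
        printf '%s\n' "$missing" >&2
        return 1
    fi
    echo "all namespaces carry openshift-service-ca.crt"
}

# Run the live audit only when explicitly requested (SERVICE_CA_AUDIT_LIVE=1),
# so the functions can be sourced and tested offline.
if [ "${SERVICE_CA_AUDIT_LIVE:-0}" = 1 ]; then
    audit_cluster
fi
```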

Comment 11 errata-xmlrpc 2021-07-26 17:35:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.7.21 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:2762

