This bug will track the addition of the service ca configmap publisher to 4.7. The intention is that 4.7 clusters be upgraded to a release that includes the publisher so that subsequent upgrades to 4.8 will be assured of having all namespaces containing a service ca configmap. This will minimize disruption when kube-apiserver is updated to 4.8 and all new pods are supplied tokens via BoundServiceAccountProjectedVolume which will expect the service ca configmap to already exist.
Moving this to MODIFIED ahead of the follow-up test changes. I'll detach those from the bug and we'll merge them as a test-only change without a bug.
Tested in cluster 4.7.0-0.nightly-2021-07-07-214918

1. Check configmap/openshift-service-ca.crt in every namespace; the test result is that it exists in each namespace.

$ oc get configmap/openshift-service-ca.crt -n each_namespace
NAME                       DATA   AGE
openshift-service-ca.crt   1      8m

2. Check that configmap/openshift-service-ca.crt is present for a new project.

$ oc new-project mytest
$ oc get cm | grep openshift-service-ca.crt
openshift-service-ca.crt   1      57s

3. Check pod creation during the upgrade process to 4.8.0-0.nightly-2021-07-04-112043.

$ oc adm upgrade --to-image=registry.ci.openshift.org/ocp/release:4.8.0-0.nightly-2021-07-04-112043 --force=true --allow-explicit-upgrade=true

Created a pod 22 minutes after the upgrade started; the test result shows the pod is in Running status and configMap "openshift-service-ca.crt" is present.

$ oc get pod postgresql-1-9jpqm -o json | jq .spec.volumes
[
  {
    "emptyDir": {},
    "name": "data"
  },
  {
    "name": "kube-api-access-grcr7",
    "projected": {
      "defaultMode": 420,
      "sources": [
        {
          "serviceAccountToken": {
            "expirationSeconds": 3607,
            "path": "token"
          }
        },
        {
          "configMap": {
            "items": [
              {
                "key": "ca.crt",
                "path": "ca.crt"
              }
            ],
            "name": "kube-root-ca.crt"
          }
        },
        {
          "downwardAPI": {
            "items": [
              {
                "fieldRef": {
                  "apiVersion": "v1",
                  "fieldPath": "metadata.namespace"
                },
                "path": "namespace"
              }
            ]
          }
        },
        {
          "configMap": {
            "items": [
              {
                "key": "service-ca.crt",
                "path": "service-ca.crt"
              }
            ],
            "name": "openshift-service-ca.crt"
          }
        }
      ]
    }
  }
]
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.7.21 bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:2762
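A pre-upgrade check that follows from the description and verification steps in this report, as an added example that is not part of the bug report or of OpenShift's own code: it lists namespaces that still lack the openshift-service-ca.crt ConfigMap, which the 4.8 projected volume shown above references. The function names and the sample data are assumptions made for illustration.

```shell
#!/bin/sh
# ConfigMap name taken from the verification comment in this report.
CM_NAME="openshift-service-ca.crt"

# missing_service_ca NS_FILE CM_FILE   (hypothetical helper)
#   NS_FILE: one namespace name per line
#   CM_FILE: "<namespace> <configmap-name>" per line
# Prints every namespace in NS_FILE that has no CM_NAME ConfigMap.
missing_service_ca() {
    # FILENAME is compared instead of NR == FNR so that an empty
    # CM_FILE still reports every namespace as missing.
    awk -v cm="$CM_NAME" '
        FILENAME == ARGV[1] { if ($2 == cm) have[$1] = 1; next }
        NF && !($1 in have) { print $1 }
    ' "$2" "$1"
}

# check_cluster: run against the cluster the current oc login points at.
# Returns 0 if every namespace has the ConfigMap, 1 if some are missing
# (names printed), 2 if the cluster could not be queried.
check_cluster() {
    tmp=$(mktemp -d) || return 2
    oc get namespaces \
        -o jsonpath='{range .items[*]}{.metadata.name}{"\n"}{end}' > "$tmp/ns" &&
    oc get configmaps --all-namespaces \
        -o jsonpath='{range .items[*]}{.metadata.namespace}{" "}{.metadata.name}{"\n"}{end}' > "$tmp/cm" &&
    missing=$(missing_service_ca "$tmp/ns" "$tmp/cm")
    rc=$?
    rm -rf "$tmp"
    [ "$rc" -eq 0 ] || return 2
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Constructed sample data (not from a real cluster): team-b lacks the ConfigMap.
sample_missing() {
    d=$(mktemp -d) || return 2
    printf '%s\n' default team-a team-b > "$d/ns"
    printf '%s\n' \
        "default kube-root-ca.crt" "default openshift-service-ca.crt" \
        "team-a openshift-service-ca.crt" "team-b kube-root-ca.crt" > "$d/cm"
    missing_service_ca "$d/ns" "$d/cm"
    rm -rf "$d"
}
```

Running check_cluster on a 4.7 cluster before starting the upgrade to 4.8 should print nothing and return 0 once the publisher has populated every namespace.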