Bug 2086198 - Cluster CAPI Operator creates unnecessary defaulting webhooks
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Cloud Compute
Version: 4.11
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Target Release: 4.11.0
Assignee: Mike Fedosin
QA Contact: Milind Yadav
Reported: 2022-05-14 16:17 UTC by Mike Fedosin
Modified: 2023-09-15 01:54 UTC

Last Closed: 2022-08-10 11:12:00 UTC


System | ID | Private | Priority | Status | Summary | Last Updated
Github | openshift cluster-capi-operator pull 51 | 0 | None | open | Bug 2086198: [OCPCLOUD-1506] Disable defaulting webhook for cluster objects | 2022-05-14 16:19:03 UTC
Red Hat Product Errata | RHSA-2022:5069 | 0 | None | None | None | 2022-08-10 11:12:11 UTC

Description Mike Fedosin 2022-05-14 16:17:52 UTC
Description of problem:

Cluster CAPI Operator creates unnecessary defaulting webhooks based on the data from upstream cluster API providers. These webhooks are not used in OpenShift and they cause machine creation to fail.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Run ./hack/assets.sh
2. Check generated files in "assets" folder.
3. Ensure that MutatingWebhookConfiguration manifests do not have default webhooks for "cluster" objects (for instance, default.cluster.cluster.x-k8s.io).

Actual results:
Unnecessary webhooks are there.

Expected results:
There are no "cluster" related webhooks.

Additional info:
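
The check in steps 2 and 3 above, as an added example that is not part of the original report or the operator's own code: a shell function that scans generated manifests for MutatingWebhookConfiguration entries whose name matches a pattern. The default pattern covers only the webhook name quoted in the report; the function names, the sample manifest and its other webhook and service names are constructed for illustration.

```shell
#!/bin/sh
# Added example. Prints webhooks in MutatingWebhookConfiguration manifests under DIR
# whose name matches REGEX and returns 1 if any exist, 0 otherwise. Assumes the
# generated-manifest layout: top-level keys at column 0, unindented "webhooks:" items.
find_cluster_default_webhooks() {
  hits=$(PAT=${2:-'^default[.]cluster[.]cluster[.]x-k8s[.]io$'} \
    find "$1" -type f \( -name '*.yaml' -o -name '*.yml' \) -exec awk '
      function emit(   i) {             # report once the document kind is known
        if (kind == "MutatingWebhookConfiguration")
          for (i = 1; i <= n; i++)
            if (names[i] ~ ENVIRON["PAT"]) print FILENAME ": " names[i]
        kind = ""; n = 0; inhooks = 0
      }
      /^---/      { emit(); next }      # YAML document separator
      /^kind:/    { kind = $2 }
      /^[A-Za-z]/ { inhooks = ($1 == "webhooks:"); next }
      inhooks && /^(- |  )name:/ { v = $NF; gsub(/"/, "", v); names[++n] = v }
      END         { emit() }
    ' {} \; | sort)
  [ -z "$hits" ] && return 0
  printf '%s\n' "$hits"
  return 1
}

# Constructed sample input (not taken from the operator's real assets).
write_sample_assets() {
  cat > "$1/sample-webhooks.yaml" <<'EOF'
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: capi-mutating-webhook-configuration
webhooks:
- clientConfig:
    service:
      name: capi-webhook-service
  name: default.cluster.cluster.x-k8s.io
- name: default.machine.cluster.x-k8s.io
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
webhooks:
- name: validation.cluster.cluster.x-k8s.io
EOF
}

demo=$(mktemp -d) && write_sample_assets "$demo"
find_cluster_default_webhooks "$demo" || echo "FAIL: cluster defaulting webhooks present"
rm -rf "$demo"
```

Against a real checkout, the call would be `find_cluster_default_webhooks assets` after running `./hack/assets.sh`; a non-zero exit status makes it usable as a CI gate.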

Comment 3 Milind Yadav 2022-05-19 08:04:44 UTC
Validated, looks good to me, hence moving to VERIFIED.

Latest nightly containing the fix (7 webhooks) - 4.11.0-0.nightly-2022-05-18-171831
[miyadav@miyadav aws]$ oc get mutatingwebhookconfigurations --kubeconfig kc -n openshift-cluster-api
NAME                                  WEBHOOKS   AGE
capa-mutating-webhook-configuration   7          108m
capi-mutating-webhook-configuration   5          109m
machine-api                           2          163m
pod-identity-webhook                  1          159m

Old nightly without fix (12 webhooks) - 4.11.0-0.nightly-2022-05-11-054135
[miyadav@miyadav aws]$ oc edit featuregate cluster --kubeconfig kc2 
featuregate.config.openshift.io/cluster edited
[miyadav@miyadav aws]$ oc get mutatingwebhookconfigurations --kubeconfig kc2 -n openshift-cluster-api
NAME                                  WEBHOOKS   AGE
capa-mutating-webhook-configuration   12         7m58s
capi-mutating-webhook-configuration   8          8m31s
machine-api                           2          79m
pod-identity-webhook                  1          75m

Comment 4 Milind Yadav 2022-05-19 08:14:23 UTC
Sorry, moving back to ON-QA, wanted to get results reviewed. Do you think any extra webhooks are still present?

Comment 5 Mike Fedosin 2022-05-19 11:55:59 UTC
@ademicev confirmed that all unnecessary webhooks are gone. We keep only mandatory ones now.

Comment 7 Milind Yadav 2022-05-24 05:16:06 UTC
Did a validation again on the latest build, with featureSet: TechPreviewNoUpgrade

[miyadav@miyadav ~]$ oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.11.0-0.nightly-2022-05-20-213928   True        False         51m     Cluster version is 4.11.0-0.nightly-2022-05-20-213928
[miyadav@miyadav ~]$ oc project openshift-cluster-api
Now using project "openshift-cluster-api" on server "https://api.miyadav-2405.qe.devcluster.openshift.com:6443".
[miyadav@miyadav ~]$ oc get pods 
NAME                                                READY   STATUS    RESTARTS   AGE
capi-operator-controller-manager-5d59ddcbff-6mqjr   2/2     Running   0          49s
cluster-capi-operator-6984b66c5-n4p7t               1/1     Running   0          49s
[miyadav@miyadav ~]$ oc get mutatingwebhookconfigurations  -n openshift-cluster-api
NAME                   WEBHOOKS   AGE
machine-api            2          68m
pod-identity-webhook   1          62m
[miyadav@miyadav ~]$ oc get mutatingwebhookconfigurations  -n openshift-cluster-api
NAME                   WEBHOOKS   AGE
machine-api            2          68m
pod-identity-webhook   1          63m
[miyadav@miyadav ~]$ 

Here I do not see any mutating webhooks related to capa. Please review.

Comment 9 Milind Yadav 2022-06-24 10:53:49 UTC
As Mike suggested on Slack, good to move to VERIFIED. Please feel free to add more info, in case you want to document for later use.

Comment 10 Mike Fedosin 2022-06-24 17:05:23 UTC
Yes, the issue is fixed now - we don't create unnecessary defaulting webhooks anymore.

Comment 11 errata-xmlrpc 2022-08-10 11:12:00 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: OpenShift Container Platform 4.11.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Comment 12 Red Hat Bugzilla 2023-09-15 01:54:50 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 365 days
