Description of problem:
Cluster CAPI Operator creates unnecessary defaulting webhooks based on the data from upstream cluster API providers. These webhooks are not used in OpenShift and they cause machine creation to fail.

Version-Release number of selected component (if applicable):
4.11

How reproducible:
Always

Steps to Reproduce:
1. Run ./hack/assets.sh
2. Check generated files in "assets" folder.
3. Ensure that MutatingWebhookConfiguration manifests do not have default webhooks for "cluster" objects (for instance, default.cluster.cluster.x-k8s.io).

Actual results:
Unnecessary webhooks are there.

Expected results:
There are no "cluster" related webhooks.

Additional info:
---
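
An added example, not part of the original report or the operator's code: the check from step 3 done by webhook name and target resource rather than by eye, over JSON shaped like the output of `oc get mutatingwebhookconfigurations -o json`. The function name, the sample data and the assumption that defaulting webhooks are named with a "default." prefix (as in the name quoted above) are illustrative.

```python
import json

# Constructed sample, shaped like `oc get mutatingwebhookconfigurations -o json`.
SAMPLE = json.dumps({
    "kind": "List",
    "items": [
        {"kind": "MutatingWebhookConfiguration",
         "metadata": {"name": "capi-mutating-webhook-configuration"},
         "webhooks": [
             {"name": "default.cluster.cluster.x-k8s.io",
              "rules": [{"operations": ["CREATE", "UPDATE"],
                         "resources": ["clusters"]}]},
             {"name": "default.machine.cluster.x-k8s.io",
              "rules": [{"operations": ["CREATE", "UPDATE"],
                         "resources": ["machines"]}]},
         ]},
        {"kind": "MutatingWebhookConfiguration",
         "metadata": {"name": "machine-api"},
         "webhooks": [
             {"name": "default.machine.machine.openshift.io",
              "rules": [{"operations": ["CREATE"],
                         "resources": ["machines"]}]},
         ]},
    ],
})


def defaulting_webhooks(listing, resources=("clusters",)):
    """Return (configuration, webhook) name pairs for defaulting webhooks
    whose rules target any of the given resources."""
    doc = json.loads(listing)
    # Accept either a List wrapper or a single configuration object.
    items = doc["items"] if "items" in doc else [doc]
    wanted = set(resources)
    hits = []
    for cfg in items:
        if cfg.get("kind") != "MutatingWebhookConfiguration":
            continue
        for wh in cfg.get("webhooks") or []:  # "webhooks" may be absent or null
            # Assumption: defaulting webhooks carry the "default." name prefix.
            if not wh.get("name", "").startswith("default."):
                continue
            targeted = {r for rule in wh.get("rules") or []
                        for r in rule.get("resources") or []}
            if targeted & wanted:
                hits.append((cfg["metadata"]["name"], wh["name"]))
    return hits
```

An empty result for the "clusters" resource corresponds to the expected results above; any pair returned names the configuration and the webhook to look at.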
Validated, looks good to me, hence moving to VERIFIED.

Latest nightly containing the fix (7 webhooks) - 4.11.0-0.nightly-2022-05-18-171831

[miyadav@miyadav aws]$ oc get mutatingwebhookconfigurations --kubeconfig kc -n openshift-cluster-api
NAME                                  WEBHOOKS   AGE
capa-mutating-webhook-configuration   7          108m
capi-mutating-webhook-configuration   5          109m
machine-api                           2          163m
pod-identity-webhook                  1          159m

Old nightly without fix (12 webhooks) 4.11.0-0.nightly-2022-05-11-054135

[miyadav@miyadav aws]$ oc edit featuregate cluster --kubeconfig kc2
featuregate.config.openshift.io/cluster edited
[miyadav@miyadav aws]$ oc get mutatingwebhookconfigurations --kubeconfig kc2 -n openshift-cluster-api
NAME                                  WEBHOOKS   AGE
capa-mutating-webhook-configuration   12         7m58s
capi-mutating-webhook-configuration   8          8m31s
machine-api                           2          79m
pod-identity-webhook                  1          75m

Sorry, moving back to ON-QA; wanted to get results reviewed. Do you think any extra webhooks are still present?
@ademicev confirmed that all unnecessary webhooks are gone. We keep only mandatory ones now.
Did a validation again on the latest build, with featureSet: TechPreviewNoUpgrade

[miyadav@miyadav ~]$ oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.11.0-0.nightly-2022-05-20-213928   True        False         51m     Cluster version is 4.11.0-0.nightly-2022-05-20-213928
[miyadav@miyadav ~]$ oc project openshift-cluster-api
Now using project "openshift-cluster-api" on server "https://api.miyadav-2405.qe.devcluster.openshift.com:6443".
[miyadav@miyadav ~]$ oc get pods
NAME                                                READY   STATUS    RESTARTS   AGE
capi-operator-controller-manager-5d59ddcbff-6mqjr   2/2     Running   0          49s
cluster-capi-operator-6984b66c5-n4p7t               1/1     Running   0          49s
[miyadav@miyadav ~]$ oc get mutatingwebhookconfigurations -n openshift-cluster-api
NAME                   WEBHOOKS   AGE
machine-api            2          68m
pod-identity-webhook   1          62m
[miyadav@miyadav ~]$ oc get mutatingwebhookconfigurations -n openshift-cluster-api
NAME                   WEBHOOKS   AGE
machine-api            2          68m
pod-identity-webhook   1          63m
[miyadav@miyadav ~]$

Here I do not see any mutating webhooks related to capa. Please review.

As Mike suggested on Slack, good to move to VERIFIED. Please feel free to add more info in case you want to document for later use.
Yes, the issue is fixed now - we don't create unnecessary defaulting webhooks anymore.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: OpenShift Container Platform 4.11.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:5069
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 365 days