Description of problem (please be as detailed as possible and provide log snippets):

The liveness container in the cephfs provisioner and daemonset pods exposes HTTP ports to serve the metrics endpoints. We have two problems with it:

1. The metrics are exposed on the HTTP port without TLS. This will be problematic for customers as it's a security problem.
2. No one is consuming these metrics; they were there only for debugging purposes, and they were not helpful for the admins/users.

Version of all relevant components (if applicable):

Does this issue impact your ability to continue to work with the product (please explain in detail what is the user impact)?

Is there any workaround available to the best of your knowledge? No

Rate from 1 - 5 the complexity of the scenario you performed that caused this bug (1 - very simple, 5 - very complex)?

Is this issue reproducible? Yes

Can this issue be reproduced from the UI? Deploy ODF

If this is a regression, please provide more details to justify this:

Steps to Reproduce:
1. Deploy ODF
2. Check the liveness container running on csi pods
3. On the node where daemonset pods are running, the host ports 9080 and 9081 are opened and used.

Expected results: The liveness sidecar container should be disabled in all csi pods and cephcsi should not use ports 9080 and 9081 on the host.

Additional info:
Moving the bug to the next z stream as we have exhausted the limit for 4.11.4
@tnielsen please, provide Fixed in version. Regards
- This was also merged to 4.10 with BZ 2142902
- The fix is available in 4.10.9 and 4.11.4
Verified that container 'liveness-prometheus' is not running on any csi pod.

OC version:
Client Version: 4.12.0-202208031327
Kustomize Version: v4.5.4
Server Version: 4.12.0-0.nightly-2023-01-08-142418
Kubernetes Version: v1.25.4+77bec7a

OCS version:
ocs-operator.v4.12.0-156.stable OpenShift Container Storage 4.12.0-156.stable Succeeded

Cluster version:
NAME VERSION AVAILABLE PROGRESSING SINCE STATUS
version 4.12.0-0.nightly-2023-01-08-142418 True False 5h30m Cluster version is 4.12.0-0.nightly-2023-01-08-142418

Rook version:
rook: v4.12.0-0.f4e99907f9b9f05a190303465f61d12d5d24cace
go: go1.18.7

Ceph version:
ceph version 16.2.10-90.el8cp (821b516c325c19f31b81b943cd800c2190f1e685) pacific (stable)

===========
script:

    # $1 is the string to look for (here the container name) in each pod's description
    oc get pods -o custom-columns=POD:.metadata.name --no-headers -n openshift-storage | while read line; do
      if [[ $(oc describe pod "$line" -n openshift-storage | grep "$1") ]]; then
        echo -en "\a"
        echo "'$line'" - FAILED
      else
        echo "$line" - PASSED
      fi
    done
Verified that container 'liveness-prometheus' is not running on any csi pod.

OC version:
Client Version: 4.12.0-202208031327
Kustomize Version: v4.5.4
Server Version: 4.11.0-0.nightly-2023-01-07-041900
Kubernetes Version: v1.24.6+5658434

OCS version:
ocs-operator.v4.11.4 OpenShift Container Storage 4.11.4 ocs-operator.v4.11.3 Succeeded

Cluster version:
NAME VERSION AVAILABLE PROGRESSING SINCE STATUS
version 4.11.0-0.nightly-2023-01-07-041900 True False 9h Cluster version is 4.11.0-0.nightly-2023-01-07-041900

Rook version:
rook: v4.11.4-0.96e324244ec878d70194179a2892ec7193f6b591
go: go1.17.12

Ceph version:
ceph version 16.2.8-84.el8cp (c2980f2fd700e979d41b4bad2939bb90f0fe435c) pacific (stable)
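An added example, not part of the original bug thread or of the ODF/Rook code: a structured version of the check above that reads `oc get pods -o json` output and covers both expected results, the absent 'liveness-prometheus' container and no declared use of host ports 9080/9081. The pod names in the sample are constructed, and treating `containerPort` as the host port on `hostNetwork` pods is an assumption of this sketch.

```python
import json
import sys

SIDECAR = "liveness-prometheus"   # container name from the verification comments
HOST_PORTS = {9080, 9081}         # host ports named in the bug description


def find_violations(pod_list):
    """Return (pod, container, reason) tuples for a parsed `oc get pods -o json` document."""
    findings = []
    for pod in pod_list.get("items", []):
        name = pod["metadata"]["name"]
        spec = pod.get("spec", {})
        host_net = spec.get("hostNetwork", False)
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            if c["name"] == SIDECAR:
                findings.append((name, c["name"], "liveness sidecar present"))
            for p in c.get("ports", []):
                # Assumption: on a hostNetwork pod the containerPort is the host port.
                port = p.get("hostPort") or (p.get("containerPort") if host_net else None)
                if port in HOST_PORTS:
                    findings.append((name, c["name"], f"host port {port} in use"))
    return findings


# Constructed sample: one pod as it would look before the fix, one after.
SAMPLE = {"items": [
    {"metadata": {"name": "csi-cephfsplugin-aaaaa"},
     "spec": {"hostNetwork": True, "containers": [
         {"name": "csi-cephfsplugin"},
         {"name": "liveness-prometheus", "ports": [{"containerPort": 9081}]}]}},
    {"metadata": {"name": "csi-rbdplugin-bbbbb"},
     "spec": {"hostNetwork": True, "containers": [{"name": "csi-rbdplugin"}]}},
]}

if __name__ == "__main__":
    # Real data: oc get pods -n openshift-storage -o json | python3 this_file.py
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    results = find_violations(data)
    for pod, container, reason in results:
        print(f"{pod}/{container}: {reason} - FAILED")
    sys.exit(1 if results else 0)
```

The check only sees ports declared in the pod spec; a process that listens without declaring its port has to be checked on the node itself.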
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Red Hat OpenShift Data Foundation 4.11.5 Bug Fix Update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2023:0764