Red Hat Advanced Cluster Management
ACM-2049

Gatekeeper Operator triggers the creation of many ServiceAccount secrets


    • ACM Sprint 24, ACM Sprint 25, ACM Sprint 26, GRC Sprint 2023-21, GRC Sprint 2023-22

      Description of problem:

      Installing the Gatekeeper Operator and creating a `gatekeeper.operator.gatekeeper.sh` object results in a large number of Secrets being created in the `openshift-gatekeeper-system` Namespace.

      This appears to be related to the number of times the Operator attempts to reconcile before the Gatekeeper Deployment's replica count matches the desired count.

      From the logs we can see that the `system-admin` ServiceAccount is reconciled 11 times and there are the same number of ServiceAccount tokens.

      It appears that on every retry, the update triggers the controller manager to regenerate the ServiceAccount credentials.

      When the Gatekeeper image pulls are slow, this can result in a very large number of Secrets being generated.

      Version-Release number of selected component (if applicable):

      GitVersion:"v0.2.4", GitCommit:"b18e07909b0ea04808f4c00327744c013cacb816", GitTreeState:"clean", BuildDate:"2022-10-24T16:17:17Z", GoVersion:"go1.18.4", Compiler:"gc", Platform:"linux/amd64"

      How reproducible:

      Every time

      Steps to Reproduce:

      1. A bash script in the comments of this Jira ticket shows how to reproduce this issue; running it should produce the behaviour described.

      Actual results:

      There are many Secrets created (3× the number of reconcile loops, since each pass generates ServiceAccount token and dockercfg Secrets).

      Expected results:

      The `gatekeeper-admin` ServiceAccount should only have 3 Secrets generated for tokens and dockercfg.

      Additional info:

      Please run the script and reach out if there is any difficulty reproducing the issue.

      ~~~

      ⇒ oc log -c manager deploy/gatekeeper-operator-controller | grep "openshift-gatekeeper-system/gatekeeper-admin"
      2022-11-11T06:23:34.564Z        INFO    controllers.Gatekeeper  Updated Gatekeeper resource     {"Gatekeeper resource": "openshift-gatekeeper-system/gatekeeper-admin"}
      2022-11-11T06:23:40.255Z        INFO    controllers.Gatekeeper  Updated Gatekeeper resource     {"Gatekeeper resource": "openshift-gatekeeper-system/gatekeeper-admin"}
      2022-11-11T06:23:40.754Z        INFO    controllers.Gatekeeper  Updated Gatekeeper resource     {"Gatekeeper resource": "openshift-gatekeeper-system/gatekeeper-admin"}
      2022-11-11T06:23:41.230Z        INFO    controllers.Gatekeeper  Updated Gatekeeper resource     {"Gatekeeper resource": "openshift-gatekeeper-system/gatekeeper-admin"}
      2022-11-11T06:23:41.687Z        INFO    controllers.Gatekeeper  Updated Gatekeeper resource     {"Gatekeeper resource": "openshift-gatekeeper-system/gatekeeper-admin"}
      2022-11-11T06:23:42.137Z        INFO    controllers.Gatekeeper  Updated Gatekeeper resource     {"Gatekeeper resource": "openshift-gatekeeper-system/gatekeeper-admin"}
      2022-11-11T06:23:42.658Z        INFO    controllers.Gatekeeper  Updated Gatekeeper resource     {"Gatekeeper resource": "openshift-gatekeeper-system/gatekeeper-admin"}
      2022-11-11T06:23:43.295Z        INFO    controllers.Gatekeeper  Updated Gatekeeper resource     {"Gatekeeper resource": "openshift-gatekeeper-system/gatekeeper-admin"}
      2022-11-11T06:23:44.087Z        INFO    controllers.Gatekeeper  Updated Gatekeeper resource     {"Gatekeeper resource": "openshift-gatekeeper-system/gatekeeper-admin"}
      2022-11-11T06:23:45.206Z        INFO    controllers.Gatekeeper  Updated Gatekeeper resource     {"Gatekeeper resource": "openshift-gatekeeper-system/gatekeeper-admin"}
      2022-11-11T06:23:47.025Z        INFO    controllers.Gatekeeper  Updated Gatekeeper resource     {"Gatekeeper resource": "openshift-gatekeeper-system/gatekeeper-admin"}
      ...

      ⇒ oc get secrets -n openshift-gatekeeper-system | grep gatekeeper-admin-dockercfg
      gatekeeper-admin-dockercfg-24qm6   kubernetes.io/dockercfg               1      16m
      gatekeeper-admin-dockercfg-2hrmq   kubernetes.io/dockercfg               1      16m
      gatekeeper-admin-dockercfg-798zk   kubernetes.io/dockercfg               1      16m
      gatekeeper-admin-dockercfg-8k7s5   kubernetes.io/dockercfg               1      16m
      gatekeeper-admin-dockercfg-bn8jm   kubernetes.io/dockercfg               1      16m
      gatekeeper-admin-dockercfg-df4xf   kubernetes.io/dockercfg               1      16m
      gatekeeper-admin-dockercfg-fxj4s   kubernetes.io/dockercfg               1      16m
      gatekeeper-admin-dockercfg-hrjvf   kubernetes.io/dockercfg               1      16m
      gatekeeper-admin-dockercfg-jj8jr   kubernetes.io/dockercfg               1      16m
      gatekeeper-admin-dockercfg-lw7x2   kubernetes.io/dockercfg               1      16m
      gatekeeper-admin-dockercfg-nrdl9   kubernetes.io/dockercfg               1      16m
      ...
      ~~~
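One way to check a namespace for this symptom, as an added example that is not part of the ticket: the listing below is constructed to mirror the output above, and the `count_sa_secrets` and `check_sa_secret_sprawl` functions are mine, assuming the default `oc get secrets` column layout and the `<sa>-dockercfg-<rand>` / `<sa>-token-<rand>` naming.

```shell
#!/bin/sh
# Added example, not from the ticket: flag ServiceAccount Secret sprawl from
# `oc get secrets -n <ns>` output. Assumes the default column layout
# "NAME TYPE DATA AGE" and the OpenShift naming <sa>-dockercfg-<rand> /
# <sa>-token-<rand> seen in the ticket's listing.

# Constructed sample listing modelled on the ticket: gatekeeper-admin has
# accumulated six generated Secrets, builder has the normal amount.
SAMPLE='NAME                               TYPE                                  DATA   AGE
gatekeeper-admin-dockercfg-24qm6   kubernetes.io/dockercfg               1      16m
gatekeeper-admin-dockercfg-2hrmq   kubernetes.io/dockercfg               1      16m
gatekeeper-admin-dockercfg-798zk   kubernetes.io/dockercfg               1      16m
gatekeeper-admin-token-7dx2p       kubernetes.io/service-account-token   4      16m
gatekeeper-admin-token-k9mz4       kubernetes.io/service-account-token   4      16m
gatekeeper-admin-token-q3vw8       kubernetes.io/service-account-token   4      16m
builder-dockercfg-x7z9q            kubernetes.io/dockercfg               1      3d
builder-token-p2r4s                kubernetes.io/service-account-token   4      3d
my-app-tls                         kubernetes.io/tls                     2      3d'

# Read a secret listing on stdin; print "<serviceaccount> <count>" for the
# Secrets the controller manager generates (dockercfg and SA tokens),
# grouped by the ServiceAccount name with the random suffix stripped.
count_sa_secrets() {
    awk '$2 == "kubernetes.io/dockercfg" || $2 == "kubernetes.io/service-account-token" {
             sa = $1
             sub(/-(dockercfg|token)-[a-z0-9]+$/, "", sa)
             count[sa]++
         }
         END { for (sa in count) print sa, count[sa] }' | sort
}

# Check a listing (stdin) against a per-SA limit (default 3, the number the
# ticket expects: token, dockercfg, and the token backing the dockercfg).
# Prints offenders and returns 1 when any ServiceAccount exceeds the limit.
check_sa_secret_sprawl() {
    count_sa_secrets | awk -v limit="${1:-3}" '
        $2 > limit { print "sprawl: " $1 " has " $2 " generated Secrets (limit " limit ")"; bad = 1 }
        END { exit (bad ? 1 : 0) }'
}

# Stand-alone run over the constructed sample; on a live cluster pipe
# `oc get secrets -n openshift-gatekeeper-system` in instead.
printf '%s\n' "$SAMPLE" | check_sa_secret_sprawl 3 || echo "sprawl detected (exit 1)"
```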

              dhaiduce Dale Haiducek
              rhn-support-mwasher Michael Washer (Inactive)
              Dale Haiducek, Yi Rae Kim
              Derek Ho Derek Ho