  1. OpenShift Bugs
  2. OCPBUGS-15038

OwnerRefInvalidNamespace rolebinding/keda-auth-reader in kube-system


    • Bug
    • Resolution: Done
    • Normal
    • None
    • 4.13, 4.12, 4.11, 4.10
    • Pod Autoscaler
    • +
    • Moderate
    • No
    • 2
    • OCPNODE Sprint 238 (Green)
    • 1
    • False
      Cause:
      A bug in Custom Metrics Autoscaler Operator caused it to attempt to take ownership of all managed objects, even cluster-scoped objects and objects in other namespaces.
      Consequence:
      Custom Metrics Autoscaler was unable to create a rolebinding for reading the credentials necessary to be an API server. This caused error events in the kube-system namespace.
      Fix:
      The Custom Metrics Autoscaler Operator skips adding the ownerReference field on any cluster-scoped object or object in another namespace.
      Result:
      The rolebinding is now created without any errors.
    • Bug Fix
    • Proposed

      Description of problem:

      After installing KEDA GA, once the KedaController CR is created, the error below is observed:

      ```
      $ oc get events -n kube-system|grep -i keda
      4m51s       Warning   OwnerRefInvalidNamespace   rolebinding/keda-auth-reader   ownerRef [keda.sh/v1alpha1/KedaController, namespace: kube-system, name: keda, uid: 1e9a6cd3-17e8-4dec-832f-64ab6db759fe] does not exist in namespace "kube-system"
      ...
      ```

      Version-Release number of selected component (if applicable):

      ```
      $ oc get clusterversion
      NAME      VERSION   AVAILABLE   PROGRESSING   SINCE   STATUS
      version   4.13.1    True        False         3h55m   Cluster version is 4.13.1

      $ oc get csv -n openshift-keda
      NAME                                    DISPLAY                            VERSION      REPLACES                        PHASE
      custom-metrics-autoscaler.v2.10.1-253   Custom Metrics Autoscaler          2.10.1-253                                   Succeeded
      ```

      How reproducible:

      Always 

      Steps to Reproduce:

      1. Install KEDA GA version - 2.10.1-253 
      
      2. Create KedaController CRD, for example:
      ```
      $ cat kedaController.yaml 
      apiVersion: keda.sh/v1alpha1
      kind: KedaController
      metadata:
        creationTimestamp: "2023-06-14T12:25:31Z"
        finalizers:
        - finalizer.kedacontroller.keda.sh
        generation: 1
        name: keda
        namespace: openshift-keda
        resourceVersion: "944510"
        uid: e39a65a8-67a2-40e6-85b3-726a4307b3b6
      spec:
        admissionWebhooks:
          logEncoder: console
          logLevel: info
        metricsServer:
          logLevel: "0"
        operator:
          logEncoder: console
          logLevel: info
        watchNamespace: ""
      ```
      
      3. Verify logs in the kube-system namespace indicating `OwnerRefInvalidNamespace rolebinding/keda-auth-reader`
      
      ```
      $ oc get events -n kube-system|grep -i keda
      4m51s       Warning   OwnerRefInvalidNamespace   rolebinding/keda-auth-reader   ownerRef [keda.sh/v1alpha1/KedaController, namespace: kube-system, name: keda, uid: 1e9a6cd3-17e8-4dec-832f-64ab6db759fe] does not exist in namespace "kube-system"
      ...
      ```
      
      4. Confirm that the rolebinding doesn't exist in the kube-system namespace:
      
      ```
      $ oc get rolebinding/keda-auth-reader -n kube-system
      Error from server (NotFound): rolebindings.rbac.authorization.k8s.io "keda-auth-reader" not found
      ```

      Actual results:

      Observed OwnerRefInvalidNamespace in the kube-system namespace 
      
      ```
      $ oc get events -n kube-system|grep -i keda
      4m51s       Warning   OwnerRefInvalidNamespace   rolebinding/keda-auth-reader   ownerRef [keda.sh/v1alpha1/KedaController, namespace: kube-system, name: keda, uid: 1e9a6cd3-17e8-4dec-832f-64ab6db759fe] does not exist in namespace "kube-system"
      ...
      ```

      Expected results:

      No errors

      Additional info:

       

            joelsmith.redhat Joel Smith
            rhn-support-ocasalsa Oscar Casal Sanchez
            Weinan Liu Weinan Liu
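
The rule behind the fix in the release note (no ownerReference on cluster-scoped objects or on objects in another namespace), sketched as an added Go example that is not the operator's own code. The `Object` type, the function names and the two `example-*` objects are assumptions made for illustration; only the KedaController in `openshift-keda` and the `keda-auth-reader` rolebinding in `kube-system` come from the report.

```go
package main

import "fmt"

// Object is a minimal, hypothetical stand-in for Kubernetes object metadata.
// An empty Namespace means the object is cluster-scoped.
type Object struct {
	Kind, Namespace, Name string
	Owner                 string // "Kind/Name" of the owner, "" if none was set
}

// mayOwn applies the Kubernetes ownerReference rule: a cluster-scoped owner may
// own any object; a namespaced owner may only own namespaced objects that live
// in its own namespace.
func mayOwn(owner, obj Object) bool {
	if owner.Namespace == "" {
		return true
	}
	return obj.Namespace != "" && obj.Namespace == owner.Namespace
}

// applyOwnership sets the owner only where the reference would be valid and
// returns the objects it skipped, mirroring the behaviour the fix describes.
func applyOwnership(owner Object, managed []*Object) (skipped []string) {
	for _, o := range managed {
		if !mayOwn(owner, *o) {
			skipped = append(skipped, o.Kind+"/"+o.Name)
			continue
		}
		o.Owner = owner.Kind + "/" + owner.Name
	}
	return skipped
}

// sampleManaged returns constructed objects; only keda-auth-reader is from the page.
func sampleManaged() []*Object {
	return []*Object{
		{Kind: "Deployment", Namespace: "openshift-keda", Name: "example-deployment"},
		{Kind: "RoleBinding", Namespace: "kube-system", Name: "keda-auth-reader"},
		{Kind: "ClusterRole", Namespace: "", Name: "example-clusterrole"},
	}
}

func main() {
	owner := Object{Kind: "KedaController", Namespace: "openshift-keda", Name: "keda"}
	objs := sampleManaged()
	fmt.Println("skipped:", applyOwnership(owner, objs))
	for _, o := range objs {
		fmt.Printf("%s/%s owner=%q\n", o.Kind, o.Name, o.Owner)
	}
}
```

Objects that are skipped are still created, just without an owner, so they are not garbage-collected with the KedaController and need explicit cleanup.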