Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-1549

DNS operator does not reconcile the openshift-dns namespace

    XMLWordPrintable

Details

    • Bug
    • Status: Closed
    • Blocker
    • Resolution: Done
    • 4.12, 4.11
    • None
    • Networking / DNS
    • Critical
    • Sprint 225, Sprint 226
    • 3
    • Approved
    • Hide

      This breaks 4.9→4.10→4.11→4.12 upgrades. 

      Show
      This breaks 4.9→4.10→4.11→4.12 upgrades. 
    • Hide
      *Previously, the Cluster DNS Operator did not reconcile the `openshift-dns` namespace, which is a requirement for {product-title} 4.12 to have pod-security labels. With this update, the Cluster DNS Operator reconciles the `openshift-dns` namespace and the pod security labels are correct ensuring that pods startup with no problems. (link: https://issues.redhat.com/browse/OCPBUGS-1549[*OCPBUGS-1549*])
      Show
      *Previously, the Cluster DNS Operator did not reconcile the `openshift-dns` namespace, which is a requirement for {product-title} 4.12 to have pod-security labels. With this update, the Cluster DNS Operator reconciles the `openshift-dns` namespace and the pod security labels are correct ensuring that pods startup with no problems. (link: https://issues.redhat.com/browse/OCPBUGS-1549 [* OCPBUGS-1549 *])
    • Bug Fix
    • Done

    Description

      Description of problem:

      The cluster-dns-operator does not reconcile the openshift-dns namespace, which has been exposed as an issue in 4.12 due to the requirement for the namespace to have pod-security labels.
      
      If a cluster has been incrementally updated from a version less than or equal to 4.9, the openshift-dns namespace will most likely not contain the required pod-security labels since the namespace was statically created when the cluster was installed with old namespace configuration.

      Version-Release number of selected component (if applicable):

      4.12

      How reproducible:

      Always if cluster originally installed with v4.9 or less

      Steps to Reproduce:

      1. Install v4.9
      2. Upgrade to v4.12 (incrementally if required for upgrade path)
      3. openshift-dns namespace will be missing pod-security labels

      Actual results:

      "oc get ns openshift-dns -o yaml" will show missing pod-security labels: 
      
      apiVersion: v1
      kind: Namespace
      metadata:
        annotations:
          openshift.io/node-selector: ""
          openshift.io/sa.scc.mcs: s0:c15,c0
          openshift.io/sa.scc.supplemental-groups: 1000210000/10000
          openshift.io/sa.scc.uid-range: 1000210000/10000
        creationTimestamp: "2020-05-21T19:36:15Z"
        labels:
          kubernetes.io/metadata.name: openshift-dns
          olm.operatorgroup.uid/3d42c0c1-01cd-4c55-bf88-864f041c7e7a: ""
          openshift.io/cluster-monitoring: "true"
          openshift.io/run-level: "0"
        name: openshift-dns
        resourceVersion: "3127555382"
        uid: 0fb4571e-952f-4bea-bc45-461beec54369
      spec:
        finalizers:
        - kubernetes

      Expected results:

      pod-security labels should exist:
       
       labels:
          kubernetes.io/metadata.name: openshift-dns
          olm.operatorgroup.uid/3d42c0c1-01cd-4c55-bf88-864f041c7e7a: ""
          openshift.io/cluster-monitoring: "true"
          openshift.io/run-level: "0"
          pod-security.kubernetes.io/audit: privileged
          pod-security.kubernetes.io/enforce: privileged
          pod-security.kubernetes.io/warn: privileged

      Additional info:

      Issue found in CI during upgrade

      https://coreos.slack.com/archives/C03G7REB4JV/p1663676443155839 

      Attachments

        Issue Links

          Activity

            People

              cholman@redhat.com Candace Holman
              gspence@redhat.com Grant Spence
              Melvin Joseph Melvin Joseph
              Joe Aldinger Joe Aldinger
              Votes:
              0 Vote for this issue
              Watchers:
              11 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: