OpenShift Bugs: OCPBUGS-1549

DNS operator does not reconcile the openshift-dns namespace

Details

    • Priority: Critical
    • 3
    • Sprint: Sprint 225, Sprint 226
    • 2
    • Approved
    • False
    • This breaks 4.9→4.10→4.11→4.12 upgrades.
    • Release Note Text: *Previously, the Cluster DNS Operator did not reconcile the `openshift-dns` namespace, which {product-title} 4.12 requires so that the namespace carries pod-security labels. With this update, the Cluster DNS Operator reconciles the `openshift-dns` namespace, so the pod security labels are correct and pods start up without problems. (link: https://issues.redhat.com/browse/OCPBUGS-1549[*OCPBUGS-1549*])
    • Release Note Type: Bug Fix
    • Done

    Description

      Description of problem:

      The cluster-dns-operator does not reconcile the openshift-dns namespace. This has surfaced as a problem in 4.12, which requires the namespace to carry pod-security labels.

      If a cluster has been incrementally updated from a version at or below 4.9, the openshift-dns namespace will most likely lack the required pod-security labels, because the namespace was created statically at install time with the old namespace configuration and nothing has updated it since.

      Version-Release number of selected component (if applicable):

      4.12

      How reproducible:

      Always, if the cluster was originally installed with v4.9 or earlier.

      Steps to Reproduce:

      1. Install v4.9.
      2. Upgrade to v4.12 (incrementally if the upgrade path requires it).
      3. The openshift-dns namespace will be missing the pod-security labels.

      Actual results:

      "oc get ns openshift-dns -o yaml" shows the namespace without pod-security labels:
      
      apiVersion: v1
      kind: Namespace
      metadata:
        annotations:
          openshift.io/node-selector: ""
          openshift.io/sa.scc.mcs: s0:c15,c0
          openshift.io/sa.scc.supplemental-groups: 1000210000/10000
          openshift.io/sa.scc.uid-range: 1000210000/10000
        creationTimestamp: "2020-05-21T19:36:15Z"
        labels:
          kubernetes.io/metadata.name: openshift-dns
          olm.operatorgroup.uid/3d42c0c1-01cd-4c55-bf88-864f041c7e7a: ""
          openshift.io/cluster-monitoring: "true"
          openshift.io/run-level: "0"
        name: openshift-dns
        resourceVersion: "3127555382"
        uid: 0fb4571e-952f-4bea-bc45-461beec54369
      spec:
        finalizers:
        - kubernetes

      Expected results:

      The pod-security labels should exist:

        labels:
          kubernetes.io/metadata.name: openshift-dns
          olm.operatorgroup.uid/3d42c0c1-01cd-4c55-bf88-864f041c7e7a: ""
          openshift.io/cluster-monitoring: "true"
          openshift.io/run-level: "0"
          pod-security.kubernetes.io/audit: privileged
          pod-security.kubernetes.io/enforce: privileged
          pod-security.kubernetes.io/warn: privileged
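      The reconcile logic this bug calls for, shown as an added example that is not the cluster-dns-operator's own code: the operator must treat the namespace labels as desired state and converge the live object to it on every pass, rather than relying on what the installer wrote at cluster creation. The example uses only the three pod-security labels from the Expected results above as the desired set (assumption: the real operator manages more of the namespace than this), works on plain label maps with no Kubernetes client, and the function names missingPodSecurityLabels and reconcileNamespaceLabels are hypothetical. The sample input is constructed from the Actual results above.

```go
package main

import (
	"fmt"
	"sort"
)

// The Pod Security Admission labels that this bug's "Expected results" show
// on the openshift-dns namespace. Assumption: the real operator owns more of
// the namespace than these three keys; this example covers only them.
var desiredPodSecurityLabels = map[string]string{
	"pod-security.kubernetes.io/enforce": "privileged",
	"pod-security.kubernetes.io/audit":   "privileged",
	"pod-security.kubernetes.io/warn":    "privileged",
}

// missingPodSecurityLabels returns, sorted for stable output, the desired
// label keys that are absent from current or carry a different value.
// A wrong value (e.g. enforce=restricted) is reported, not just a missing key.
func missingPodSecurityLabels(current map[string]string) []string {
	var missing []string
	for k, want := range desiredPodSecurityLabels {
		if got, ok := current[k]; !ok || got != want {
			missing = append(missing, k)
		}
	}
	sort.Strings(missing)
	return missing
}

// reconcileNamespaceLabels merges the desired labels into the namespace's
// current labels without touching keys the operator does not own (such as
// olm.operatorgroup.uid/... or openshift.io/run-level). It returns the merged
// label set and whether an update is needed, so a controller that calls it
// on every reconcile pass repairs the install-time gap and any later drift,
// and is a no-op once the namespace is correct.
func reconcileNamespaceLabels(current map[string]string) (map[string]string, bool) {
	merged := make(map[string]string, len(current)+len(desiredPodSecurityLabels))
	for k, v := range current {
		merged[k] = v
	}
	changed := false
	for k, want := range desiredPodSecurityLabels {
		if got, ok := merged[k]; !ok || got != want {
			merged[k] = want
			changed = true
		}
	}
	return merged, changed
}

func main() {
	// Constructed input: the labels from the bug's "Actual results", i.e. a
	// namespace created statically at 4.9 install time and carried through
	// the upgrade chain untouched.
	staleNamespace := map[string]string{
		"kubernetes.io/metadata.name": "openshift-dns",
		"olm.operatorgroup.uid/3d42c0c1-01cd-4c55-bf88-864f041c7e7a": "",
		"openshift.io/cluster-monitoring": "true",
		"openshift.io/run-level":          "0",
	}
	fmt.Println("missing before reconcile:", missingPodSecurityLabels(staleNamespace))

	merged, changed := reconcileNamespaceLabels(staleNamespace)
	fmt.Println("update needed:", changed)
	fmt.Println("missing after reconcile:", missingPodSecurityLabels(merged))
	fmt.Println("run-level label preserved:", merged["openshift.io/run-level"] == "0")

	// A second pass must be a no-op; an idempotent reconcile loop depends on it.
	_, changedAgain := reconcileNamespaceLabels(merged)
	fmt.Println("update needed on second pass:", changedAgain)
}
```

      To feed a live cluster into the same check, the current label map can be read with the `oc get ns openshift-dns -o yaml` command quoted in the Actual results and compared against the desired set; the point of the fix is that the operator performs this comparison itself rather than an administrator doing it after an upgrade.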

      Additional info:

      Issue found in CI during an upgrade.

      https://coreos.slack.com/archives/C03G7REB4JV/p1663676443155839 

      People

        cholman@redhat.com Candace Holman
        gspence@redhat.com Grant Spence
        Melvin Joseph
        Joe Aldinger