Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-1549

DNS operator does not reconcile the openshift-dns namespace

XMLWordPrintable

    • Critical
    • None
    • 3
    • Sprint 225, Sprint 226
    • 2
    • Approved
    • False
    • Hide

      This breaks 4.9→4.10→4.11→4.12 upgrades. 

      Show
      This breaks 4.9→4.10→4.11→4.12 upgrades. 
    • Hide
      *Previously, the Cluster DNS Operator did not reconcile the `openshift-dns` namespace, which is a requirement for {product-title} 4.12 to have pod-security labels. With this update, the Cluster DNS Operator reconciles the `openshift-dns` namespace and the pod security labels are correct ensuring that pods startup with no problems. (link: https://issues.redhat.com/browse/OCPBUGS-1549[*OCPBUGS-1549*])
      Show
      *Previously, the Cluster DNS Operator did not reconcile the `openshift-dns` namespace, which is a requirement for {product-title} 4.12 to have pod-security labels. With this update, the Cluster DNS Operator reconciles the `openshift-dns` namespace and the pod security labels are correct ensuring that pods startup with no problems. (link: https://issues.redhat.com/browse/OCPBUGS-1549 [* OCPBUGS-1549 *])
    • Bug Fix
    • Done

      Description of problem:

      The cluster-dns-operator does not reconcile the openshift-dns namespace, which has been exposed as an issue in 4.12 due to the requirement for the namespace to have pod-security labels.

If a cluster has been incrementally updated from a version less than or equal to 4.9, the openshift-dns namespace will most likely not contain the required pod-security labels since the namespace was statically created when the cluster was installed with old namespace configuration.

      Version-Release number of selected component (if applicable):

      4.12

      How reproducible:

      Always if cluster originally installed with v4.9 or less

      Steps to Reproduce:

      1. Install v4.9
2. Upgrade to v4.12 (incrementally if required for upgrade path)
3. openshift-dns namespace will be missing pod-security labels

      Actual results:

      "oc get ns openshift-dns -o yaml" will show missing pod-security labels: 

apiVersion: v1
kind: Namespace
metadata:
  annotations:
    openshift.io/node-selector: ""
    openshift.io/sa.scc.mcs: s0:c15,c0
    openshift.io/sa.scc.supplemental-groups: 1000210000/10000
    openshift.io/sa.scc.uid-range: 1000210000/10000
  creationTimestamp: "2020-05-21T19:36:15Z"
  labels:
    kubernetes.io/metadata.name: openshift-dns
    olm.operatorgroup.uid/3d42c0c1-01cd-4c55-bf88-864f041c7e7a: ""
    openshift.io/cluster-monitoring: "true"
    openshift.io/run-level: "0"
  name: openshift-dns
  resourceVersion: "3127555382"
  uid: 0fb4571e-952f-4bea-bc45-461beec54369
spec:
  finalizers:
  - kubernetes

      Expected results:

      pod-security labels should exist:
 
 labels:
    kubernetes.io/metadata.name: openshift-dns
    olm.operatorgroup.uid/3d42c0c1-01cd-4c55-bf88-864f041c7e7a: ""
    openshift.io/cluster-monitoring: "true"
    openshift.io/run-level: "0"
    pod-security.kubernetes.io/audit: privileged
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/warn: privileged

      Additional info:

      Issue found in CI during upgrade

      https://coreos.slack.com/archives/C03G7REB4JV/p1663676443155839 

              cholman@redhat.com Candace Holman
              gspence@redhat.com Grant Spence
              Melvin Joseph Melvin Joseph
              Joe Aldinger Joe Aldinger
              Votes:
              0 Vote for this issue
              Watchers:
              12 Start watching this issue

                Created:
                Updated:
                Resolved: