Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-30741

kube-scheduled certificates not correctly rotated after restart of cluster powered of for 2 months

    XMLWordPrintable

Details

    • Moderate
    • No
    • False
    • Hide

      None

      Show
      None

    Description

      Description of problem:

      The cluster was powered off for 2 months. After restarting the cluster, pods are not able to be scheduled.

Errors and warnings "failed to list" and "failed to watch" "Unauthorized" in the `kube-scheduler` pods.

"Unable to authenticate the request" errors with message "x509: certificate signed by unknown authority" in `kube-apiserver` logs.

Similar to BZ 2036870 [1]

       

      Version-Release number of selected component (if applicable):

      4.12

       

      How reproducible:

      unsure

       

      Actual results:

      The `kube-scheduler` certificate is not properly regenerated.

       

      Expected results:

      `kube-scheduler` certificate properly regenerated.

       

      Additional info:

      The `kube-scheduler` certificate was the same than the certificate in `openshift-config-managed`, but not working (solution 5442201 tried but not working).

Renewing the certificate in `openshift-config-managed` as per solution 6961419 [3] worked.

       

      [1] https://bugzilla.redhat.com/show_bug.cgi?id=2036870
      [2] https://access.redhat.com/solutions/5442201
      [3] https://access.redhat.com/solutions/6961419

      Attachments

        Issue Links

          is related to

          Epic - Created by Jira Software - do not edit or delete. Issue type for a big user story that needs to be broken down. API-1376 OpenShift 4.X supports an official process to shut down, restart, and resume an OpenShift cluster from a powered off state, this function should be continuously validated, supported, and guaranteed for consumers for DR and lifecycle use-cases

          • Undefined - Priority not specified.
          • New
          relates to

          Epic - Created by Jira Software - do not edit or delete. Issue type for a big user story that needs to be broken down. API-1603 Fallback (Protocol) for Emergency Certificate Rotation

          • Critical - To be worked on immediately following BLOCKER issues.
          • In Progress
          links to

          Web Link KCS 6961419: KubeScheduler not scheduling pods in RHOCP 4

          Activity

            People

              rh-ee-lseveroa Lucas Severo Alves
              oarribas@redhat.com Oscar Arribas Arribas
              Workloads Team Bot Account Workloads Team Bot Account
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated: