Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-31067

The CSRs are not auto-approved on 4.16.0-ec.4

    XMLWordPrintable

Details

    • Moderate
    • No
    • Approved
    • False
    • Hide

      None

      Show
      None
    • N/A - fixed in same version as introduced issue
    • Release Note Not Required
    • In Progress

    Description

      Description of problem:

      After build02 is upgraded to 4.16.0-ec.4 from 4.16.0-ec.3, the CSRs are not auto-approved. As a result, provisioned machines cannot become nodes of the cluster.

      Version-Release number of selected component (if applicable):

      oc --context build02 get clusterversion version
NAME      VERSION       AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.16.0-ec.4   True        False         4h28m

      How reproducible:

      Steps to Reproduce:

          1.
    2.
    3.

      Actual results:

      Expected results:

      Additional info:

      mimccune@redhat.com feels the group "system:serviceaccounts" was missing in the CSR.
      https://redhat-internal.slack.com/archives/CBZHF4DHC/p1710875084740869?thread_ts=1710861842.471739&cid=CBZHF4DHC

      An inspection of the namespace openshift-cluster-machine-approver:
      https://redhat-internal.slack.com/archives/CBZHF4DHC/p1710863462860809?thread_ts=1710861842.471739&cid=CBZHF4DHC

       

      A workaround to approve the CSRs manually on b02:

      https://github.com/openshift/release/pull/50016

       

      Attachments

        Issue Links

          is blocked by

          Spike - Represents a research-related task. MCO-1091 Impact The CRSs are not auto-approved on 4.16.0-ec.4

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed
          relates to

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-8349 Bootstrap kubelet client cert should include system:serviceaccounts group

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed
          links to

          GitHub openshift/machine-config-operator#4276: OCPBUGS-31067: server: still serve kubeconfig with node-bootstrapper-token

          Web Link RHEA-2024:0041 OpenShift Container Platform 4.16.z bug fix update

          Activity

            People

              jerzhang@redhat.com Yu Qi Zhang
              hongkliu Hongkai Liu
              Sergio Regidor de la Rosa Sergio Regidor de la Rosa
              Charles Doern
              Votes:
              0 Vote for this issue
              Watchers:
              13 Start watching this issue

              Dates

                Created:
                Updated: