Description of problem:
We've noticed that resources being generated by OLM are now violating naming conventions defined in https://kubernetes.io/docs/concepts/overview/working-with-objects/names/
Bottom line is that hashes are being used with upper case characters which is not allowed. I am a bit surprised the cluster does not prevent you from using names that are not valid, and I have concerns that doing so could have unintended side effects.
Example of names from cluster roles that are clearly being generated by the change referenced in this issue:
olm.og.common-service.admin-c4tMDipMg7VaWMIuw6210fW76wyxC1CnGdHJOf
olm.og.common-service.edit-2Rds5IsWBYmBFNVF26PaaJvCM2F0×UG2Qtp
olm.og.common-service.view-7jUx6xyJtJs3vlfscu3DBtSEmwFdwh4wthM3wl
olm.og.db2u-operator-group.admin-aEg2rpS7Q20027md7CzLYevkxABRGcJuXc1YVA
olm.og.db2u-operator-group.edit-40KnDUYfqnylp8p7Nig9igCYl4Dt96Guhkmb9E
olm.og.db2u-operator-group.view-3JbwbeQjUu@SvDmkYtkLQ4X1MXFTn7UGrX75kn
olm.og.global-operators.admin-3gjDVezhGPF6RBt00pjEpDpKq039v3NK8r4hmc
olm.og.global-operators.edit-aFTmGKi9ZRUPJ2Dsphpd4NvovRSYjV3grbNdzM
olm.og.global-operators.view-blsDheftOYMzHYeJbysGRVymD2Yx8MmrS7Y10E
olm.og.ibm-cert-manager-operator.admin-9a9F9cREzNgaqv1SKvnYWgJQbK80ufJBdbtF
olm.og.ibm-cert-manager-operator.edit-6bCr3hF8qlMsZYoax5cSo8VMsJOfST4NMEuuoZ
olm.og.ibm-cert-manager-operator.view-2jLhuaz4YnQGdIoovmcTW3RYOtTE7xJ159JG
olm.og.ibm-licensing-operator-app.admin-cJX0800bbyRDX61iafi7hKhe5bMHLNyZXADwpO
olm.og.ibm-licensing-operator-app.edit-8EnaPEfZPWRAIHZTaMHRE9TmMpM6tBmiKoxMe1
olm.og.ibm-licensing-operator-app.view-6SOy5VgsdKttNckE1JjB0aj3ndoMROGtraB0EG
olm.og.olm-operators.admin-cJW3IC0Z90sn3oPCTb13AVfBqppCRcP8pbQVFI
olm.og.olm-operators.edit-bWJnBj37eRvbI1svBxms0t0mdsKB26cTBQYrx
olm.og.olm-operators.view-8emcFsHayyHMQwkcnb90TLvkbpORUOKtlNrGsV
olm.og.openshift-cluster-monitoring.admin-2SOrzhaSHllEqB6Becsc9Z2BniBuXZxdBrPmIq
olm.og.openshift-cluster-monitoring.edit-brB9auo7mhdQtycRdrSZm5X1KKbUjCe698FPlD
olm.og.openshift-cluster-monitoring.view-9QCGFNcofBHQ2DeWEf2qFa4NWqT0GskUed04Tz
Example of Install Plans (under status.resolving):
- resolving: db2u-operator.v110509.0.1
  resource:
    group: rbac.authorization.k8s.io
    kind: ClusterRole
    manifest: '{"kind":"ConfigMap","name":"b590c08640a5fc782f7e8d910d64bac7712a8213e13f3e7cfd7e17d5f12a750","namespace":"openshift-marketplace","catalogSourceName":"ibm-db2uoperator-catalog","catalogSourceNamespace":"openshift-marketplace","replaces":"","properties":"{\"properties\":[{\"type\":\"olm.gvk\",\"value\":{\"group\":\"db2u.databases.ibm.com\",\"kind\":\"Db2uCluster\",\"version\":\"v1\"}},{\"type\":\"olm.gvk\",\"value\":{\"group\":\"db2u.databases.ibm.com\",\"kind\":\"Db2uHadr\",\"version\":\"v1alpha1\"}},{\"type\":\"olm.gvk\",\"value\":{\"group\":\"db2u.databases.ibm.com\",\"kind\":\"FormationLock\",\"version\":\"v1\"}},{\"type\":\"olm.gvk\",\"value\":{\"group\":\"db2u.databases.ibm.com\",\"kind\":\"BigSQL\",\"version\":\"v1alpha1\"}},{\"type\":\"olm.gvk\",\"value\":{\"group\":\"db2u.databases.ibm.com\",\"kind\":\"Db2uEngine\",\"version\":\"v1alpha1\"}},{\"type\":\"olm.gvk\",\"value\":{\"group\":\"db2u.databases.ibm.com\",\"kind\":\"Db2uInstance\",\"version\":\"v1\"}},{\"type\":\"olm.gvk\",\"value\":{\"group\":\"db2u.databases.ibm.com\",\"kind\":\"Formation\",\"version\":\"v1\"}},{\"type\":\"olm.gvk\",\"value\":{\"group\":\"db2ubnr.databases.ibm.com\",\"kind\":\"Db2uBackup\",\"version\":\"v1alpha1\"}},{\"type\":\"olm.gvk\",\"value\":{\"group\":\"db2ubnr.databases.ibm.com\",\"kind\":\"Db2uRestore\",\"version\":\"v1alpha1\"}},{\"type\":\"olm.gvk\",\"value\":{\"group\":\"db2ulog.databases.ibm.com\",\"kind\":\"Db2uLogStream\",\"version\":\"v1alpha1\"}},{\"type\":\"olm.package\",\"value\":{\"packageName\":\"db2u-operator\",\"version\":\"110509.0.1\"}}]}"}'
    name: db2u-operator.v110509.0.1-4OWhAwUkBF9gcAjG5kKrcLOvYaFum6JuaJ5WZ9
    sourceName: ibm-db2uoperator-catalog
    sourceNamespace: openshift-marketplace
    version: v1
  status: Present
- resolving: db2u-operator.v110509.0.1
  resource:
    group: rbac.authorization.k8s.io
    kind: ClusterRoleBinding
    manifest: '{"kind":"ConfigMap","name":"b590c08640a5fc782f7e8d910d64bac7712a8213e13f3e7cfd7e17d5f12a750","namespace":"openshift-marketplace","catalogSourceName":"ibm-db2uoperator-catalog","catalogSourceNamespace":"openshift-marketplace","replaces":"","properties":"{\"properties\":[{\"type\":\"olm.gvk\",\"value\":{\"group\":\"db2u.databases.ibm.com\",\"kind\":\"Db2uCluster\",\"version\":\"v1\"}},{\"type\":\"olm.gvk\",\"value\":{\"group\":\"db2u.databases.ibm.com\",\"kind\":\"Db2uHadr\",\"version\":\"v1alpha1\"}},{\"type\":\"olm.gvk\",\"value\":{\"group\":\"db2u.databases.ibm.com\",\"kind\":\"FormationLock\",\"version\":\"v1\"}},{\"type\":\"olm.gvk\",\"value\":{\"group\":\"db2u.databases.ibm.com\",\"kind\":\"BigSQL\",\"version\":\"v1alpha1\"}},{\"type\":\"olm.gvk\",\"value\":{\"group\":\"db2u.databases.ibm.com\",\"kind\":\"Db2uEngine\",\"version\":\"v1alpha1\"}},{\"type\":\"olm.gvk\",\"value\":{\"group\":\"db2u.databases.ibm.com\",\"kind\":\"Db2uInstance\",\"version\":\"v1\"}},{\"type\":\"olm.gvk\",\"value\":{\"group\":\"db2u.databases.ibm.com\",\"kind\":\"Formation\",\"version\":\"v1\"}},{\"type\":\"olm.gvk\",\"value\":{\"group\":\"db2ubnr.databases.ibm.com\",\"kind\":\"Db2uBackup\",\"version\":\"v1alpha1\"}},{\"type\":\"olm.gvk\",\"value\":{\"group\":\"db2ubnr.databases.ibm.com\",\"kind\":\"Db2uRestore\",\"version\":\"v1alpha1\"}},{\"type\":\"olm.gvk\",\"value\":{\"group\":\"db2ulog.databases.ibm.com\",\"kind\":\"Db2uLogStream\",\"version\":\"v1alpha1\"}},{\"type\":\"olm.package\",\"value\":{\"packageName\":\"db2u-operator\",\"version\":\"110509.0.1\"}}]}"}'
    name: db2u-operator.v110509.0.1-4OWhAwUkBF9gcAjG5kKrcLOvYaFum6JuaJ5WZ9
    sourceName: ibm-db2uoperator-catalog
    sourceNamespace: openshift-marketplace
    version: v1
  status: Present
Example of a ClusterRole (shortened for brevity)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: "2024-04-24T22:26:15Z"
  labels:
    olm.managed: "true"
    olm.owner: db2u-operator.v110509.0.1
    olm.owner.kind: ClusterServiceVersion
    olm.owner.namespace: zypmfel-dyn-0
    olm.permissions.hash: 5Fhdh03JT0ncgVELjkqGCsWy3L2qS2fUyVF0ZW
    operators.coreos.com/db2u-operator.zypmfel-dyn-0: ""
  name: db2u-operator.v110509.0.1-4OWhAwUkBF9gcAjG5kKrcLOvYaFum6JuaJ5WZ9
  resourceVersion: "4253670"
  uid: 14e82614-c40b-455f-94b1-cf29e3fe073d
In the ClusterRole example above, I don't believe our operators create these as far as I am aware. The RBAC section of the operator groups docs indicates what labels are applied by OLM:
- For CSV in the global OperatorGroup:
  - A ClusterRole and corresponding ClusterRoleBinding are generated for each permission defined in the CSV's permissions field. All resources generated are given the olm.owner: <csv-name> and olm.owner.namespace: <csv-namespace> labels
- Else for each target namespace:
  - All Roles and RoleBindings in the operator namespace with the olm.owner: <csv-name> and olm.owner.namespace: <csv-namespace> labels are copied into the target namespace.
I've crawled through the OLM code, and I believe the Role, ClusterRole, RoleBinding and ClusterRoleBinding are generated from the manifests inside the InstallPlan. I think the name gets generated in this code. If I had to guess, GetGenerateName is being called, and according to the docs, this can have a unique suffix:
type ObjectMeta struct {
	// Name must be unique within a namespace. Is required when creating resources, although
	// some resources may allow a client to request the generation of an appropriate name
	// automatically. Name is primarily intended for creation idempotence and configuration
	// definition.
	// Cannot be updated.
	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names
	// +optional
	Name string `json:"name,omitempty" protobuf:"bytes,1,opt,name=name"`

	// GenerateName is an optional prefix, used by the server, to generate a unique
	// name ONLY IF the Name field has not been provided.
	// If this field is used, the name returned to the client will be different
	// than the name passed. This value will also be combined with a unique suffix.
	// The provided value has the same validation rules as the Name field,
	// and may be truncated by the length of the suffix required to make the value
	// unique on the server.
	//
	// If this field is specified and the generated name exists, the server will return a 409.
	//
	// Applied only if Name is not specified.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency
	// +optional
	GenerateName string `json:"generateName,omitempty" protobuf:"bytes,2,opt,name=generateName"`

	// ... (remaining fields not quoted here)
}
4.15
How reproducible: Always
Steps to Reproduce:
1. Install an OLM operator
2. Check the InstallPlan status.plan[].name and OLM generated artifacts for the object names (i.e. metadata.name)
Actual results:
See description
Expected results:
Kube object names should be valid according to https://kubernetes.io/docs/concepts/overview/working-with-objects/names/
Additional info:
Related to https://issues.redhat.com/browse/OCPBUGS-14698
- relates to: OCPBUGS-14698 Creating an OperatorGroup with "name: cluster" breaks the whole cluster (Closed)
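
As an added example (not part of the original report, and not OLM or Kubernetes code), the Go program below checks names from this report against two rules described on the Kubernetes names page: the DNS subdomain rule and the looser path-segment rule. Kubernetes validates RBAC object names (Role, ClusterRole and their bindings) with the path-segment rule, which is why the API server accepts the mixed-case names shown above. The function names and the lowercased sample name are assumptions made for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// DNS subdomain rule (RFC 1123) from the Kubernetes names documentation:
// at most 253 characters; lowercase alphanumerics, '-' or '.';
// each label starts and ends with an alphanumeric character.
var dns1123Subdomain = regexp.MustCompile(
	`^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$`)

// IsDNS1123Subdomain reports whether name satisfies the DNS subdomain rule.
func IsDNS1123Subdomain(name string) bool {
	return len(name) <= 253 && dns1123Subdomain.MatchString(name)
}

// IsPathSegmentName reports whether name satisfies the path-segment rule:
// it may not be "." or ".." and may not contain '/' or '%'.
func IsPathSegmentName(name string) bool {
	return name != "." && name != ".." && !strings.ContainsAny(name, "/%")
}

// FirstInvalidRune returns the byte index and value of the first character
// outside the DNS subdomain alphabet, or (-1, 0) if every character is allowed.
func FirstInvalidRune(name string) (int, rune) {
	for i, r := range name {
		if !(r >= 'a' && r <= 'z') && !(r >= '0' && r <= '9') && r != '-' && r != '.' {
			return i, r
		}
	}
	return -1, 0
}

func main() {
	names := []string{
		"olm.og.common-service.admin-c4tMDipMg7VaWMIuw6210fW76wyxC1CnGdHJOf", // from the report
		"db2u-operator.v110509.0.1-4OWhAwUkBF9gcAjG5kKrcLOvYaFum6JuaJ5WZ9",   // from the report
		"db2u-operator.v110509.0.1-4owhawukbf9gcajg5kkrclovyafum6juaj5wz9",   // constructed: lowercased for contrast
	}
	for _, n := range names {
		i, r := FirstInvalidRune(n)
		fmt.Printf("%s\n  dnsSubdomain=%v pathSegment=%v firstInvalid=%d %q\n",
			n, IsDNS1123Subdomain(n), IsPathSegmentName(n), i, r)
	}
}
```

Resource kinds that apply the DNS subdomain or DNS label rule reject such names at admission, so a controller that reuses a generated suffix across kinds should be tested against the strictest rule it will meet.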