Description of problem:
In OCP 4.17, kube-apiserver no longer gets a valid cloud config. Therefore the PersistentVolumeLabel admission plugin reject in-tree GCE PD PVs that do not have correct topology with `persistentvolumes \"gce-\" is forbidden: error querying GCE PD volume e2e-4d8656c6-d1d4-4245-9527-33e5ed18dd31: disk is not found`
In 4.16, kube-apiserver will not get a valid cloud config after it updates library-go with this PR.
How reproducible:
always
Steps to Reproduce:
1. Run e2e test "Multi-AZ Cluster Volumes should schedule pods in the same zones as statically provisioned PVs"
- blocks
-
OCPBUGS-34545 [release-4.16] PersistentVolumeLabel admission plugin does not work
-
- POST
-
- is cloned by
-
-
- POST
-
- links to
-
RHEA-2024:3718
OpenShift Container Platform 4.17.z bug fix update
[OCPBUGS-34544] PersistentVolumeLabel admission plugin does not work
Summarizing 1 Failure:
[FAIL] [sig-storage] Multi-AZ Cluster Volumes [It] should schedule pods in the same zones as statically provisioned PVs [Disabled:Broken] [Disabled:Unsupported] [Suite:k8s] [sig-storage]
k8s.io/kubernetes@v1.30.1/test/e2e/storage/ubernetes_lite_volumes.go:147
Ran 1 of 1 Specs in 422.756 seconds
FAIL! -- 0 Passed | 1 Failed | 0 Pending | 0 Skipped
fail [k8s.io/kubernetes@v1.30.1/test/e2e/storage/ubernetes_lite_volumes.go:147]: Timed out after 300.049s.
Expected Pod to be in <v1.PodPhase>: "Running"
OpenShift Jira Bot
added a comment - Bugs should not be moved to Verified without first providing a Release Note Type("Bug Fix" or "No Doc Update") and for type "Bug Fix" the Release Note Text must also be provided. Please populate the necessary fields before moving the Bug to Verified.
OpenShift Jira Bot
added a comment - Hi rhn-engineering-jsafrane ,
Bugs should not be moved to Verified without first providing a Release Note Type("Bug Fix" or "No Doc Update") and for type "Bug Fix" the Release Note Text must also be provided. Please populate the necessary fields before moving the Bug to Verified. 
Jan Safranek
added a comment - The admission plugin needs to be removed from list of admissions that are on by default in openshift/kubernetes.
https://github.com/openshift/kubernetes/pull/1991
Jan Safranek
added a comment - The admission plugin needs to be removed from list of admissions that are on by default in openshift/kubernetes.
https://github.com/openshift/kubernetes/pull/1991
We need to:
- Disable the admission plugin in
- kube-apiserver-operator
- hypershift
- Skip all tests that need the admission, i.e. anything that creates in-tree PVs that may need topology. 4.17 already has this chunk. We should at least rephrase the comment to indicate it's because of the admission plugin.
- Make sure we have a huge release note. If they're creating PVs manually, they must ensure they have correct nodeAffinity. It's not editable after PV creation. They can still add / update topology labels to PV even after creation.
Jan Safranek
added a comment - - edited We need to:
Disable the admission plugin in
kube-apiserver-operator
hypershift
Skip all tests that need the admission, i.e. anything that creates in-tree PVs that may need topology. 4.17 already has this chunk . We should at least rephrase the comment to indicate it's because of the admission plugin.
Make sure we have a huge release note. If they're creating PVs manually, they must ensure they have correct nodeAffinity. It's not editable after PV creation. They can still add / update topology labels to PV even after creation.
Since the problem described in this issue should be resolved in a recent advisory, it has been closed.
For information on the advisory (Moderate: OpenShift Container Platform 4.17.0 bug fix and security update), and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHSA-2024:3718