Loading...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Major
Fix Version/s: 4.19.0
Affects Version/s: 4.14, 4.15, 4.16
Component/s: Cloud Compute / Machine CSR Approver
Labels:

Activity Type:
Quality / Stability / Reliability
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Story Points:
None
Severity:
None
Regression:
No

Target Backport Versions:

4.17.z, 4.16.z, 4.18.z
Target Version:

4.19.0
Release Blocker:
None
Sprint:
CLOUD Sprint 263, CLOUD Sprint 264, CLOUD Sprint 262
sprint_count:
3

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Release Note Status:
Done
Release Note Type:
Bug Fix
Release Note Text:

Hide
* Previously, the certificate signing request (CSR) approver included certificates from other systems within its calculations for whether it was overwhelmed and should stop approving certificates. In larger clusters, with other subsystems using CSRs, the CSR approver counted unrelated unapproved CSRs towards its total and prevented further approvals. With this release, the CSR approver only includes CSRs that it can approve, by using the `signerName` property as a filter. As a result, the CSR approver only prevents new approvals when there are a large number of unapproved CSRs for the relevant `signerName` values. (link:https://issues.redhat.com/browse/OCPBUGS-36404[~~OCPBUGS-36404~~])

Show
* Previously, the certificate signing request (CSR) approver included certificates from other systems within its calculations for whether it was overwhelmed and should stop approving certificates. In larger clusters, with other subsystems using CSRs, the CSR approver counted unrelated unapproved CSRs towards its total and prevented further approvals. With this release, the CSR approver only includes CSRs that it can approve, by using the `signerName` property as a filter. As a result, the CSR approver only prevents new approvals when there are a large number of unapproved CSRs for the relevant `signerName` values. (link: https://issues.redhat.com/browse/OCPBUGS-36404 [ OCPBUGS-36404 ])

Escape Reason:
None
Escape Impact:
None
Corrective Measures:
None
SDLC stage when should've been found:
None

Description of problem:
machine-approver logs

E0221 20:29:52.377443       1 controller.go:182] csr-dm7zr: Pending CSRs: 1871; Max pending allowed: 604. Difference between pending CSRs and machines > 100. Ignoring all CSRs as too many recent pending CSRs seen

oc get csr |wc -l
3818
oc get csr |grep "node-bootstrapper" |wc -l
2152

By approving the pending CSR manually I can get the cluster to scaleup.

We can increase the maxPending to a higher number https://github.com/openshift/cluster-machine-approver/blob/2d68698410d7e6239dafa6749cc454272508db19/pkg/controller/controller.go#L330

blocks

OCPBUGS-41551 Nodes to Node and subsequently pod to pod communication are repeatedly degrading despite multiple OVN DB rebuilds to fix the issue

Closed

OCPBUGS-46425 Too many pending CSRs lead to scaleup failures when scaling to 500 nodes

Closed

is cloned by

OCPBUGS-46425 Too many pending CSRs lead to scaleup failures when scaling to 500 nodes

Closed

links to

openshift/cluster-machine-approver#243: OCPBUGS-36404: Filter CSRs by signerName

RHEA-2024:11038 OpenShift Container Platform 4.19.z bug fix update

Assignee:: Radek Manak

Reporter:: Mohit Jitendra Sheth

Need Info From:: None

Contributors:: None

QA Contact:: Zhaohua Sun

Doc Contact:: None

Votes:: 1 Vote for this issue

Watchers:: 17 Start watching this issue

Created:: 2024/07/01 8:37 PM

Updated:: 2025/07/22 11:29 AM

Resolved:: 2025/06/17 4:58 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates

Hide