  1. OpenShift Bugs
  2. OCPBUGS-36833

4.16 "Bad" reconciliation loops can cause unbounded dockercfg secret creation


    • Critical
      Description of problem:

      In 4.16, OCP starts to place an annotation on service accounts when it creates a dockercfg secret. Some operators/reconciliation loops (incorrectly) will then try to set the annotation on the SA back to exactly what they wanted. OCP will annotate again and create a new secret. The operator sets it back without the annotation. Rinse, repeat.
      
      Eventually etcd will get completely overloaded with secrets, will start to OOM, and the entire cluster will come down.

       

      There is a belief that at least otel, tempo, acm, odf/ocs, strimzi, elasticsearch and possibly other operators reconciled the annotations on the SA by setting them back exactly how they wanted them set.

       

      These seem to be related (but not complete):

      https://issues.redhat.com/browse/LOG-5776

      https://issues.redhat.com/browse/ENTMQST-6129

      https://issues.redhat.com/browse/TRACING-4435

      https://issues.redhat.com/browse/ACM-10987

              lusanche@redhat.com Luis Sanchez
              eparis@redhat.com Eric Paris
              Rahul Gangwar Rahul Gangwar

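The loop described in this report, modelled as an added example (not code from the issue, from OpenShift, or from any of the operators named): a reconciler that overwrites the service account's annotations triggers a new secret every round, while one that merges only its own keys settles at a single secret. The annotation keys, the `ServiceAccount` type and all function names are placeholders assumed for illustration.

```go
package main

import "fmt"

// Placeholder key (assumption): the report does not name the annotation.
const platformKey = "example.invalid/dockercfg-secret-ref"

// ServiceAccount is a simplified stand-in for the real API object.
type ServiceAccount struct{ Annotations map[string]string }

// platformSync models the platform side: no annotation means a new secret.
func platformSync(sa *ServiceAccount, secrets *int) {
	if _, ok := sa.Annotations[platformKey]; ok {
		return
	}
	*secrets++
	sa.Annotations[platformKey] = fmt.Sprintf("dockercfg-%d", *secrets)
}

// overwriteReconcile is the faulty pattern: it replaces the whole map, so
// the platform's annotation is dropped on every pass.
func overwriteReconcile(sa *ServiceAccount, desired map[string]string) {
	sa.Annotations = map[string]string{}
	for k, v := range desired {
		sa.Annotations[k] = v
	}
}

// mergeReconcile sets only the keys the operator owns and leaves the rest.
func mergeReconcile(sa *ServiceAccount, desired map[string]string) {
	for k, v := range desired {
		sa.Annotations[k] = v
	}
}

// Simulate alternates platform sync and operator reconcile for the given
// number of rounds and returns how many secrets were created.
func Simulate(rounds int, reconcile func(*ServiceAccount, map[string]string)) int {
	sa := &ServiceAccount{Annotations: map[string]string{}}
	desired := map[string]string{"example.invalid/owner": "demo-operator"}
	secrets := 0
	for i := 0; i < rounds; i++ {
		platformSync(sa, &secrets)
		reconcile(sa, desired)
	}
	return secrets
}

func main() {
	fmt.Println("overwrite:", Simulate(100, overwriteReconcile), "merge:", Simulate(100, mergeReconcile))
}
```

With the overwrite reconciler the secret count grows linearly with the number of reconcile rounds, which is the unbounded growth the report ties to etcd overload.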