OpenShift Bugs / OCPBUGS-36862

4.16 "Bad" reconciliation loops can cause unbounded dockercfg secret creation


    • Critical
    • Yes
    • Proposed
    • False
      * Previously, if the `openshift.io/internal-registry-pull-secret-ref` annotation was removed from a `ServiceAccount`, {product-title} recreated the deleted annotation and created a new managed image pull `Secret`. This contention could cause the cluster to get overloaded with image pull `Secrets`. With this release, {product-title} attempts to reclaim managed image pull `Secrets` that were previously referenced and deletes managed image pull `Secrets` that remain orphaned after reconciliation. (link:https://issues.redhat.com/browse/OCPBUGS-36862[*OCPBUGS-36862*])
      ------------------------------------------------------

      Previously, if the `openshift.io/internal-registry-pull-secret-ref` annotation was removed from a `ServiceAccount`, usually by a misbehaving operator or reconciliation loop, OpenShift Container Platform would recreate the deleted annotation and create a new managed image pull `Secret`. This contention could cause the cluster to get overloaded with image pull `Secrets`. With this release, OpenShift Container Platform attempts to reclaim managed image pull `Secrets` previously referenced by the annotation when attempting to re-create the annotation after it has been deleted. Additionally, managed image pull `Secrets` that remain orphaned after reconciliation will be deleted.
    • Bug Fix
    • In Progress

      This is a clone of issue OCPBUGS-36833. The following is the description of the original issue:

      Description of problem:

      In 4.16, OCP starts to place an annotation on service accounts when it creates a dockercfg secret. Some operators/reconciliation loops (incorrectly) will then try to set the annotations on the SA back to exactly what they wanted. OCP will annotate again and create a new secret. Operators set it back without the annotation. Rinse, repeat.

      Eventually etcd will get completely overloaded with secrets, will start to OOM, and the entire cluster will come down.


      There is belief that at least otel, tempo, acm, odf/ocs, strimzi, elasticsearch and possibly other operators reconciled the annotations on the SA by setting them back exactly how they wanted them set.


      These seem to be related (but not complete):

      https://issues.redhat.com/browse/LOG-5776

      https://issues.redhat.com/browse/ENTMQST-6129

      https://issues.redhat.com/browse/TRACING-4435

      https://issues.redhat.com/browse/ACM-10987
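The fight described in the report, modelled as an added Go example (this is not OpenShift's controller code): a buggy platform reconciler that mints a new dockercfg secret whenever the `openshift.io/internal-registry-pull-secret-ref` annotation is missing, beside a fixed one that first reclaims a managed secret it already created and deletes the orphans, both run against an operator that overwrites the ServiceAccount's annotations with exactly the set it wants. The stand-in types, the use of the standard `kubernetes.io/service-account.name` annotation as the ownership link, the secret naming and the `example.com/managed-by` annotation are assumptions of the model, not details taken from the page.

```go
package main

import (
	"fmt"
	"sort"
)

const (
	// Annotation named in the bug report.
	pullSecretRefAnno = "openshift.io/internal-registry-pull-secret-ref"
	// Standard Kubernetes annotation linking a secret to its ServiceAccount;
	// used here as the ownership link (an assumption of this model).
	saNameAnno = "kubernetes.io/service-account.name"
)

// Minimal stand-ins for the Kubernetes objects: only annotations matter here.
type Secret struct {
	Name        string
	Annotations map[string]string
}

type ServiceAccount struct {
	Name        string
	Annotations map[string]string
}

// Cluster is the shared state the two reconcilers contend over.
type Cluster struct {
	SA      *ServiceAccount
	Secrets map[string]*Secret // keyed by secret name
	counter int
}

func NewCluster(saName string) *Cluster {
	return &Cluster{
		SA:      &ServiceAccount{Name: saName, Annotations: map[string]string{}},
		Secrets: map[string]*Secret{},
	}
}

// newDockercfgSecret mints a fresh managed pull secret owned by the SA.
func (c *Cluster) newDockercfgSecret() *Secret {
	c.counter++
	s := &Secret{
		Name:        fmt.Sprintf("%s-dockercfg-%05d", c.SA.Name, c.counter),
		Annotations: map[string]string{saNameAnno: c.SA.Name},
	}
	c.Secrets[s.Name] = s
	return s
}

// managedSecretsFor returns, in name order, the secrets that claim the SA as owner.
func (c *Cluster) managedSecretsFor(sa string) []*Secret {
	var out []*Secret
	for _, s := range c.Secrets {
		if s.Annotations[saNameAnno] == sa {
			out = append(out, s)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Name < out[j].Name })
	return out
}

// platformReconcileBuggy models the 4.16 behaviour from the report: when the
// annotation is missing it creates a new secret without looking for the ones
// it already created, so every round of the fight leaks one more secret.
func platformReconcileBuggy(c *Cluster) {
	if _, ok := c.SA.Annotations[pullSecretRefAnno]; ok {
		return
	}
	c.SA.Annotations[pullSecretRefAnno] = c.newDockercfgSecret().Name
}

// platformReconcileFixed models the release-note behaviour: reclaim an existing
// managed secret before creating one, and delete managed secrets left orphaned.
func platformReconcileFixed(c *Cluster) {
	if ref, ok := c.SA.Annotations[pullSecretRefAnno]; ok {
		if _, exists := c.Secrets[ref]; exists {
			pruneOrphans(c, ref)
			return
		}
	}
	keep := (*Secret)(nil)
	if existing := c.managedSecretsFor(c.SA.Name); len(existing) > 0 {
		keep = existing[0] // reclaim rather than mint
	} else {
		keep = c.newDockercfgSecret()
	}
	c.SA.Annotations[pullSecretRefAnno] = keep.Name
	pruneOrphans(c, keep.Name)
}

// pruneOrphans deletes every managed secret for the SA other than the referenced one.
func pruneOrphans(c *Cluster, keep string) {
	for _, s := range c.managedSecretsFor(c.SA.Name) {
		if s.Name != keep {
			delete(c.Secrets, s.Name)
		}
	}
}

// operatorReconcile models a misbehaving operator that replaces the SA's
// annotations wholesale, dropping the platform's annotation each time.
func operatorReconcile(c *Cluster, desired map[string]string) {
	c.SA.Annotations = map[string]string{}
	for k, v := range desired {
		c.SA.Annotations[k] = v
	}
}

// Fight alternates the two reconcilers for the given number of rounds and
// returns how many dockercfg secrets exist afterwards.
func Fight(platform func(*Cluster), rounds int) int {
	c := NewCluster("my-operator-sa")
	desired := map[string]string{"example.com/managed-by": "my-operator"}
	for i := 0; i < rounds; i++ {
		platform(c)
		operatorReconcile(c, desired)
	}
	platform(c)
	return len(c.Secrets)
}

func main() {
	fmt.Println("buggy reconciler, 100 rounds:", Fight(platformReconcileBuggy, 100))
	fmt.Println("fixed reconciler, 100 rounds:", Fight(platformReconcileFixed, 100))
}
```

With the buggy reconciler the secret count grows by one per round, which is the unbounded growth that eventually drives etcd out of memory; the fixed reconciler settles at a single secret regardless of how often the operator strips the annotation. The operator side is still wrong (it should merge, not replace, annotations it does not own), and the count of `kubernetes.io/dockercfg` secrets per ServiceAccount is the signal to watch on a 4.16 cluster.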

              rh-ee-sabiswas Sayan Biswas
              openshift-crt-jira-prow OpenShift Prow Bot
              Ke Wang
              Votes: 0
              Watchers: 10