Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Major
Fix Version/s: 4.20.0
Affects Version/s: 4.16.z
Component/s: Monitoring
Labels:
None

Activity Type:
Quality / Stability / Reliability
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Story Points:
None
Severity:
Important
Regression:
None

Target Backport Versions:

4.18.z, 4.19.z
Target Version:

4.20.0
Release Blocker:
None
Sprint:
MON Sprint 270, MON Sprint 271, MON Sprint 272, MON Sprint 274, MON Sprint 275, MON Sprint 276, MON Sprint 277
sprint_count:
7

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

PX Impact Score:

Release Note Status:
Done
Release Note Type:
Bug Fix
Release Note Text:

Hide
Fix unnecessary API calls during secret updates::
Before this update, when a new secret was created or updated in any namespace, Alertmanager was reconciling even if that secret was not referred in the `AlertmanagerConfig` resource. As a consequence, the Prometheus Operator generated excessive API calls, causing increased CPU usage on control plane nodes. With this release, Alertmanager only reconciles secrets that the `AlertmanagerConfig` resource explicitly references.
+
link:https://issues.redhat.com/browse/OCPBUGS-56158[OCPBUGS-56158]

Show
Fix unnecessary API calls during secret updates:: Before this update, when a new secret was created or updated in any namespace, Alertmanager was reconciling even if that secret was not referred in the `AlertmanagerConfig` resource. As a consequence, the Prometheus Operator generated excessive API calls, causing increased CPU usage on control plane nodes. With this release, Alertmanager only reconciles secrets that the `AlertmanagerConfig` resource explicitly references. + link: https://issues.redhat.com/browse/OCPBUGS-56158 [ OCPBUGS-56158 ]

Escape Reason:
None
Escape Impact:
None
Corrective Measures:
None
SDLC stage when should've been found:
None

Description of problem

In the cluster audit logs, the customer is observing that over a 24h window, there are over 3.6 million GET requests for a certain Secret from "system:serviceaccount:openshift-user-workload-monitoring:prometheus-operator". This roughly translates into 500 GET requests every 30 seconds.

In parallel we can see regular "sync alertmanager" messages in the logs around every 30 seconds, but we are not sure this is related:

level=info ts=2025-05-12T12:49:21.739161413Z caller=operator.go:572 component=alertmanager-controller key=openshift-user-workload-monitoring/user-workload msg="sync alertmanager"
level=info ts=2025-05-12T12:49:25.785042318Z caller=operator.go:471 component=thanos-controller key=openshift-user-workload-monitoring/user-workload msg="sync thanos-ruler"
level=info ts=2025-05-12T12:50:04.752668355Z caller=operator.go:572 component=alertmanager-controller key=openshift-user-workload-monitoring/user-workload msg="sync alertmanager"
level=info ts=2025-05-12T12:50:49.552780038Z caller=operator.go:572 component=alertmanager-controller key=openshift-user-workload-monitoring/user-workload msg="sync alertmanager"
level=info ts=2025-05-12T12:51:23.461977084Z caller=operator.go:572 component=alertmanager-controller key=openshift-user-workload-monitoring/user-workload msg="sync alertmanager"

Describe the impact to you or the business

There is significant load placed on the Kubernetes API by the User Workload Monitoring Prometheus Operator, requiring the customer to assign more CPU than expected to the Master Nodes.

Version-Release number of selected component (if applicable)

OCP 4.16.36

How reproducible

Constant on the customer cluster

Steps to Reproduce

1. Enable User Workload Monitoring
2. Enable user-defined AlertmanagerConfig, reference a Secret in the configuration
3. Observe the API audit logs

Actual results

Observe that for each AlertmanagerConfig there are a lot of API GET request for referenced Secrets

Expected results

Only a limited amount of GET requests are made to the Kubernetes API

Additional info

Logs and inspect files are available in the attached Support Case

duplicates

OCPBUGS-27344 prometheus-operator triggering too many "updates"

Closed

is blocked by

OCPBUGS-61113 Excessive API calls by prometheus-operator ServiceAccount

Verified

links to

openshift/cluster-monitoring-operator#2652: OCPBUGS-56158: Bump prometheus-operator to v0.85.0

openshift/cluster-monitoring-operator#2657: OCPBUGS-56158: add flag `--watch-referenced-objects-in-all-namespaces` to prometheus-operator

openshift/prometheus-operator#338: OCPBUGS-56158: Bump openshift/prometheus-operator to v0.85.0

Assignee:: Jayapriya Pai

Reporter:: Simon Krenger

Need Info From:: None

Contributors:: None

QA Contact:: Junqi Zhao

Doc Contact:: Eliska Romanova

Votes:: 0 Vote for this issue

Watchers:: 10 Start watching this issue

Created:: 2025/05/14 6:39 AM

Updated:: 2025/10/08 9:58 AM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates