@stlaz stlaz commented Jun 8, 2021

In an upgrade scenario:

  1. a kube apiserver updates, any pod request that passes its admission
    is injected with SA projected volume
  2. OpenShift adds a configMap "openshift-service-ca.crt" among the
    volume sources to the projected volume
  3. Any pod that gets created now will be stuck until an updated
    version of KCM gets started
  4. If CVO pod gets deleted at this point, the whole upgrade might
    get stuck

Prevent the deadlock by manually configuring the projected volume.
This can be removed in 4.9 when even the older KCM contains the code
creating the openshift-service-ca.crt CMs.
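
A pod that configures its service account projected volume by hand, in the sense of the description above. This is an added example, not the manifest changed in this PR. The pod, namespace, container, image and volume names are hypothetical, and `kube-root-ca.crt` is assumed to already exist in the namespace.

```yaml
# Added illustration, not taken from the PR. Values marked "hypothetical" are placeholders.
apiVersion: v1
kind: Pod
metadata:
  name: example-operator                      # hypothetical
  namespace: example-namespace                # hypothetical
spec:
  serviceAccountName: default
  # Opt out of the admission-injected token volume. With automount disabled,
  # the ServiceAccount admission plugin adds no projected volume to this pod,
  # so the volume below contains only the sources listed here.
  automountServiceAccountToken: false
  containers:
  - name: operator                            # hypothetical
    image: example.invalid/operator:latest    # hypothetical
    volumeMounts:
    - name: kube-api-access                   # hypothetical volume name
      # Standard path where in-cluster clients look for token, CA and namespace.
      mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      readOnly: true
  volumes:
  - name: kube-api-access
    projected:
      defaultMode: 420
      sources:
      - serviceAccountToken:
          path: token
          expirationSeconds: 3600
      - configMap:
          name: kube-root-ca.crt              # assumed to exist already
          items:
          - key: ca.crt
            path: ca.crt
      - downwardAPI:
          items:
          - path: namespace
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
      # No source references openshift-service-ca.crt, so the pod does not wait
      # on a configMap that only the updated KCM creates.
```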

openshift-ci bot added the bugzilla/severity-high (Referenced Bugzilla bug's severity is high for the branch this PR is targeting) and bugzilla/valid-bug (Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting) labels Jun 8, 2021

openshift-ci bot commented Jun 8, 2021

@stlaz: This pull request references Bugzilla bug 1946479, which is valid. The bug has been updated to refer to the pull request using the external bug tracker.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target release (4.8.0) matches configured target release for branch (4.8.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

Requesting review from QA contact:
/cc @wangke19

In response to this:

Bug 1946479: prevent pod deployment deadlock due to custom SA projected volume injection

@wking wking left a comment

/lgtm

openshift-ci bot added the lgtm (Indicates that a PR is ready to be merged) label Jun 8, 2021

openshift-ci bot commented Jun 8, 2021

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: stlaz, wking

openshift-ci bot added the approved (Indicates a PR has been approved by an approver from all required OWNERS files) label Jun 8, 2021
openshift-bot commented

/retest

Please review the full test history for this PR and help us cut down flakes.


sdodson commented Jun 8, 2021

@stlaz Does this projection rely on features of either a 4.7 or 4.8 kubelet? Just asking in case this is something that would inhibit a 4.6 kubelet from working properly with a 4.8 cluster.


stlaz commented Jun 8, 2021

This relies solely on features from a 4.8 kube-controller-manager and kube-apiserver, kubelet is not involved.

edit: no new features in kubelet are involved

openshift-merge-robot merged commit 34efdc4 into openshift:master Jun 8, 2021

openshift-ci bot commented Jun 8, 2021

@stlaz: Some pull requests linked via external trackers have merged:

The following pull requests linked via external trackers have not merged:

These pull requests must merge or be unlinked from the Bugzilla bug in order for it to move to the next state. Once unlinked, request a bug refresh with /bugzilla refresh.

Bugzilla bug 1946479 has not been moved to the MODIFIED state.

s-urbaniak commented

xref openshift/kubernetes#714

wking added a commit to wking/cluster-version-operator that referenced this pull request Jun 14, 2021
…lume injection"

This reverts commit 9bde7bb, openshift#585.

It was a temporary workaround in 4.8 to bridge a gap between
Kube-API-server and Kube-controller-manager during 4.7 -> 4.8
updates. Once the cluster has reconciled 4.8, we will no longer need
the crutch.  And 4.8 has now forked off master, so we can revert now,
and that revert will go out in 4.9.