StarlingX

After creating the service-parameter, the policies are not getting created in kube-apiserver process

Bug #1993842 reported by Jorge Saffe
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
StarlingX
Fix Released
Medium
Jorge Saffe

Bug Description

Brief Description
------------------
After creating the service-parameter, the policies are not getting created in kube-apiserver process

Severity
---------
Major

Steps to Reproduce
-------------------
1. Create k8s service parameter admission_plugins="PodSecurityPolicy"
2. service-parameter-apply kubernetes
3. Waiting for config-out-of-date alarms to clear
4. Verify PodSecurityPolicy added to the kube-apiserver process

Expected Behavior
------------------
enable-admission-plugins set on kube-apiserver pod after run "system service-parameter-apply kubernetes"
--enable-admission-plugins=NodeRestriction,PodSecurityPolicy

Actual Behavior
---------------
enable-admission-plugins not present on kube-apiserver pod params after run "system service-parameter-apply kubernetes"

Reproducibility
-----------------
Reproducible

OpenStack Infra (hudson-openstack)
Changed in starlingx:
status: New → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to stx-puppet (master)

Reviewed: https://review.opendev.org/c/starlingx/stx-puppet/+/862408
Committed: https://opendev.org/starlingx/stx-puppet/commit/7ac49b1684810aaafc8f0fd7934c16593a38b2d3
Submitter: "Zuul (22348)"
Branch: master

commit 7ac49b1684810aaafc8f0fd7934c16593a38b2d3
Author: Jorge Saffe <email address hidden>
Date: Fri Oct 21 15:37:16 2022 -0400

    Fix legacy service-parameter names integration in k8s custom

    The K8s control plane component configuration can be updated
    via service parameters. There are some service parameter
    names used in earlier versions (legacy) that are different
    from the current valid k8s parameter names, so a translation
    must be done for compatibility reasons. For example
    service-parameter name "admission_plugins" must be
    translated to "enable-admission-plugins"

    When the user uses legacy service parameter names to set k8s
    parameters, the updating script discards them wrongly
    during the cleanup step.

    The changes introduced move the translation of parameter
    names (to the accepted k8s format) after the parameters
    are loaded from hieradata.yaml, so the rest of the script
    is abstracted from the legacy service-parameter nomenclature.

    Test Plan:
    * CENTOS and DEBIAN distro:
      - Fresh Install with AIO-SX and DX/STD.
      - Add parameter with old service-parameter nomenclature.
      - Apply changes on kubernetes service.
      - Verify cluster health and configuration.

    Closes-Bug: 1993842
    Closes-Bug: 1993748

    Signed-off-by: Jorge Saffe <email address hidden>
    Change-Id: I0f789b3b8ce1052fa6be213dc63f5945a1efeb3d

Changed in starlingx:
status: In Progress → Fix Released
Ghada Khalil (gkhalil)
tags: added: stx.8.0 stx.config stx.containers
Changed in starlingx:
importance: Undecided → Medium
assignee: nobody → Jorge Saffe (jsaffe)
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.