[RELEASE-1.25][SRVCOM-1857] Upgrade unavailable/deprecated K8s APIs

[skonto]

Proposed Changes

• Similar to Add DowngradePodDisruptionBudget to modify API version of PodDisruptionBudget #1571 but extending it more and no need to modify existing manifests (just an alternative).

• If we are on 1.24+ (we want to avoid warnings on 4.11 too):

  a) upgrade: PodDisruptionBudget and HPA (the real problem for the latter will be on 1.26 but let's update anyway to avoid warnings)

  b) in Eventing tests use the latest CronJob

• This will allow 1.25 to install on 4.12 and then users can upgrade to 1.26 to move further to 4.13 (1.26). In 1.26 we will need to fix HPA also at the Serving branches 1.5+, otherwise autoscaler-hpa will fail too.

• Without this when we run on 1.25 (4.12) we will get the following (tested upstream operator on minikube since we don't have yet OCP 4.12 with K8s 1.25, see discussion):

$ kubectl get pods -n knative-eventing
NAME                                  READY   STATUS    RESTARTS   AGE
eventing-controller-596fbfcd7-hcsgp   1/1     Running   0          13m

$ kubectl get KnativeEventing knative-eventing -n knative-eventing -oyaml
apiVersion: operator.knative.dev/v1beta1
kind: KnativeEventing
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"operator.knative.dev/v1beta1","kind":"KnativeEventing","metadata":{"annotations":{},"name":"knative-eventing","namespace":"knative-eventing"}}
  creationTimestamp: "2022-09-17T21:46:05Z"
  finalizers:
  - knativeeventings.operator.knative.dev
  generation: 1
  name: knative-eventing
  namespace: knative-eventing
  resourceVersion: "1597"
  uid: f27a2183-3dcd-456e-82eb-0438d7acb028
status:
  conditions:
  - lastTransitionTime: "2022-09-17T21:46:05Z"
    status: Unknown
    type: DependenciesInstalled
  - lastTransitionTime: "2022-09-17T21:46:05Z"
    status: Unknown
    type: DeploymentsAvailable
  - lastTransitionTime: "2022-09-17T21:46:22Z"
    message: 'Install failed with message: no matches for kind "PodDisruptionBudget"
      in version "policy/v1beta1"'
    reason: Error
    status: "False"
    type: InstallSucceeded
  - lastTransitionTime: "2022-09-17T21:46:22Z"
    message: 'Install failed with message: no matches for kind "PodDisruptionBudget"
      in version "policy/v1beta1"'
    reason: Error
    status: "False"
    type: Ready
  - lastTransitionTime: "2022-09-17T21:46:05Z"
    status: "True"
    type: VersionMigrationEligible
  observedGeneration: 1

$ oc logs knative-operator-5db994494f-kbk6r | grep error
...
  {"severity":"ERROR","timestamp":"2022-09-17T21:49:18.03001213Z","logger":"knative-operator","caller":"controller/controller.go:566","message":"Reconcile error","knative.dev/pod":"knative-operator-5db994494f-kbk6r","knative.dev/controller":"knative.dev.operator.pkg.reconciler.knativeeventing.Reconciler","knative.dev/kind":"operator.knative.dev.KnativeEventing","knative.dev/traceid":"cf787e6f-0b08-4149-8da4-7157008a5f5e","knative.dev/key":"knative-eventing/knative-eventing","duration":"8.937510645s","error":"failed to apply non rbac manifest: no matches for kind \"PodDisruptionBudget\" in version \"policy/v1beta1\"","stacktrace":"knative.dev/pkg/controller.(*Impl).handleErr\n\tknative.dev/pkg@v0.0.0-20220601013938-bac16f2394ce/controller/controller.go:566\nknative.dev/pkg/controller.(*Impl).processNextWorkItem\n\tknative.dev/pkg@v0.0.0-20220601013938-bac16f2394ce/controller/controller.go:543\nknative.dev/pkg/controller.(*Impl).RunContext.func3\n\tknative.dev/pkg@v0.0.0-20220601013938-bac16f2394ce/controller/controller.go:491"}

• Will cherry-pick for main
• Fix podsecuritypolicy issue, set appropriate sec context based on https://connect.redhat.com/en/blog/important-openshift-changes-pod-security-standards. To test this follow instructions here: https://gist.github.com/skonto/5c9a3dea15251da263d6ecd5e1f508b6.
  We don't cover:
  "jaeger"
  "opentelemetry-operator-controller-manager"
  "strimzi-cluster-operator"
• When istio mesh is used the right context is inject for the istio side car via OCP, check for example.

[matzew]

the requirement is a little hard to understand.
Can we perhaps link to its definition?

[skonto]

Yeah will do it is a relic of the past.

[skonto]

This is required due to double vendoring for controller runtime and go client.

[skonto]

Using all will not work. Warnings still appear. Need capital letters for capabilities.

[skonto]

Afaik this is available since 1.19 so we should not have issues on previous versions.

[skonto]

Unfortunately on 4.6 you need special handling: https://docs.openshift.com/container-platform/4.6/security/seccomp-profiles.html

[skonto]

Picking 1.24 instead of 1.25 here to avoid warnings 4.11 and a scenario where restricted policy is enforced.

[pierDipi]

Eventing needs stateful set support as well.

I can log an issue and I can follow up if you don't want to do it in this PR.

[skonto]

Yeah I can do it.

[skonto]

Btw I dont see any manifests with StatefulSet.Could you point me to them? Didn't see them in audit reports.

[pierDipi]

they are coming in a future release, I thought this will land on main first.

[skonto]

Oh ok wanted to unblock testing that is why I did it on 1.25 first.

[pierDipi]

In the other case, should we try to do the opposite (downgrading)?

[skonto]

I mentioned in the description that this is an alternative. I see upgrading easier because otherwise we will have to patch 1.4 midstream branches (more work). Does not make sense to only patch the downloaded manifests in S-O repo you have to fix the mid stream ones too to be consistent. We can downgrade on main if that works better but dont see any benefits.

[pierDipi]

When a manifest is at v1 (upgraded version) but the k8s version doesn't understand v1 because it was introduced in a future release.

[skonto]

Yes if we have midstream manifests that are already upgraded yes. Do we have any? For Serving we might have in future branches eg 1.5+. But that is a concern for the main patch I guess.

[skonto]

Two timeouts for not getting a claim another infra failure :(

[skonto]

/retest

[skonto]

infra issues.

: Run multi-stage test operator-e2e-aws-ocp-411 expand_less | 1h0m0s
-- | --
{  failed to wait for the created cluster claim to become ready: timed out waiting for the condition}

level=error
level=error
level=fatal msg="failed to fetch Cluster: failed to generate asset \"Cluster\": failed to create cluster: failed to apply Terraform: failed to complete the change"

[skonto]

/retest

[skonto]

Ok need to avoid setting it for 4.6, I accidentally set it for kube-rbac-proxy always by default. Will fix shortly.

                    {
                        "lastTransitionTime": "2022-09-19T13:42:53Z",
                        "lastUpdateTime": "2022-09-19T13:42:53Z",
                        "message": "pods \"activator-66947549dc-lq4vg\" is forbidden: unable to validate against any security context constraint: [pod.metadata.annotations.container.seccomp.security.alpha.kubernetes.io/kube-rbac-proxy: Forbidden: seccomp may not be set]",
                        "reason": "FailedCreate",
                        "status": "True",
                        "type": "ReplicaFailure"
                    },

[skonto]

/retest

[skonto]

/retest

[skonto]

/retest

[skonto]

/retest

[skonto]

Error from server: etcdserver: request timed out

/retest

[skonto]

@matzew @pierDipi I think we can stamp it.

[matzew]

/test 4.6-upstream-e2e-mesh-aws-ocp-46

[matzew]

@matzew @pierDipi I think we can stamp it.

I am positive too, I have seen 4.6 infra (cluster pool) issues before on my others. 4.11 works fine...

I gave it one more retry

[matzew]

INFO[2022-09-20T06:26:35Z] Releasing cluster claims for test upstream-e2e-mesh-aws-ocp-46 

/lgtm
/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: matzew, skonto

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [matzew,skonto]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[matzew]

Should we see if we can land those on upstream? Or directly on midstream first ?

[skonto]

For 1.26 yes that is also the goal for 1.25 we want to move fast. That is why I didnt start with main branch.
Upstream there is a ticket for fixing stuff for 1.8 let's see what we can port back.

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 75853f5 and 2 for PR HEAD 0f22fbd in total

[matzew]

@skonto

Is this known, or infra (b/c of timeout)?:

    service.go:55: Error creating ksvc: Post "https://api.ci-ocp-4-11-amd64-aws-us-east-1-kmznv.hive.aws.ci.openshift.org:6443/apis/serving.knative.dev/v1/namespaces/serverless-tests/services": dial tcp: lookup api.ci-ocp-4-11-amd64-aws-us-east-1-kmznv.hive.aws.ci.openshift.org on 172.30.0.10:53: read udp 10.130.128.78:36372->172.30.0.10:53: i/o timeout

[skonto]

It is infra afaik, cluster access times out occasionally.

[openshift-ci]

@skonto: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/4.6-upstream-e2e-mesh-aws-ocp-46	0f22fbd	link	false	/test 4.6-upstream-e2e-mesh-aws-ocp-46
ci/prow/4.11-operator-e2e-aws-ocp-411	0f22fbd	link	true	/test 4.11-operator-e2e-aws-ocp-411

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[skonto]

/retest