Feat/delete os pod

[alvlkov]

What type of PR is this?

This adds a new managed script to delete a pod from Openshift's reserved namespace.

What this PR does / Why we need it?

This will help fixing errors related to openshift reserved namespaces, essentially when pod restart is required.

Which Jira/Github issue(s) does this PR fix?

OSD_20528

Special notes for your reviewer

Pre-checks (if applicable)

• Validated the changes in a ROSA stage cluster
• Included documentation changes with PR

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: alvlkov
Once this PR has been reviewed and has the lgtm label, please assign wanghaoran1988 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-bot]

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

[alvlkov]

/remove-lifecycle stale

[iamkirkbater]

Requested change relates to the name of the script. The additional check for a replicaset would be more of a nice-to-have, but we can also add that after this is merged so that we can start using this sooner rather than later.

[iamkirkbater]

Can we simplify this to just be delete-pod instead of adding the delete-os-pod? From a UX perspective, it will be easier to remember the closer the syntax name is to the actual OC command.

[iamkirkbater]

Would it be a huge lift here to validate if a pod is owned by a replicaset before proceeding? We might also need to add a "force" flag/parameter to bypass that as well, but it might be a nice protection for the rare chance that a pod isn't managed in an openshift namespace, this way we can make sure it will come back as a default behavior, but have the option to bypass it if we need to.

[iamkirkbater]

Suggested change

	- SREP
	- SREP
	- MCSTierTwo

[alvlkov]

added the suggestions, thanks @iamkirkbater

[feichashao]

Thanks @iamkirkbater for the review!

I would suggest we add the safeguard in this PR to validate if a pod is backed by a replicaset, otherwise the delete operation can be too wide.
The protection can be "we are not making the situation worse":

• If we are deleting a non-healthy pod, go ahead and delete it.
• If we are deleting a healthy pod,
  • If it is the only healthy pod in the replicaset, stop, raise a ticket and review it.
  • If there's another healthy pod besides the one we are going to delete, it is ok to delete.

Another nice-to-have is that we put a list of allowed namespace instead of openshift-*. This sound like a toil but it give us an opportunity to review if we want to allow the deletion when a new namespace comes. (can be next PR for this one).

[iamkirkbater]

@feichashao - a few questions:

1. Can you expand on what you mean by "non-healthy" pod? If we're asking for this in this PR I'd like to be explicit to what we are looking for. For example, if we just mean a "healthy" pod is one in a "Running" state, vs non-healthy which would be "Error", "Completed", "Pending" - etc.
2. What specifically do you mean by raise a ticket - Do you mean like a JIRA here? Or would exiting out with an Error (if there's not a FORCE parameter set) work here?
3. For the list of allowed namespaces - one thing I'd like to keep in mind here is that CEE/MCS have a wider scope of what they support than SREP does. While SREP may only limit ourselves to specific managed namespaces, CEE/MCS will be supporting additional things like openshift-virtualization, etc. So limiting them to managed namespaces may not be as efficient as we think it might be.

[feichashao]

Can you expand on what you mean by "non-healthy" pod? If we're asking for this in this PR I'd like to be explicit to what we are looking for. For example, if we just mean a "healthy" pod is one in a "Running" state, vs non-healthy which would be "Error", "Completed", "Pending" - etc.

I would say Healthy = A pod with all containers in running state; The other should be non-healthy, eg, pending, crashloopbackoff, pod in running state but not all containers are running, showing like:

kube-apiserver-ip-10-119-135-4.ec2.internal           4/5     Running 

(I mocked this)

[alvlkov]

Added replicaset check and --force flag.

• - Successfully deleted pod owned by replicaset regardless --force flag
• - Couldn't delete a pod not owned by a replicaset without --force flag
• - Successfully deleted pod not owned by replicaset with --force flag

[alvlkov]

/retest

[typeid]

This is valid for all namespaces. There's no limitation to from openshift's reserved namespace. as mentioned above.

This permission extends beyond the scope even SRE-P has.

[alvlkov]

The above limitation applies to the NAMESPACE parameter, to avoid deleting Openshift related pods. AFAIK I cant scope namespaces within clusterRoleRules. Please elaborate about the suggestion.

[typeid]

/retest

[openshift-ci]

@alvlkov: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[typeid]

/lgtm

[typeid]

Code LGTM. Pending approval from compliance: https://issues.redhat.com/browse/HCMSEC-611

[typeid]

/hold for compliance approve

[typeid]

/unhold

Merging this as we have not received any feedback from compliance. This does not provide read access to customer data so I'm okay just stamping this off.

[typeid]

/retest

[openshift-bot]

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale