Bug 1801415
| Summary: | ingress-to-route controller uses deprecated extensions/v1beta1 API | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Miciah Dashiel Butler Masters <mmasters> |
| Component: | Networking | Assignee: | Dan Mace <dmace> |
| Networking sub component: | router | QA Contact: | Arvind iyengar <aiyengar> |
| Status: | CLOSED ERRATA | Docs Contact: | |
| Severity: | medium | | |
| Priority: | medium | CC: | aiyengar, aos-bugs |
| Version: | 4.4 | | |
| Target Milestone: | --- | | |
| Target Release: | 4.5.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | Cause: The ingress-to-route controller used the ingresses resource from the extensions/v1beta1 API group. Using the ingresses resource from this API group was deprecated in Kubernetes 1.18. Consequence: The ingress-to-route controller was using a deprecated API. Fix: The ingress-to-route controller was updated to use the ingresses resource from the networking.k8s.io/v1beta1 API group. Result: The ingress-to-route controller no longer uses the deprecated ingress API. | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-07-13 17:14:44 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Description
Miciah Dashiel Butler Masters
2020-02-10 20:15:27 UTC
Pretty sure we can defer this to 4.5 (Kube 1.18). Please correct me if I'm wrong.

After merge, the fix originally made it into the "4.5.0-0.nightly-2020-04-29-223453" release version. At the time of writing, the functionality has been verified in the "4.5.0-0.nightly-2020-05-06-003431" release:
----
Server Version: 4.5.0-0.nightly-2020-05-06-003431
Kubernetes Version: v1.18.0-rc.1
----
We note that the openshift-controller-manager uses the new "networking.k8s.io" API group and there are no requests with the "openshift-controller-manager-sa" service account for the "ingresses" resource with the "extensions/v1beta1" API group.
Excerpts from extracted audit logs:
-------
$ zcat must-gather.local.2085467479204652461/quay-io-openshift-release-dev-ocp-v4-0-art-dev-sha256-53cc66fe93fcee37285748f191975eccc56ac244f225613432e1a5d50c67d940/audit_logs/kube-apiserver/ip-10-0-1* | grep -i "openshift-controller-manager-sa" | grep -i "extensions.v1beta1" | jq .
$
$ zcat must-gather.local.2085467479204652461/quay-io-openshift-release-dev-ocp-v4-0-art-dev-sha256-53cc66fe93fcee37285748f191975eccc56ac244f225613432e1a5d50c67d940/audit_logs/kube-apiserver/ip-10-0-1* | grep -i "openshift-controller-manager-sa" | grep -i "networking.k8s.io" | jq .
{
"kind": "Event",
"apiVersion": "audit.k8s.io/v1",
"level": "Metadata",
"auditID": "f80bd200-0d9e-403a-b1d3-96498e1739ed",
"stage": "ResponseStarted",
"requestURI": "/apis/networking.k8s.io/v1beta1/ingresses?allowWatchBookmarks=true&resourceVersion=14761&timeout=6m26s&timeoutSeconds=386&watch=true",
"verb": "watch",
"user": {
"username": "system:serviceaccount:openshift-controller-manager:openshift-controller-manager-sa",
"uid": "1f41728b-2a60-4919-96b8-282a93011290",
"groups": [
"system:serviceaccounts",
"system:serviceaccounts:openshift-controller-manager",
"system:authenticated"
]
},
"sourceIPs": [
"10.0.147.111"
],
"userAgent": "openshift-controller-manager/v0.0.0 (linux/amd64) kubernetes/$Format",
"objectRef": {
"resource": "ingresses",
"apiGroup": "networking.k8s.io",
"apiVersion": "v1beta1"
},
"responseStatus": {
"metadata": {},
"status": "Success",
"message": "Connection closed early",
"code": 200
},
"requestReceivedTimestamp": "2020-05-07T06:00:43.629867Z",
"stageTimestamp": "2020-05-07T06:00:43.660092Z",
"annotations": {
"authorization.k8s.io/decision": "allow",
"authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"system:openshift:openshift-controller-manager\" of ClusterRole \"system:openshift:openshift-controller-manager\" to ServiceAccount \"openshift-controller-manager-sa/openshift-controller-manager\""
}
}
{
"kind": "Event",
"apiVersion": "audit.k8s.io/v1",
"level": "Metadata",
"auditID": "f80bd200-0d9e-403a-b1d3-96498e1739ed",
"stage": "ResponseComplete",
"requestURI": "/apis/networking.k8s.io/v1beta1/ingresses?allowWatchBookmarks=true&resourceVersion=14761&timeout=6m26s&timeoutSeconds=386&watch=true",
"verb": "watch",
"user": {
"username": "system:serviceaccount:openshift-controller-manager:openshift-controller-manager-sa",
"uid": "1f41728b-2a60-4919-96b8-282a93011290",
"groups": [
"system:serviceaccounts",
"system:serviceaccounts:openshift-controller-manager",
"system:authenticated"
]
},
"sourceIPs": [
"10.0.147.111"
],
"userAgent": "openshift-controller-manager/v0.0.0 (linux/amd64) kubernetes/$Format",
"objectRef": {
"resource": "ingresses",
"apiGroup": "networking.k8s.io",
"apiVersion": "v1beta1"
},
"responseStatus": {
"metadata": {},
"status": "Success",
"message": "Connection closed early",
"code": 200
},
"requestReceivedTimestamp": "2020-05-07T06:00:43.629867Z",
"stageTimestamp": "2020-05-07T06:00:43.660157Z",
"annotations": {
"authorization.k8s.io/decision": "allow",
"authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"system:openshift:openshift-controller-manager\" of ClusterRole \"system:openshift:openshift-controller-manager\" to ServiceAccount \"openshift-controller-manager-sa/openshift-controller-manager\""
}
}
-------
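
The same verification done as a structured check on `objectRef` instead of a text grep, as an added example that is not part of the original bug report or of OpenShift's tooling. It assumes one JSON audit event per line; the sample events, the `demo:legacy-sa` account and the function names are constructed for illustration.

```python
import json
from collections import Counter

SA = "system:serviceaccount:openshift-controller-manager:openshift-controller-manager-sa"
DEPRECATED = ("extensions", "v1beta1")  # API group/version the bug is about


def _event(audit_id, stage, user, group, version, resource="ingresses"):
    """Build one constructed audit event holding only the fields the check reads."""
    return json.dumps({
        "kind": "Event", "auditID": audit_id, "stage": stage, "verb": "watch",
        "user": {"username": user},
        # Decoy: a text grep for "extensions.v1beta1" would match this field.
        "userAgent": "example-client extensions/v1beta1",
        "objectRef": {"resource": resource, "apiGroup": group, "apiVersion": version},
    })


# Constructed sample lines, not taken from the must-gather archive.
SAMPLE_LINES = [
    _event("a1", "ResponseStarted", SA, "networking.k8s.io", "v1beta1"),
    _event("a1", "ResponseComplete", SA, "networking.k8s.io", "v1beta1"),
    _event("b2", "ResponseComplete", "system:serviceaccount:demo:legacy-sa",
           "extensions", "v1beta1"),
    "{truncated line",
]


def ingress_api_usage(lines, username):
    """Count distinct ingresses requests per (apiGroup, apiVersion) for one user."""
    seen, usage = set(), Counter()
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        if not isinstance(ev, dict) or ev.get("user", {}).get("username") != username:
            continue
        ref = ev.get("objectRef") or {}
        # Each request is logged once per stage; count it once per auditID.
        if ref.get("resource") != "ingresses" or ev.get("auditID") in seen:
            continue
        seen.add(ev.get("auditID"))
        usage[(ref.get("apiGroup", ""), ref.get("apiVersion", ""))] += 1
    return usage


def uses_deprecated(lines, username):
    """True if the user made any ingresses request via extensions/v1beta1."""
    return ingress_api_usage(lines, username)[DEPRECATED] > 0
```

Matching on `objectRef` avoids false hits from strings such as `userAgent` or `requestURI`, and deduplicating on `auditID` keeps the `ResponseStarted` and `ResponseComplete` stages of one request from being counted twice.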
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:2409