Bug 1862426

Summary: gather the audit logs for oauth apiserver
Product: OpenShift Container Platform Reporter: Lukasz Szaszkiewicz <lszaszki>
Component: ocAssignee: Luis Sanchez <sanchezl>
Status: CLOSED ERRATA QA Contact: RamaKasturi <knarra>
Severity: high Docs Contact:
Priority: high    
Version: 4.6CC: aos-bugs, jokerman, knarra, maszulik, mfojtik, sttts, xxia
Target Milestone: ---   
Target Release: 4.6.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-10-27 16:21:52 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Lukasz Szaszkiewicz 2020-07-31 12:19:08 UTC 
I have already opened https://github.com/openshift/must-gather/pull/164 but it's not clear whether it's the desired direction.

Thus I decided to create this BZ as a reminder for us.
Comment 1 Eric Rich 2020-08-01 13:40:35 UTC 
https://github.com/openshift/must-gather/pull/144/files tracks the direction we want to take.
Comment 2 Maciej Szulik 2020-08-11 14:26:43 UTC 
*** Bug 1867903 has been marked as a duplicate of this bug. ***
Comment 6 RamaKasturi 2020-08-27 12:49:17 UTC 
Tried verifying on openshift-client-linux-4.6.0-0.nightly-2020-08-27-005538, but did not find oauth apiserver logs, will check again on monday

[ramakasturinarra@dhcp35-60 ~]$ /home/ramakasturinarra/Downloads/openshift-client-linux-4.6.0-0.nightly-2020-08-27-005538/oc version -o yaml
clientVersion:
  buildDate: "2020-08-26T20:41:40Z"
  compiler: gc
  gitCommit: 931d20f944565ad2eadea9afecddbe657e164267
  gitTreeState: clean
  gitVersion: openshift-clients-4.6.0-202006250705.p0-90-g931d20f94
  goVersion: go1.14.4
  major: ""
  minor: ""
  platform: linux/amd64
openshiftVersion: 4.6.0-0.nightly-2020-08-27-005538
releaseClientVersion: 4.6.0-0.nightly-2020-08-27-005538
serverVersion:
  buildDate: "2020-08-26T13:26:15Z"
  compiler: gc
  gitCommit: f71a7ab366cffe1f76b48f2959de47bc71053c4f
  gitTreeState: dirty
  gitVersion: v1.19.0-rc.2+f71a7ab-dirty
  goVersion: go1.14.4
  major: "1"
  minor: 19+
  platform: linux/amd64
Comment 7 RamaKasturi 2020-08-31 13:40:58 UTC 
could not verify this issue today as there is no Accepted build for 4.6 from last friday
Comment 8 Lukasz Szaszkiewicz 2020-09-01 11:09:56 UTC 
@Rama for your information, I have noticed that a few new 4.6 images were accepted today.
Comment 9 Maciej Szulik 2020-09-02 09:19:44 UTC 
I see the actual PR adding that capability is still in queue: https://github.com/openshift/must-gather/pull/144
moving back to POST.
Comment 11 RamaKasturi 2020-09-25 13:12:46 UTC 
Verified bug with the payload below and i see the oauth-apiserver logs are being collected when run oc adm must-gather --/usr/bin/gather_audit_logs

[ramakasturinarra@dhcp35-60 openshift-client-linux-4.6.0-0.nightly-2020-09-25-014731]$ ./oc version -o yaml
clientVersion:
  buildDate: "2020-09-24T05:59:06Z"
  compiler: gc
  gitCommit: 61364f0509c577eebb26e4377c190623a38aba12
  gitTreeState: clean
  gitVersion: openshift-clients-4.6.0-202006250705.p0-150-g61364f050
  goVersion: go1.14.4
  major: ""
  minor: ""
  platform: linux/amd64
openshiftVersion: 4.6.0-0.nightly-2020-09-25-014731
releaseClientVersion: 4.6.0-0.nightly-2020-09-25-014731
serverVersion:
  buildDate: "2020-09-24T13:29:40Z"
  compiler: gc
  gitCommit: 359dd790a64aa35b626a6a081abddd7db9e2dd37
  gitTreeState: clean
  gitVersion: v1.19.0+359dd79
  goVersion: go1.15.0
  major: "1"
  minor: "19"
  platform: linux/amd64

[ramakasturinarra@dhcp35-60 quay-io-openshift-release-dev-ocp-v4-0-art-dev-sha256-33485bb4fd1f7c442f3d95f7326d8a84ea0f450d10c4268f488b0a44fedd3a72]$ cd audit_logs/
[ramakasturinarra@dhcp35-60 audit_logs]$ ls -l
total 24
drwxr-xr-x. 2 ramakasturinarra ramakasturinarra 4096 Sep 25 18:13 kube-apiserver
-rw-r--r--. 1 ramakasturinarra ramakasturinarra 2353 Sep 25 18:10 kube-apiserver.audit_logs_listing
drwxr-xr-x. 2 ramakasturinarra ramakasturinarra 4096 Sep 25 18:15 oauth-apiserver
-rw-r--r--. 1 ramakasturinarra ramakasturinarra  174 Sep 25 18:10 oauth-apiserver.audit_logs_listing
drwxr-xr-x. 2 ramakasturinarra ramakasturinarra 4096 Sep 25 18:13 openshift-apiserver
-rw-r--r--. 1 ramakasturinarra ramakasturinarra  174 Sep 25 18:10 openshift-apiserver.audit_logs_listing
[ramakasturinarra@dhcp35-60 audit_logs]$ cd oauth-apiserver/
[ramakasturinarra@dhcp35-60 oauth-apiserver]$ ls -l
total 6836
-rw-r--r--. 1 ramakasturinarra ramakasturinarra 6331410 Sep 25 18:11 ip-10-0-155-142.ap-northeast-1.compute.internal-audit.log
-rw-r--r--. 1 ramakasturinarra ramakasturinarra  328199 Sep 25 18:11 ip-10-0-187-116.ap-northeast-1.compute.internal-audit.log.gz
-rw-r--r--. 1 ramakasturinarra ramakasturinarra  335209 Sep 25 18:11 ip-10-0-195-170.ap-northeast-1.compute.internal-audit.log.gz


Based on the above moving the bug to verified state.
Comment 13 errata-xmlrpc 2020-10-27 16:21:52 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196