Bug 1868801

Summary: check-endpoints should use minimal credentials
Product: OpenShift Container Platform
Reporter: Luis Sanchez <sanchezl>
Component: kube-apiserver
Assignee: Luis Sanchez <sanchezl>
Status: CLOSED ERRATA
QA Contact: Ke Wang <kewang>
Severity: medium
Docs Contact:
Priority: medium
Version: 4.6
CC: aos-bugs, mfojtik, sttts, xxia
Target Milestone: ---
Target Release: 4.6.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-10-27 16:28:34 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Luis Sanchez 2020-08-13 20:19:49 UTC
The check-endpoints tool is currently running using the credentials of the cert-syncer tool. It should use its own set of credentials.

Comment 3 Ke Wang 2020-09-16 03:47:39 UTC
Verification as below:

$ oc version
Client Version: 4.6.0-202009040605.p0-f2a4a03
Server Version: 4.6.0-0.nightly-2020-09-15-063156
Kubernetes Version: v1.19.0+35ab7c5

$ oc get ClusterRole/system:openshift:controller:check-endpoints
NAME                                          CREATED AT
system:openshift:controller:check-endpoints   2020-09-15T11:53:20Z

$ oc get ClusterRoleBinding/system:openshift:controller:kube-apiserver-check-endpoints
NAME                                                         ROLE                                AGE
system:openshift:controller:kube-apiserver-check-endpoints   ClusterRole/system:auth-delegator   15h

$ oc get RoleBinding/system:openshift:controller:kube-apiserver-check-endpoints -n kube-system
NAME                                                         ROLE                                             AGE
system:openshift:controller:kube-apiserver-check-endpoints   Role/extension-apiserver-authentication-reader   15h

$ oc get RoleBinding/system:openshift:controller:check-endpoints -n openshift-kube-apiserver
NAME                                          ROLE                                                      AGE
system:openshift:controller:check-endpoints   ClusterRole/system:openshift:controller:check-endpoints   15h

$ oc get pod kube-apiserver-kewang1565-9n24f-master-0 -n openshift-kube-apiserver -oyaml | grep -C2 "check-endpoints-kubeconfig"
  - args:
    - --kubeconfig
    - /etc/kubernetes/static-pod-certs/configmaps/check-endpoints-kubeconfig/kubeconfig
    - --listen
    - 0.0.0.0:17697
    
$ oc get configmap/check-endpoints-kubeconfig -n openshift-kube-apiserver -o yaml | grep -C1 "check-endpoints"
          cluster: loopback
          user: check-endpoints
        name: check-endpoints
    current-context: check-endpoints
    kind: Config
--
    users:
      - name: check-endpoints
        user:
          client-certificate: /etc/kubernetes/static-pod-certs/secrets/check-endpoints-client-cert-key/tls.crt
          client-key: /etc/kubernetes/static-pod-certs/secrets/check-endpoints-client-cert-key/tls.key
kind: ConfigMap
--
    time: "2020-09-15T11:53:24Z"
  name: check-endpoints-kubeconfig
  namespace: openshift-kube-apiserver
  resourceVersion: "5747"
  selfLink: /api/v1/namespaces/openshift-kube-apiserver/configmaps/check-endpoints-kubeconfig

All changes were applied to kube-apiserver as expected; moving the bug to verified.
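The verification above checks two things by eye: that the check-endpoints container is started with its own kubeconfig, and that the user in that kubeconfig presents the check-endpoints client certificate rather than another component's. The following is an added example (not OpenShift or Bugzilla code) that turns the second check into a small audit function: given a kubeconfig already loaded into a dict and the identity the container is supposed to run as, it resolves current-context to a user and reports any credential path that does not live in that identity's own secret directory. The good kubeconfig mirrors the structure shown in the comment above; the "before" kubeconfig, with a cert-syncer secret name, is constructed for illustration and its path is hypothetical.

```python
"""Audit a kubeconfig for credential/identity mismatch (added example, not project code)."""
from __future__ import annotations

import os
from typing import Any

# Secret mount root seen in the kubeconfig quoted in the comment above.
SECRETS_ROOT = "/etc/kubernetes/static-pod-certs/secrets"


def audit_kubeconfig(cfg: dict[str, Any], expected_user: str) -> list[str]:
    """Return findings; an empty list means the selected user presents only
    credentials that belong to `expected_user` (its own <user>-client-cert-key secret)."""
    findings: list[str] = []

    ctx_name = cfg.get("current-context")
    contexts = {c["name"]: c.get("context", {}) for c in cfg.get("contexts", [])}
    if ctx_name not in contexts:
        return [f"current-context {ctx_name!r} is not defined in contexts"]

    user_name = contexts[ctx_name].get("user")
    if user_name != expected_user:
        findings.append(
            f"context {ctx_name!r} selects user {user_name!r}, expected {expected_user!r}"
        )

    users = {u["name"]: u.get("user", {}) for u in cfg.get("users", [])}
    user = users.get(user_name)
    if user is None:
        findings.append(f"user {user_name!r} has no entry under users")
        return findings

    # The identity's own credentials are expected under SECRETS_ROOT/<user>-client-cert-key/.
    expected_dir = os.path.join(SECRETS_ROOT, f"{expected_user}-client-cert-key")
    for key in ("client-certificate", "client-key"):
        path = user.get(key)
        if path is None:
            findings.append(f"user {user_name!r} has no {key}")
            continue
        if os.path.dirname(path) != expected_dir:
            findings.append(
                f"{key} {path!r} is outside {expected_dir!r}: credential belongs to another identity"
            )
    return findings


def _kubeconfig(user: str, secret_name: str) -> dict[str, Any]:
    """Build a loopback kubeconfig dict with the layout quoted in the comment (constructed)."""
    base = os.path.join(SECRETS_ROOT, secret_name)
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "clusters": [{"name": "loopback", "cluster": {}}],
        "contexts": [{"name": user, "context": {"cluster": "loopback", "user": user}}],
        "current-context": user,
        "users": [
            {
                "name": user,
                "user": {
                    "client-certificate": os.path.join(base, "tls.crt"),
                    "client-key": os.path.join(base, "tls.key"),
                },
            }
        ],
    }


# Fixed state, matching the configmap output in the comment.
GOOD_KUBECONFIG = _kubeconfig("check-endpoints", "check-endpoints-client-cert-key")
# "Before" state: same user name but pointing at another component's secret.
# The secret name is hypothetical; the page does not show the cert-syncer paths.
BAD_KUBECONFIG = _kubeconfig("check-endpoints", "cert-syncer-client-cert-key")


def demo() -> tuple[list[str], list[str]]:
    """Run the audit on both configs; returns (findings_good, findings_bad)."""
    return (
        audit_kubeconfig(GOOD_KUBECONFIG, "check-endpoints"),
        audit_kubeconfig(BAD_KUBECONFIG, "check-endpoints"),
    )


if __name__ == "__main__":
    good, bad = demo()
    print("fixed kubeconfig:", "OK" if not good else good)
    print("before-fix kubeconfig:")
    for line in bad:
        print("  -", line)
```

In practice the dict would come from `yaml.safe_load` of the `kubeconfig` key in the configmap (that loader is not used here so the example runs without extra dependencies). This check is the credential half of the verification; the ClusterRole and RoleBinding listings in the comment are the permission half, and both are needed to confirm that the identity is distinct and scoped to what check-endpoints actually does.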

Comment 5 errata-xmlrpc 2020-10-27 16:28:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196