Bug 1937466
Summary: | KubeClientCertificateExpiration alert is confusing, without explanation in the documentation | ||||||
---|---|---|---|---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | Martin Bukatovic <mbukatov> | ||||
Component: | Monitoring | Assignee: | Sergiusz Urbaniak <surbania> | ||||
Status: | CLOSED ERRATA | QA Contact: | Junqi Zhao <juzhao> | ||||
Severity: | unspecified | Docs Contact: | |||||
Priority: | unspecified | ||||||
Version: | 4.7 | CC: | alegrand, anpicker, aos-bugs, erooth, jokerman, kakkoyun, lcosic, pkrupa, spasquie, wking | ||||
Target Milestone: | --- | Keywords: | Reopened | ||||
Target Release: | 4.8.0 | ||||||
Hardware: | Unspecified | ||||||
OS: | Unspecified | ||||||
Whiteboard: | |||||||
Fixed In Version: | Doc Type: | No Doc Update | |||||
Doc Text: | Story Points: | --- | |||||
Clone Of: | |||||||
: | 1950290 (view as bug list) | Environment: | |||||
Last Closed: | 2021-07-27 22:52:37 UTC | Type: | Bug | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Bug Depends On: | |||||||
Bug Blocks: | 1950290 | ||||||
Attachments: |
|
Description
Martin Bukatovic
2021-03-10 17:31:45 UTC
KubeClientCertificateExpiration alert is defined in: https://github.com/openshift/cluster-monitoring-operator/blob/master/assets/prometheus-k8s/rules.yaml Looks like it was dropped 10d ago [1] as part of bug 1923984. Maybe close this bug as a dup of that one, and start talking about whether we need backports? [1]: https://github.com/openshift/cluster-monitoring-operator/commit/1496d7fb66e3043ad21014509221bdf37fbb2eaf#diff-9a529e7399b36b3c02f816e864690cfad2559b40127f86268cc44c5dbce1277fR16 Thanks for referencing BZ 1923984. I agree that this bug can be closed now. *** This bug has been marked as a duplicate of bug 1923984 *** Additional details from aos-devel list https://mailman-int.corp.redhat.com/archives/aos-devel/2021-March/msg00161.html On 3/15/21 10:02 AM, Simon Pasquier wrote: > Yeah, Burr mentioned the same issue a few weeks ago. The alert tells > us that someone uses a soon-to-expired client certificate but > unfortunately it can't surface which client (and it can be anything: > kubelet, operators, user workloads). A cluster admin would have to go > through the API logs to find out exactly the client details. > > We've discussed removing the alert upstream [1] because we considered > that the alert isn't really actionable but we didn't reach a > consensus. Instead we've removed the alert from the cluster-monitoring > operator (starting 4.8). FWIW we still have alerts in place if > kubelets can't renew their certificates. > > [1] https://github.com/kubernetes-monitoring/kubernetes-mixin/pull/550 tested with 4.8.0-0.nightly-2021-04-18-101412, KubeClientCertificateExpiration rule is removed Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:2438 |