Bug 1947791
Summary: | MCO: check (see bug 1947801#c4 steps) audit log to find deprecated API access related to this component to ensure this component won't access APIs that trigger APIRemovedInNextReleaseInUse alert | ||
---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | Stefan Schimanski <sttts> |
Component: | Machine Config Operator | Assignee: | Sinny Kumari <skumari> |
Status: | CLOSED ERRATA | QA Contact: | Xingxing Xia <xxia> |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | 4.8 | CC: | alegrand, anpicker, aos-bugs, deads, erooth, hongyli, juzhao, kakkoyun, kewang, lcosic, mfojtik, pkrupa, skumari, surbania, xxia |
Target Milestone: | --- | Keywords: | Reopened |
Target Release: | 4.8.0 | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: | Story Points: | --- | |
Clone Of: | 1947719 | Environment: | |
Last Closed: | 2021-07-27 22:58:26 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 1947719 |
Description
Stefan Schimanski
2021-04-09 09:27:26 UTC
Also: system:serviceaccount:openshift-cluster-version:default: /apis/apiextensions.k8s.io/v1beta1/customresourcedefinitions/dnses.config.openshift.io ? The requests relate to this component of the BZ https://bugzilla.redhat.com/show_bug.cgi?id=1947785#c0 are gone for the given component, you won't see the related alert in web-console. Verification steps, you can refer to https://bugzilla.redhat.com/show_bug.cgi?id=1947801#c4 system:serviceaccount:openshift-machine-config-operator:node-bootstrapper accessed certificatesigningrequests.v1beta1.certificates.k8s.io Found in openshift CI *** Bug 1954771 has been marked as a duplicate of this bug. *** Set up a 4.8.0-0.nightly-2021-05-13-222446 env. Confirmed this payload already includes above machine-config-operator/pull/2572. $ MASTERS=`oc get no | grep master | grep -o '^[^ ]*'` $ for i in $MASTERS; do echo "$i" oc debug no/$i -- chroot /host bash -c "grep -hE '"'"k8s.io/removed-release":"[^"]+"'"' /var/log/kube-apiserver/audit*.log" >> all.log done $ wc -l all.log 5412 all.log $ grep '"k8s.io/removed-release":"1.22"' all.log > 1.22.log $ jq -r '.user.username+": "+.requestURI' 1.22.log | grep machine-config | sed 's/=[1-9][^&]*/=***/g' | sort | uniq -c | sort -n 108 system:serviceaccount:openshift-machine-config-operator:default: /apis/apiextensions.k8s.io/v1beta1/customresourcedefinitions?allowWatchBookmarks=true&labelSelector=openshift.io%2Foperator-managed%3D&resourceVersion=***&timeout=***&timeoutSeconds=***&watch=true 126 system:serviceaccount:openshift-cluster-version:default: /apis/rbac.authorization.k8s.io/v1beta1/clusterrolebindings/default-account-openshift-machine-config-operator 414 system:serviceaccount:openshift-machine-config-operator:default: /apis/apiextensions.k8s.io/v1beta1/customresourcedefinitions/controllerconfigs.machineconfiguration.openshift.io Still deprecated API accesses related to MCO component. Sorry, I did not run `rm -f all.log` before using `>> all.log`, caused it included result of my older testing. Today retested latest 4.8.0-0.nightly-2021-05-15-141455 env with `rm -f all.log`, no MCO related accesses to deprecated APIs. Thank Xingxing for confirming! Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:2438 |