Bug 1947797
Summary: | CVO: check (see bug 1947801#c4 steps) audit log to find deprecated API access related to this component to ensure this component won't access APIs that trigger APIRemovedInNextReleaseInUse alert | ||
---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | Stefan Schimanski <sttts> |
Component: | Cluster Version Operator | Assignee: | Lalatendu Mohanty <lmohanty> |
Status: | CLOSED ERRATA | QA Contact: | Yang Yang <yanyang> |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | 4.8 | CC: | alegrand, anpicker, aos-bugs, erooth, hongyli, jack.ottofaro, jokerman, juzhao, kakkoyun, kewang, lcosic, lmohanty, mfojtik, pkrupa, surbania, wking, xxia, yanyang |
Target Milestone: | --- | Keywords: | Reopened |
Target Release: | 4.8.0 | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | No Doc Update | |
Doc Text: | Story Points: | --- | |
Clone Of: | 1947719 | Environment: | |
Last Closed: | 2021-07-27 22:58:29 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 1947719 |
Description
Stefan Schimanski
2021-04-09 09:37:05 UTC
Checking a recent nightly: $ oc adm release extract --to manifests registry.ci.openshift.org/ocp/release:4.8.0-0.nightly-2021-04-09-222447 $ grep -r1 CustomResourceDef manifests/ | grep v1beta manifests/0000_80_machine-config-operator_01_machineconfigpool.crd.yaml-apiVersion: apiextensions.k8s.io/v1beta1 manifests/0000_80_machine-config-operator_01_machineconfig.crd.yaml-apiVersion: apiextensions.k8s.io/v1beta1 manifests/0000_80_machine-config-operator_01_kubeletconfig.crd.yaml-apiVersion: apiextensions.k8s.io/v1beta1 manifests/0000_80_machine-config-operator_01_containerruntimeconfig.crd.yaml-apiVersion: apiextensions.k8s.io/v1beta1 manifests/0000_10_consoleyamlsample.crd.yaml-apiVersion: apiextensions.k8s.io/v1beta1 manifests/0000_10_consolequickstart.crd.yaml-apiVersion: apiextensions.k8s.io/v1beta1 manifests/0000_10_consoleplugin.crd.yaml-apiVersion: apiextensions.k8s.io/v1beta1 manifests/0000_10_consolenotification.crd.yaml-apiVersion: apiextensions.k8s.io/v1beta1 manifests/0000_10_consolelink.crd.yaml-apiVersion: apiextensions.k8s.io/v1beta1 manifests/0000_10_consoleexternalloglink.crd.yaml-apiVersion: apiextensions.k8s.io/v1beta1 manifests/0000_10_consoleclidownload.crd.yaml-apiVersion: apiextensions.k8s.io/v1beta1 manifests/0000_10-helm-chart-repository.crd.yaml-apiVersion: apiextensions.k8s.io/v1beta1 manifests/0000_10_samplesconfig.crd.yaml-apiVersion: apiextensions.k8s.io/v1beta1 manifests/0000_40_kube-storage-version-migrator-operator_01_storage_state_crd.yaml-apiVersion: apiextensions.k8s.io/v1beta1 manifests/0000_40_kube-storage-version-migrator-operator_01_storage_migration_crd.yaml-apiVersion: apiextensions.k8s.io/v1beta1 manifests/0000_10_config-operator_01_network.crd.yaml-apiVersion: apiextensions.k8s.io/v1beta1 manifests/0000_10_config-operator_01_ingress.crd.yaml-apiVersion: apiextensions.k8s.io/v1beta1 manifests/0000_10_config-operator_01_imagecontentsourcepolicy.crd.yaml-apiVersion: apiextensions.k8s.io/v1beta1 manifests/0000_10_config-operator_01_image.crd.yaml-apiVersion: apiextensions.k8s.io/v1beta1 manifests/0000_10_config-operator_01_dns.crd.yaml-apiVersion: apiextensions.k8s.io/v1beta1 manifests/0000_10_config-operator_01_console.crd.yaml-apiVersion: apiextensions.k8s.io/v1beta1 manifests/0000_10_config-operator_01_build.crd.yaml-apiVersion: apiextensions.k8s.io/v1beta1 manifests/0000_03_quota-openshift_01_clusterresourcequota.crd.yaml-apiVersion: apiextensions.k8s.io/v1beta1 manifests/0000_03_config-operator_01_operatorhub.crd.yaml-apiVersion: apiextensions.k8s.io/v1beta1 manifests/0000_50_cloud-credential-operator_00-crd.yaml-apiVersion: apiextensions.k8s.io/v1beta1 I'll spin off bugs about those folks bumping their CRD versions, although a number of them look like openshift/api CRDs... Verification steps, you can refer to https://bugzilla.redhat.com/show_bug.cgi?id=1947801#c4 We still need to bump the vendored API code in the CVO repo to pick up the change. Verified in 4.8.0-0.nightly-2021-06-01-002052: $ MASTERS=`oc get no | grep master | grep -o '^[^ ]*'` $ for i in $MASTERS; do oc debug no/$i -- chroot /host bash -c "grep -hE '"'"k8s.io/removed-release":"[^"]+"'"' /var/log/kube-apiserver/audit*.log" ; done > all.log $ grep '"k8s.io/removed-release":"1.22"' all.log > 1.22.log $ jq -r '.user.username+": "+.requestURI' 1.22.log | sed 's/=[0-9][^&]*/=***/g' | sort | uniq -c | sort -n > 1.22.removed.apis $ cat 1.22.removed.apis 20 system:serviceaccount:openshift-cluster-version:default: /apis/apiextensions.k8s.io/v1beta1/customresourcedefinitions/credentialsrequests.cloudcredential.openshift.io No v1beta1/customresourcedefinitions/clusteroperators.config.openshift.io and v1beta1/customresourcedefinitions/clusterversions.config.openshift.io now. For v1beta1/customresourcedefinitions/credentialsrequests.cloudcredential.openshift.io, will ask CCO QE to file another bug. Regression test on upgrade from 4.7.13 stable and 4.8 nightly 4.8.0-0.nightly-2021-06-01-002052 passed. 4.7.13 -> 4.8.0-0.nightly-2021-06-01-002052 passed 4.8.0-0.nightly-2021-05-27-123356 -> 4.8.0-0.nightly-2021-06-01-002052 passed Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:2438 |