Bug 1954765

Summary: CCO: check (see bug 1947801#c4 steps) audit log to find deprecated API access related to this component to ensure this component won't access APIs that trigger APIRemovedInNextReleaseInUse alert
Product: OpenShift Container Platform
Reporter: David Eads <deads>
Component: Cloud Credential Operator
Assignee: Joel Diaz <jdiaz>
Status: CLOSED ERRATA
QA Contact: wang lin <lwan>
Severity: high
Priority: high
Version: 4.8
CC: arane, jdiaz, lwan, sttts, xxia
Target Release: 4.8.0
Hardware: Unspecified
OS: Unspecified
Doc Type: No Doc Update
Clone Of:
: 1958492 (view as bug list) Environment:
Last Closed: 2021-07-27 23:04:34 UTC
Type: Bug
Bug Blocks: 1947719, 1958492

Description David Eads 2021-04-28 18:23:14 UTC
//user/system:serviceaccount:openshift-cloud-credential-operator:cloud-credential-operator accessed mutatingwebhookconfigurations.v1beta1.admissionregistration.k8s.io 60 times

found in https://prow.ci.openshift.org/view/gs/origin-ci-test/pr-logs/pull/26104/pull-ci-openshift-origin-master-e2e-aws-disruptive/1386733471304519680

Comment 1 David Eads 2021-04-28 18:24:06 UTC
This blocks upgrade to 4.9, because when the kube-apiserver upgrades to 4.9, the endpoint used by the cloud-credential operator in 4.8 (kube-apiserver upgrades first) will stop functioning.

Comment 4 wang lin 2021-05-07 02:20:34 UTC
Hi Joel,
  I can see podidentity no longer accesses mutatingwebhookconfigurations.v1beta1.admissionregistration.k8s.io, but I see another API call to certificatesigningrequests.v1beta1.certificates.k8s.io. Does this need to be fixed by us?

user/system:serviceaccount:openshift-cloud-credential-operator:pod-identity-webhook accessed certificatesigningrequests.v1beta1.certificates.k8s.io 23 times

found in https://prow.ci.openshift.org/view/gs/origin-ci-test/pr-logs/pull/26104/pull-ci-openshift-origin-master-e2e-aws-disruptive/1390344110019186688

Comment 5 Stefan Schimanski 2021-05-07 10:32:43 UTC
Still seeing

  user/system:serviceaccount:openshift-cloud-credential-operator:pod-identity-webhook accessed certificatesigningrequests.v1beta1.certificates.k8s.io 13 times

in [sig-arch][Late] clients should not use APIs that are removed in upcoming releases [Suite:openshift/conformance/parallel].

Comment 6 Joel Diaz 2021-05-07 16:36:14 UTC
@lwan let's open a new BZ for the certificatesigningrequests v1beta1. The fix for that is in another repo.

Comment 7 wang lin 2021-05-08 08:19:33 UTC
Filed a new one: https://bugzilla.redhat.com/show_bug.cgi?id=1958492, move this one to Verified.

Comment 10 errata-xmlrpc 2021-07-27 23:04:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438
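
Added example, not part of the bug thread or of any OpenShift code: a minimal audit-log check of the kind the summary asks for. It counts requests that kube-apiserver annotated with `k8s.io/deprecated: "true"` per client and API, and prints them in the same "accessed ... N times" form quoted in the comments above. The sample events and the helper names are constructed for illustration.

```python
import json
from collections import Counter

NS = "system:serviceaccount:openshift-cloud-credential-operator:"
CCO, WEBHOOK = NS + "cloud-credential-operator", NS + "pod-identity-webhook"

def sample_event(user, resource, group, version, deprecated, stage="ResponseComplete"):
    """Build one constructed audit event line (sample data only)."""
    ann = {"k8s.io/deprecated": "true", "k8s.io/removed-release": "1.22"} if deprecated else {}
    ref = {"resource": resource, "apiGroup": group, "apiVersion": version}
    return json.dumps({"kind": "Event", "stage": stage, "user": {"username": user},
                       "objectRef": ref, "annotations": ann})

# Constructed sample audit log, not taken from the CI runs linked in the bug.
SAMPLE = [
    sample_event(CCO, "mutatingwebhookconfigurations", "admissionregistration.k8s.io", "v1beta1", True),
    sample_event(CCO, "mutatingwebhookconfigurations", "admissionregistration.k8s.io", "v1beta1", True),
    sample_event(CCO, "mutatingwebhookconfigurations", "admissionregistration.k8s.io", "v1beta1", True,
                 stage="RequestReceived"),                       # same request, earlier stage
    sample_event(WEBHOOK, "certificatesigningrequests", "certificates.k8s.io", "v1beta1", True),
    sample_event(CCO, "secrets", "", "v1", False),               # current API, not flagged
    sample_event("system:serviceaccount:openshift-example:other", "ingresses",
                 "extensions", "v1beta1", True),                 # other component
    '{"kind": "Event", "sta',                                    # truncated line
]

def deprecated_by_client(lines, user_prefix=NS):
    """Count deprecated-API requests per (user, resource.version.group, removed release)."""
    counts = Counter()
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue                      # skip truncated or non-JSON lines
        ann = ev.get("annotations") or {}
        user = (ev.get("user") or {}).get("username", "")
        # Count each request once, at the stage where the response is complete.
        if ev.get("stage") != "ResponseComplete" or ann.get("k8s.io/deprecated") != "true":
            continue
        if not user.startswith(user_prefix):
            continue
        ref = ev.get("objectRef") or {}
        parts = (ref.get("resource"), ref.get("apiVersion"), ref.get("apiGroup"))
        api = ".".join(p for p in parts if p)   # core group has no apiGroup
        counts[(user, api, ann.get("k8s.io/removed-release", "unknown"))] += 1
    return counts

def report(counts):
    return [f"user/{u} accessed {api} {n} times (removed in {rel})"
            for (u, api, rel), n in sorted(counts.items())]
```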