Bug 1954768

Summary: baremetal-operator: check (see bug 1947801#c4 steps) audit log to find deprecated API access related to this component to ensure this component won't access APIs that trigger APIRemovedInNextReleaseInUse alert
Product: OpenShift Container Platform
Component: Bare Metal Hardware Provisioning
Sub component: cluster-baremetal-operator
Reporter: David Eads <deads>
Assignee: Angus Salkeld <asalkeld>
QA Contact: Ori Michaeli <omichael>
Status: CLOSED ERRATA
Severity: high
Priority: high
CC: aos-bugs, asalkeld, beth.white, rbartal, xxia
Version: 4.8
Keywords: Triaged
Target Release: 4.8.0
Hardware: Unspecified
OS: Unspecified
Doc Type: No Doc Update
Last Closed: 2021-07-27 23:04:34 UTC
Type: Bug
Bug Blocks: 1947719

Description David Eads 2021-04-28 18:29:09 UTC
user/system:serviceaccount:openshift-machine-api:cluster-baremetal-operator accessed validatingwebhookconfigurations.v1beta1.admissionregistration.k8s.io 1 times

This blocks upgrade to 4.9, because when the kube-apiserver upgrades to 4.9, the endpoint used by the operator in 4.8 (kube-apiserver upgrades first) will stop functioning.  Many clusters get stuck in this state and running skewed fails.

Comment 2 Xingxing Xia 2021-05-10 07:49:06 UTC
Verified in 4.8.0-0.nightly-2021-05-10-002052 :
$ MASTERS=`oc get no | grep master | grep -o '^[^ ]*'`
$ for i in $MASTERS; do echo "$i"; oc debug no/$i -- chroot /host bash -c "grep -hE '"'"k8s.io/removed-release":"[^"]+"'"' /var/log/kube-apiserver/audit*.log" >> all.log ; done
$ grep '"k8s.io/removed-release":"1.22"' all.log > 1.22.log
$ jq -r '.user.username+": "+.requestURI' 1.22.log | sed 's/\?.*$//' | sort | uniq -c | sort -n
     92 system:serviceaccount:openshift-machine-config-operator:default: /apis/apiextensions.k8s.io/v1beta1/customresourcedefinitions
     96 system:serviceaccount:openshift-machine-api:cluster-autoscaler-operator: /apis/admissionregistration.k8s.io/v1beta1/validatingwebhookconfigurations
    105 system:serviceaccount:openshift-cluster-version:default: /apis/apiextensions.k8s.io/v1beta1/customresourcedefinitions/clusteroperators.config.openshift.io
    105 system:serviceaccount:openshift-cluster-version:default: /apis/apiextensions.k8s.io/v1beta1/customresourcedefinitions/clusterversions.config.openshift.io
    105 system:serviceaccount:openshift-cluster-version:default: /apis/apiextensions.k8s.io/v1beta1/customresourcedefinitions/containerruntimeconfigs.machineconfiguration.openshift.io
    105 system:serviceaccount:openshift-cluster-version:default: /apis/apiextensions.k8s.io/v1beta1/customresourcedefinitions/credentialsrequests.cloudcredential.openshift.io
    105 system:serviceaccount:openshift-cluster-version:default: /apis/apiextensions.k8s.io/v1beta1/customresourcedefinitions/kubeletconfigs.machineconfiguration.openshift.io
    105 system:serviceaccount:openshift-cluster-version:default: /apis/apiextensions.k8s.io/v1beta1/customresourcedefinitions/machineconfigpools.machineconfiguration.openshift.io
    105 system:serviceaccount:openshift-cluster-version:default: /apis/apiextensions.k8s.io/v1beta1/customresourcedefinitions/machineconfigs.machineconfiguration.openshift.io
    105 system:serviceaccount:openshift-cluster-version:default: /apis/rbac.authorization.k8s.io/v1beta1/clusterrolebindings/default-account-openshift-machine-config-operator
    105 system:serviceaccount:openshift-cluster-version:default: /apis/rbac.authorization.k8s.io/v1beta1/namespaces/openshift-machine-api/rolebindings/cluster-autoscaler-operator
    105 system:serviceaccount:openshift-cluster-version:default: /apis/rbac.authorization.k8s.io/v1beta1/namespaces/openshift-machine-api/roles/cluster-autoscaler-operator
    173 system:kube-controller-manager: /apis/extensions/v1beta1/ingresses
    339 system:serviceaccount:openshift-machine-config-operator:default: /apis/apiextensions.k8s.io/v1beta1/customresourcedefinitions/controllerconfigs.machineconfiguration.openshift.io

Did not find access to deprecated APIs related to baremetal operator
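
The same check as the verification steps above, written as an added example that is not part of the original comment or of any OpenShift tooling: it filters audit events on the `k8s.io/removed-release` annotation, strips the query string, counts by user and path, and then asks whether one component's service account appears. The sample events and the function names are constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample: one JSON audit event per line, as in audit*.log.
SA = "system:serviceaccount:openshift-machine-api:cluster-autoscaler-operator"
VWC = "/apis/admissionregistration.k8s.io/v1beta1/validatingwebhookconfigurations"
R122 = {"k8s.io/deprecated": "true", "k8s.io/removed-release": "1.22"}
SAMPLE_LINES = [
    json.dumps({"requestURI": VWC + "?timeout=32s", "user": {"username": SA}, "annotations": R122}),
    json.dumps({"requestURI": VWC + "?limit=500", "user": {"username": SA}, "annotations": R122}),
    json.dumps({"requestURI": "/apis/extensions/v1beta1/ingresses",
                "user": {"username": "system:kube-controller-manager"}, "annotations": R122}),
    # Deprecated, but removed in a later release: must not be counted for 1.22.
    json.dumps({"requestURI": "/apis/policy/v1beta1/podsecuritypolicies",
                "user": {"username": SA}, "annotations": {"k8s.io/removed-release": "1.25"}}),
    # Current API, no annotations at all.
    json.dumps({"requestURI": "/apis/apps/v1/deployments", "user": {"username": SA}}),
    '{"requestURI":"/apis/extensions/v1beta1/ingr',  # truncated line
]

def removed_api_hits(lines, release="1.22"):
    """Count (username, path) pairs for requests to APIs removed in `release`."""
    hits = Counter()
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or truncated lines instead of aborting
        if not isinstance(event, dict):
            continue
        annotations = event.get("annotations") or {}
        if annotations.get("k8s.io/removed-release") != release:
            continue
        user = (event.get("user") or {}).get("username", "<unknown>")
        path = event.get("requestURI", "").split("?", 1)[0]  # same as the sed step
        hits[(user, path)] += 1
    return hits

def hits_for_service_account(hits, namespace, name):
    """Return {path: count} for one service account; empty means no access found."""
    wanted = f"system:serviceaccount:{namespace}:{name}"
    return {path: n for (user, path), n in hits.items() if user == wanted}

if __name__ == "__main__":
    for (user, path), n in sorted(removed_api_hits(SAMPLE_LINES).items(), key=lambda kv: kv[1]):
        print(f"{n:7d} {user}: {path}")
```
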

Comment 5 errata-xmlrpc 2021-07-27 23:04:34 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438