Bug 1958492

Summary: CCO: pod-identity-webhook still accesses APIRemovedInNextReleaseInUse
Product: OpenShift Container Platform
Component: Cloud Credential Operator
Version: 4.8
Target Release: 4.8.0
Status: CLOSED ERRATA
Severity: high
Priority: high
Reporter: wang lin <lwan>
Assignee: Joel Diaz <jdiaz>
QA Contact: wang lin <lwan>
CC: arane, deads, jdiaz, lwan, sttts, xxia
Hardware: Unspecified
OS: Unspecified
Doc Type: No Doc Update
Clone Of: 1954765
Bug Depends On: 1954765
Bug Blocks: 1947719
Last Closed: 2021-07-27 23:07:32 UTC

Description wang lin 2021-05-08 08:15:47 UTC
Description of problem:
user/system:serviceaccount:openshift-cloud-credential-operator:pod-identity-webhook accessed certificatesigningrequests.v1beta1.certificates.k8s.io 23 times, which will be deprecated in the next release.

Found in https://prow.ci.openshift.org/view/gs/origin-ci-test/pr-logs/pull/26104/pull-ci-openshift-origin-master-e2e-aws-disruptive/1390344110019186688

Actual results:
still accesses DeprecatedAPIInNextReleaseInUse

Expected results:
won't access DeprecatedAPIInNextReleaseInUse

Comment 2 wang lin 2021-05-10 06:14:12 UTC
Verified on 4.8.0-0.nightly-2021-05-09-105430: pod-identity-webhook no longer accesses certificatesigningrequests.v1beta1.certificates.k8s.io. Here are the verification steps:

$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.8.0-0.nightly-2021-05-09-105430   True        False         173m    Cluster version is 4.8.0-0.nightly-2021-05-09-105430

$ masters=$(oc get no -l node-role.kubernetes.io/master | sed '1d' | awk '{print $1}')

$ oc adm node-logs $masters --path=kube-apiserver/audit.log --raw | grep -e '"k8s.io/removed-release":"1.22"' | tee dep.json

$ cat dep.json | jq -r '.user.username+": "+.requestURI' | sort | uniq | grep pod-identity
Nothing can be found.
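
An offline analogue of the audit-log check in Comment 2, added here as an example (it is not part of the bug report or of OpenShift's tooling): it parses each audit event as JSON instead of grepping raw text, skips truncated lines, and counts each request once by auditID. The sample events, the `example-ns` service account and the function name `deprecated_api_users` are constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample audit events (JSON lines); not taken from a real cluster.
WEBHOOK = "system:serviceaccount:openshift-cloud-credential-operator:pod-identity-webhook"
CLIENT = "system:serviceaccount:example-ns:example-client"  # hypothetical account
SAMPLE_AUDIT_LOG = """\
{"auditID":"a1","stage":"ResponseComplete","verb":"create","user":{"username":"%(w)s"},"objectRef":{"resource":"certificatesigningrequests","apiGroup":"certificates.k8s.io","apiVersion":"v1beta1"},"annotations":{"k8s.io/deprecated":"true","k8s.io/removed-release":"1.22"}}
{"auditID":"a2","stage":"ResponseStarted","verb":"watch","user":{"username":"%(w)s"},"objectRef":{"resource":"certificatesigningrequests","apiGroup":"certificates.k8s.io","apiVersion":"v1beta1"},"annotations":{"k8s.io/deprecated":"true","k8s.io/removed-release":"1.22"}}
{"auditID":"a2","stage":"ResponseComplete","verb":"watch","user":{"username":"%(w)s"},"objectRef":{"resource":"certificatesigningrequests","apiGroup":"certificates.k8s.io","apiVersion":"v1beta1"},"annotations":{"k8s.io/deprecated":"true","k8s.io/removed-release":"1.22"}}
{"auditID":"a3","stage":"ResponseComplete","verb":"list","user":{"username":"%(c)s"},"objectRef":{"resource":"ingresses","apiGroup":"networking.k8s.io","apiVersion":"v1beta1"},"annotations":{"k8s.io/deprecated":"true","k8s.io/removed-release":"1.22"}}
{"auditID":"a4","stage":"ResponseComplete","verb":"list","user":{"username":"%(c)s"},"objectRef":{"resource":"cronjobs","apiGroup":"batch","apiVersion":"v1beta1"},"annotations":{"k8s.io/deprecated":"true","k8s.io/removed-release":"1.25"}}
{"auditID":"a5","stage":"ResponseComplete","verb":"get","user":{"username":"%(w)s"},"objectRef":{"resource":"certificatesigningrequests","apiGroup":"certificates.k8s.io","apiVersion":"v1"}}
{"auditID":"a6","stage":"ResponseComplete","annot
""" % {"w": WEBHOOK, "c": CLIENT}


def deprecated_api_users(lines, removed_release="1.22"):
    """Count distinct requests per (user, resource) to APIs removed in removed_release."""
    seen, counts = set(), Counter()
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or truncated line, e.g. cut off at log rotation
        if not isinstance(ev, dict):
            continue
        if (ev.get("annotations") or {}).get("k8s.io/removed-release") != removed_release:
            continue
        # One request can log several stages under the same auditID; count it once.
        if ev.get("auditID") in seen:
            continue
        seen.add(ev.get("auditID"))
        ref = ev.get("objectRef") or {}
        resource = ".".join(ref.get(k) or "?" for k in ("resource", "apiVersion", "apiGroup"))
        counts[((ev.get("user") or {}).get("username", "?"), resource)] += 1
    return counts


if __name__ == "__main__":
    for (user, resource), n in sorted(deprecated_api_users(SAMPLE_AUDIT_LOG.splitlines()).items()):
        print(f"{user} accessed {resource} {n} times")
```

An empty result for a given service account corresponds to the "Nothing can be found" outcome of the jq pipeline.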

Comment 5 errata-xmlrpc 2021-07-27 23:07:32 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438