Bug 1965947

Summary: CCO: check (see bug 1947801#c4 steps) audit log to find deprecated API access related to this component to ensure this component won't access APIs that trigger APIRemovedInNextReleaseInUse alert
Product: OpenShift Container Platform Reporter: Ke Wang <kewang>
Component: Cloud Credential OperatorAssignee: Devan Goodwin <dgoodwin>
Status: CLOSED DUPLICATE QA Contact: wang lin <lwan>
Severity: high Docs Contact:
Priority: unspecified    
Version: 4.8CC: aos-bugs, mfojtik
Target Milestone: ---   
Target Release: 4.8.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-05-31 10:58:26 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Comment 1 Ke Wang 2021-05-31 08:21:53 UTC 
Refer to the bug 1947801#c4 steps, still found the following api request from /apis/apiextensions.k8s.io/v1beta1/customresourcedefinitions/credentialsrequests.cloudcredential.openshift.io,
$ cat dep.json | jq -r '.user.username+": "+.requestURI' | sort | uniq | grep customresourcedefinitions
system:serviceaccount:openshift-cluster-version:default: /apis/apiextensions.k8s.io/v1beta1/customresourcedefinitions/credentialsrequests.cloudcredential.openshift.io
Comment 2 Jian Zhang 2021-05-31 09:47:02 UTC 
Hi Ke,

Based on comment 1, I think it's the version of the `apiextensions.k8s.io` is using "v1beta1" that not allowed. Since the APIService is aggregated API that managed by the APIServer, I transfer this bug to the Master team.

mac:~ jianzhang$ oc get apiservice | grep -i apiextensions
v1.apiextensions.k8s.io                       Local                                                        True        6h46m
v1beta1.apiextensions.k8s.io                  Local                                                        True        6h46m

mac:~ jianzhang$ oc get apiservice v1beta1.apiextensions.k8s.io  -o yaml 
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
  creationTimestamp: "2021-05-31T02:54:37Z"
  labels:
    kube-aggregator.kubernetes.io/automanaged: onstart
  name: v1beta1.apiextensions.k8s.io
  resourceVersion: "6"
  uid: 5a77c1f3-dfb7-4be5-9205-3bd44a1d7ee3
spec:
  group: apiextensions.k8s.io
  groupPriorityMinimum: 16700
  version: v1beta1
  versionPriority: 9
status:
  conditions:
  - lastTransitionTime: "2021-05-31T02:54:37Z"
    message: Local APIServices are always available
    reason: Local
    status: "True"
    type: Available
Comment 3 Ke Wang 2021-05-31 10:58:26 UTC 
Agree with Jian Zhang's checking, will close this bug, still using the original bug 1952049 to track this. Close the bug with duplication.

*** This bug has been marked as a duplicate of bug 1952049 ***
Comment 4 Xingxing Xia 2021-06-02 07:09:03 UTC 
Jian Zhang, Ke Wang : this is NOT an issue of apiserver, also NOT an issue of original Helm bug, rather, it is issue of credentialsrequests that is defined as v1beta1 CRD.

*** This bug has been marked as a duplicate of bug 1957446 ***