Bug 1972687

Summary: Using bound SA tokens causes failures to /apis/authorization.openshift.io/v1/clusterrolebindings
Product: OpenShift Container Platform
Reporter: Sergiusz Urbaniak <surbania>
Component: apiserver-auth
Assignee: Sergiusz Urbaniak <surbania>
Status: CLOSED ERRATA
QA Contact: liyao
Severity: high
Priority: high
Version: 4.8
CC: aos-bugs, cblecker, dgoodwin, jmatthew, liyao, mfojtik, obulatov, odepaz, rfreiman, sasha, shurley, slaznick, sregidor, surbania, wking
Target Milestone: ---
Keywords: ServiceDeliveryBlocker
Target Release: 4.8.0
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Clone Of: 1972383
Last Closed: 2021-07-27 23:13:09 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1972383

Comment 2 liyao 2021-06-18 10:26:18 UTC
Tested in fresh cluster 4.8.0-0.nightly-2021-06-18-055840

There are 2 ways to verify

Method 1
1. copy oc to ANY_POD
$ oc cp /usr/bin/oc ANY_POD:/tmp/oc
2. enter ANY_POD
$ oc rsh ANY_POD
3. get the resources in authorization.openshift.io group by oc CLI and check the result
When using the old build, an error is returned from the server.
sh-4.4$ /tmp/oc get rolebinding.v1.authorization.openshift.io
Error from server: Get "https://172.30.0.1:443/apis/rbac.authorization.k8s.io/v1/namespaces/xxia-proj/rolebindings?limit=500": net/http: invalid header field name "Impersonate-Extra-authentication.kubernetes.io/pod-uid"
sh-4.4$ /tmp/oc get role.v1.authorization.openshift.io
Error from server: Get "https://172.30.0.1:443/apis/rbac.authorization.k8s.io/v1/namespaces/xxia-proj/roles?limit=500": net/http: invalid header field name "Impersonate-Extra-authentication.kubernetes.io/pod-name"

When using the new build including the fix, the expected result is returned.
sh-4.4# /tmp/oc get rolebinding.v1.authorization.openshift.io
NAME                    ROLE                                       USERS   GROUPS                                             SERVICE ACCOUNTS                      USERS
prometheus-k8s          openshift-oauth-apiserver/prometheus-k8s                                                              openshift-monitoring/prometheus-k8s   
...                                  
sh-4.4# /tmp/oc get role.v1.authorization.openshift.io
NAME
prometheus-k8s


Method 2
1) enter a pod other than the KAS pod
$ oc get pods -n openshift-oauth-apiserver
$ oc rsh -n openshift-oauth-apiserver apiserver-64c8f57f9c-2djtw
2) curl the endpoint of the kube-apiserver from inside the pod and check the result
$ token=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
$ curl -k "https://${KUBERNETES_SERVICE_HOST}/apis/authorization.openshift.io/v1/clusterroles/view" -H "Authorization: Bearer ${token}"

When using the old build, an error is returned from the server.
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {  },
  "status": "Failure",
  "message": "Get \"https://172.30.0.1:443/apis/rbac.authorization.k8s.io/v1/clusterroles/view\": net/http: invalid header field name \"Impersonate-Extra-authentication.kubernetes.io/pod-name\"",
  "code": 500
}

When using the new build including the fix, the expected result is returned.
{
  "kind": "ClusterRole",
  "apiVersion": "authorization.openshift.io/v1",
  "metadata": {
    "name": "view",
    ...
}
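
The failure reported in both methods has the same root cause: a bound service-account token carries the pod's identity as extra user-info keys (the `authentication.kubernetes.io/pod-name` and `pod-uid` seen in the error text), and when the request is forwarded to the kube-apiserver those keys are turned into `Impersonate-Extra-<key>` headers. HTTP header field names may only contain RFC 7230 "tchar" bytes, and `/` is not one of them, so Go's `net/http` refuses to send the request and the client sees a 500. The Go program below is an added example, not code from this bug or from the OpenShift/Kubernetes code base: it reproduces the transport-level rejection over an in-memory connection (no real socket, using constructed sample keys), implements the tchar check a defender can use to validate such names, and shows that percent-encoding the key with `url.PathEscape` yields a legal name. The escaping step is an assumed illustration of one mitigation; this page does not state what the shipped fix does.

```go
package main

import (
	"bufio"
	"context"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/url"
	"strings"
)

// Header prefix under which impersonated extra user-info keys are sent
// (the "Impersonate-Extra-" prefix visible in the error messages above).
const impersonateExtraPrefix = "Impersonate-Extra-"

// Extra keys a bound service-account token carries; constructed sample input
// taken from the header names in the failing requests.
var boundTokenExtraKeys = []string{
	"authentication.kubernetes.io/pod-name",
	"authentication.kubernetes.io/pod-uid",
}

// isTokenChar reports whether c is an RFC 7230 "tchar". net/http refuses to send
// a request whose header field name contains any other byte; '/' is not a tchar.
func isTokenChar(c byte) bool {
	switch {
	case c >= 'a' && c <= 'z', c >= 'A' && c <= 'Z', c >= '0' && c <= '9':
		return true
	}
	return strings.IndexByte("!#$%&'*+-.^_`|~", c) >= 0
}

// validHeaderFieldName mirrors the check the Go HTTP transport applies to every
// request header name before dialing: non-empty and tchar-only.
func validHeaderFieldName(name string) bool {
	if name == "" {
		return false
	}
	for i := 0; i < len(name); i++ {
		if !isTokenChar(name[i]) {
			return false
		}
	}
	return true
}

// rawExtraHeader concatenates prefix and key as-is, reproducing the failing name.
func rawExtraHeader(key string) string { return impersonateExtraPrefix + key }

// escapedExtraHeader percent-encodes the key first; '%' is a tchar, so the result
// is a legal field name. Assumed mitigation for illustration, not this bug's fix.
func escapedExtraHeader(key string) string { return impersonateExtraPrefix + url.PathEscape(key) }

// serveOne answers a single request on an in-memory connection with 200 OK.
func serveOne(c net.Conn) {
	defer c.Close()
	if _, err := http.ReadRequest(bufio.NewReader(c)); err != nil {
		return
	}
	io.WriteString(c, "HTTP/1.1 200 OK\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")
}

// sendWithHeader sends a GET carrying the given header name over a net.Pipe
// (no real socket) and returns the client error text, or "" on success.
func sendWithHeader(headerName string) string {
	tr := &http.Transport{
		DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
			client, server := net.Pipe()
			go serveOne(server)
			return client, nil
		},
	}
	defer tr.CloseIdleConnections()
	client := &http.Client{Transport: tr}
	// Hypothetical host; the dialer above never resolves it.
	req, err := http.NewRequest(http.MethodGet,
		"http://kube-apiserver.invalid/apis/rbac.authorization.k8s.io/v1/clusterroles/view", nil)
	if err != nil {
		return err.Error()
	}
	// Assign the map entry directly so the name reaches the transport unchanged.
	req.Header[headerName] = []string{"some-value"}
	resp, err := client.Do(req)
	if err != nil {
		return err.Error()
	}
	resp.Body.Close()
	return ""
}

func main() {
	for _, key := range boundTokenExtraKeys {
		for _, name := range []string{rawExtraHeader(key), escapedExtraHeader(key)} {
			fmt.Printf("%-62s tchar-valid=%-5v client: %q\n",
				name, validHeaderFieldName(name), sendWithHeader(name))
		}
	}
}
```

Running it prints the same `net/http: invalid header field name "Impersonate-Extra-authentication.kubernetes.io/pod-uid"` text as the failing build for the raw names, and an empty error for the escaped ones. The tchar check is the piece worth keeping in any proxy or aggregated API server that derives header names from untrusted or externally defined identity attributes: validate or encode before forwarding, rather than discovering the problem as a 500 at the client.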

Comment 3 Osher De Paz 2021-06-21 12:13:56 UTC
*** Bug 1973258 has been marked as a duplicate of this bug. ***

Comment 6 errata-xmlrpc 2021-07-27 23:13:09 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438