Bug 1974773

Summary: Using bound SA tokens causes fail to query cluster resource especially in a sts cluster
Product: OpenShift Container Platform Reporter: Sergiusz Urbaniak <surbania>
Component: apiserver-authAssignee: Standa Laznicka <slaznick>
Status: CLOSED ERRATA QA Contact: liyao
Severity: urgent Docs Contact:
Priority: urgent    
Version: 4.8CC: aos-bugs, cshereme, liyao, lwan, mfojtik, mifiedle, slaznick, surbania, vlaad, wking, wsun, wzheng, xtian
Target Milestone: ---Keywords: ServiceDeliveryBlocker, TestBlocker
Target Release: 4.8.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: EmergencyRequest
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1974716 Environment:
Last Closed: 2021-07-27 23:13:39 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1974716    
Bug Blocks:    

Comment 1 Standa Laznicka 2021-06-22 14:45:02 UTC 
*** Bug 1974788 has been marked as a duplicate of this bug. ***
Comment 3 wang lin 2021-06-24 05:24:20 UTC 
Verified on 4.8.0-0.nightly-2021-06-23-232238

1. provide my own Authentication CR into cluster manifests
$ oc get Authentication cluster -o json | jq -r ".spec"
{
  "oauthMetadata": {
    "name": ""
  },
  "serviceAccountIssuer": "https://a-lwansts-480-021932120336748-oidc.s3.us-east-2.amazonaws.com",
  "type": "",
  "webhookTokenAuthenticator": {
    "kubeConfig": {
      "name": "webhook-authentication-integrated-oauth"
    }
  }
}
2. launch an install
3. there is no longer Unauthorized keywords
Comment 6 errata-xmlrpc 2021-07-27 23:13:39 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438