Bug 1991900

Summary: Still see tokenreview requests from some targets for the prometheus SA
Product: OpenShift Container Platform
Reporter: Rahul Gangwar <rgangwar>
Component: apiserver-auth
Assignee: Standa Laznicka <slaznick>
Status: CLOSED DUPLICATE
QA Contact: Rahul Gangwar <rgangwar>
Severity: medium
Priority: medium
Version: 4.9
CC: aos-bugs, mfojtik, surbania
Keywords: Reopened
Hardware: Unspecified
OS: Unspecified
Last Closed: 2021-08-11 09:36:16 UTC
Type: Bug

Description Rahul Gangwar 2021-08-10 11:22:10 UTC
Description of problem:
Now with https://bugzilla.redhat.com/show_bug.cgi?id=1986829 verified, still see tokenreview requests from some targets for the prometheus SA. 


Version-Release number of selected component (if applicable):
Latest 4.9 nightly payload


How reproducible:
Always

Steps to Reproduce:
1. Check metric client certificate
 oc get secret -n openshift-monitoring


2. Configure the audit profile from default to WriteRequestBodies in apiserver/cluster and wait for kube-apiserver to restart
oc edit apiserver/cluster

spec:
  audit:
    profile: WriteRequestBodies

Check whether kube-apiserver restarted:
oc get pod -n openshift-kube-apiserver -l apiserver --show-labels

3. Check and gather audit logs after kube-apiserver restarts and wait for 15 minutes. Log in to all masters and gather audit logs.


oc debug node/ci-ln-6t078vk-f76d1-mv5bv-master-2 -T -- chroot /host grep '"requestURI":"/apis/authentication.k8s.io/v1/tokenreviews"' /var/log/kube-apiserver/audit.log > /tmp/all_tokenreviews_requests.log

grep '"status":{"authenticated":true,"user":{"username":"system:serviceaccount:openshift-monitoring:prometheus-k8s"' /tmp/all_tokenreviews_requests.log > /tmp/all_tokenreviews_for_serviceaccount_prometheus-k8s.log

jq '.user.username' /tmp/all_tokenreviews_for_serviceaccount_prometheus-k8s.log > /tmp/all_users_that_make_traffic_to_check_token_of_serviceaccount_prometheus-k8s.log

sort /tmp/all_users_that_make_traffic_to_check_token_of_serviceaccount_prometheus-k8s.log | uniq -c | sort -rh > /tmp/users.txt


Check that no token validation requests are sent to kube-apiserver from the users below; the command should produce no output.

for i in kube-apiserver openshift-apiserver openshift-controller-manager kube-scheduler kubelet node-exporter kube-controller-manager etcd; do grep "$i" /tmp/users.txt;done;

Actual results:
1 "system:serviceaccount:openshift-controller-manager:openshift-controller-manager-sa"
4 "system:kube-scheduler"

Expected results:
For this command the output should be blank:

for i in kube-apiserver openshift-apiserver openshift-controller-manager kube-scheduler kubelet node-exporter kube-controller-manager etcd; do grep "$i" /tmp/users.txt;done;
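As an added example (not part of the bug report), the same tally done by parsing the kube-apiserver audit events as JSON instead of string-matching them: it counts which callers asked for a TokenReview of the prometheus-k8s token and flags any caller that matches one of the control-plane components listed in the report. The audit lines are constructed, and the `example:app-proxy` caller is hypothetical.

```python
import json
from collections import Counter

TOKENREVIEW_URI = "/apis/authentication.k8s.io/v1/tokenreviews"
PROM_SA = "system:serviceaccount:openshift-monitoring:prometheus-k8s"
# Components that should scrape with client certs and never validate this token.
STATIC_AUTH_COMPONENTS = (
    "kube-apiserver", "openshift-apiserver", "openshift-controller-manager",
    "kube-scheduler", "kubelet", "node-exporter", "kube-controller-manager", "etcd",
)

def _event(caller, reviewed=PROM_SA, authenticated=True, uri=TOKENREVIEW_URI):
    """Minimal constructed audit event carrying only the fields inspected below."""
    return json.dumps({
        "requestURI": uri, "verb": "create", "user": {"username": caller},
        "responseObject": {"status": {"authenticated": authenticated, "user": {"username": reviewed}}},
    })

# Constructed sample audit.log lines, not captured from a real cluster.
SAMPLE_AUDIT = [
    _event("system:kube-scheduler"),
    _event("system:kube-scheduler"),
    _event("system:serviceaccount:openshift-controller-manager:openshift-controller-manager-sa"),
    _event("system:serviceaccount:example:app-proxy"),  # hypothetical non-control-plane caller
    _event("system:kube-scheduler", reviewed="system:serviceaccount:example:other"),  # other SA
    _event("system:kube-scheduler", authenticated=False),  # token rejected: not counted
    _event("system:kube-scheduler", uri="/api/v1/namespaces/default/pods"),  # not a TokenReview
]

def tokenreview_callers(lines, reviewed_sa=PROM_SA):
    """Count .user.username of TokenReview requests whose recorded response names
    reviewed_sa as authenticated (responseObject is only logged with WriteRequestBodies)."""
    callers = Counter()
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("requestURI") != TOKENREVIEW_URI:
            continue
        status = ev.get("responseObject", {}).get("status", {})
        if status.get("authenticated") and status.get("user", {}).get("username") == reviewed_sa:
            callers[ev["user"]["username"]] += 1
    return callers

def unexpected_callers(callers, components=STATIC_AUTH_COMPONENTS):
    """Callers whose name contains a component name, like the report's grep loop;
    an empty dict is the expected (passing) result."""
    return {u: n for u, n in callers.items() if any(c in u for c in components)}
```

Run against a real `audit.log` by passing `open("/var/log/kube-apiserver/audit.log")` as `lines`; the unauthenticated, other-SA and non-TokenReview sample events are deliberately excluded from the count.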

Comment 1 Sergiusz Urbaniak 2021-08-11 07:20:20 UTC
This looks like a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1990281. Workload components (controller-manager, scheduler) need static authorization configured.

*** This bug has been marked as a duplicate of bug 1990281 ***

Comment 2 Rahul Gangwar 2021-08-11 07:53:44 UTC
Reopening the bug; it is not a duplicate. To clarify, it is about tokenreview, not subjectaccessreview.

Comment 3 Sergiusz Urbaniak 2021-08-11 09:36:16 UTC
Let's keep the number of bugzillas at a minimum. tokenreview and subjectaccessreview must both be omitted in order to implement client cert based metrics scraping.

*** This bug has been marked as a duplicate of bug 1990281 ***

Comment 4 Sergiusz Urbaniak 2021-08-11 09:36:54 UTC
(adding a comment in the other BZ)