Bug 2008223
| Summary: | gather_audit_logs: fix oc command line to get the current audit profile | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Ke Wang <kewang> |
| Component: | oc | Assignee: | Maciej Szulik <maszulik> |
| oc sub component: | oc | QA Contact: | zhou ying <yinzhou> |
| Status: | CLOSED ERRATA | Docs Contact: | |
| Severity: | medium | ||
| Priority: | high | CC: | aos-bugs, mfojtik, sttts |
| Version: | 4.9 | ||
| Target Milestone: | --- | ||
| Target Release: | 4.10.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | No Doc Update | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-03-11 18:15:11 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2014995 | ||
| Bug Blocks: | |||
can't reproduce the issue now: [root@localhost ~]# oc version --client Client Version: 4.10.0-0.nightly-2021-10-19-210507 [root@localhost oc adm must-gather -- /usr/bin/gather_audit_logs ; echo $? [must-gather ] OUT Using must-gather plug-in image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:2af566cedaab422336ade987354e0221419d76283b43dac0354607c37592baa8 When opening a support case, bugzilla, or issue please include the following summary data along with any other requested information. ClusterID: dd8b8dcc-9944-4a40-a9c3-a16ba54db839 ClusterVersion: Stable at "4.9.0" ClusterOperators: All healthy and stable [must-gather ] OUT namespace/openshift-must-gather-g7xwm created [must-gather ] OUT clusterrolebinding.rbac.authorization.k8s.io/must-gather-h6s8b created [must-gather ] OUT pod for plug-in image quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:2af566cedaab422336ade987354e0221419d76283b43dac0354607c37592baa8 created [must-gather-zrmwr] POD 2021-10-20T02:14:10.295728843Z WARNING: Collecting one or more audit logs on ALL masters in your cluster. This could take a large amount of time. [must-gather-zrmwr] POD 2021-10-20T02:14:10.433260440Z INFO: Started downloading openshift-apiserver/audit.log from ip-10-0-145-240.us-east-2.compute.internal ...... When opening a support case, bugzilla, or issue please include the following summary data along with any other requested information. ClusterID: dd8b8dcc-9944-4a40-a9c3-a16ba54db839 ClusterVersion: Stable at "4.9.0" ClusterOperators: All healthy and stable 0 $ oc version
Client Version: 4.10.0-0.nightly-2021-10-16-173656
Server Version: 4.10.0-0.nightly-2021-10-20-193037
Kubernetes Version: v1.22.1+d767194
$ oc patch apiserver cluster -p '{"spec": {"audit": {"profile": "None"}}}' --type merge
After the kube-apiserver degradation is finished.
$ oc get pods -n openshift-kube-apiserver -l apiserver --show-labels
$ oc adm must-gather -- /usr/bin/gather_audit_logs;echo $?
$ oc adm must-gather -- /usr/bin/gather_audit_logs;echo $?
[must-gather ] OUT Using must-gather plug-in image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:6bdc74183cf2e2632b0ee40ff6939ce97ee222576eab2308434784587273a637
When opening a support case, bugzilla, or issue please include the following summary data along with any other requested information.
ClusterID: 74d849f6-c326-41fc-b754-c9816955df23
ClusterVersion: Stable at "4.10.0-0.nightly-2021-10-20-193037"
ClusterOperators:
All healthy and stable
[must-gather ] OUT namespace/openshift-must-gather-p5clv created
[must-gather ] OUT clusterrolebinding.rbac.authorization.k8s.io/must-gather-z2l2x created
[must-gather ] OUT pod for plug-in image quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:6bdc74183cf2e2632b0ee40ff6939ce97ee222576eab2308434784587273a637 created
[must-gather-jz6fq] POD 2021-10-21T03:17:28.472216228Z ERROR: To raise a Red Hat support request, it is required to set the top level audit policy to
[must-gather-jz6fq] POD 2021-10-21T03:17:28.472216228Z Default, WriteRequestBodies, or AllRequestBodies to generate audit log events that can
[must-gather-jz6fq] POD 2021-10-21T03:17:28.472216228Z be analyzed by support. Try 'oc edit apiservers' and set 'spec.audit.profile' back to
[must-gather-jz6fq] POD 2021-10-21T03:17:28.472216228Z "Default" and reproduce the issue while gathering audit logs. You can use "--force" to
[must-gather-jz6fq] POD 2021-10-21T03:17:28.472216228Z override this error.
[must-gather-jz6fq] OUT waiting for gather to complete
[must-gather-jz6fq] OUT downloading gather output
[must-gather-jz6fq] OUT receiving incremental file list
[must-gather-jz6fq] OUT ./
[must-gather-jz6fq] OUT
[must-gather-jz6fq] OUT sent 27 bytes received 41 bytes 19.43 bytes/sec
[must-gather-jz6fq] OUT total size is 0 speedup is 0.00
[must-gather ] OUT clusterrolebinding.rbac.authorization.k8s.io/must-gather-z2l2x deleted
[must-gather ] OUT namespace/openshift-must-gather-p5clv deleted
When opening a support case, bugzilla, or issue please include the following summary data along with any other requested information.
ClusterID: 74d849f6-c326-41fc-b754-c9816955df23
ClusterVersion: Stable at "4.10.0-0.nightly-2021-10-20-193037"
ClusterOperators:
All healthy and stable
0
per the Doc
https://github.com/openshift/enhancements/blob/master/enhancements/kube-apiserver/audit-policy.md, the command will return with an error (non-zero exit code), so assign it back.
> $ oc adm must-gather -- /usr/bin/gather_audit_logs;echo $?
`;` is being interpreted by your local command line and not passed to container, check the actual result of the script by rsh-ing into it and verifying it manually.
Moving back to qa.
$ oc get clusterversion
NAME VERSION AVAILABLE PROGRESSING SINCE STATUS
version 4.10.0-0.nightly-2021-10-25-190146 True False 13h Cluster version is 4.10.0-0.nightly-2021-10-25-190146
In terminal A, make the must-gather pod running,
$ oc adm must-gather -- tail -f /dev/null
In terminal B, run /usr/bin/gather_audit_logs and check the output and return code.
$ oc rsh -n openshift-must-gather-rktb7 must-gather-mlk9b
Defaulted container "gather" out of: gather, copy
sh-4.4# /usr/bin/gather_audit_logs
ERROR: To raise a Red Hat support request, it is required to set the top level audit policy to
Default, WriteRequestBodies, or AllRequestBodies to generate audit log events that can
be analyzed by support. Try 'oc edit apiservers' and set 'spec.audit.profile' back to
"Default" and reproduce the issue while gathering audit logs. You can use "--force" to
override this error.
sh-4.4# echo $?
1
From above, as expected, so move the bug VERIFIED.
|
Description of problem: gather_audit_logs: fix oc command line to get the current audit profile Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: 1. Actual results: Currently, oc command line to get the current audit profile with incorrect jsonpath parameters. oc get apiservers.v1.config.openshift.io -o jsonpath=.spec.audit.profile' None .spec.audit.profile Expected results: oc get apiservers.v1.config.openshift.io -o jsonpath='{.items[0].spec.audit.profile}' Default Additional info: