Bug 2026089
| Summary: | Different file permission for secrets/user-serving-cert-000/tls.crt and secrets/user-serving-cert-000/tls.key | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | OpenShift BugZilla Robot <openshift-bugzilla-robot> |
| Component: | kube-apiserver | Assignee: | Abu Kashem <akashem> |
| Status: | CLOSED ERRATA | QA Contact: | Rahul Gangwar <rgangwar> |
| Severity: | high | Docs Contact: | |
| Priority: | medium | ||
| Version: | 4.7 | CC: | amulmule, clasohm, dtambat, kvatteka, mfojtik, mirollin, mrobson, nkaushik, pawankum, rgangwar, sbiradar, shaising, shchan, simore, sttts, surbania, suyama, vlaad, wking, xxia |
| Target Milestone: | --- | ||
| Target Release: | 4.8.z | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2023-01-12 16:54:48 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1977730 | ||
| Bug Blocks: | 2013838 | ||
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.8.26 bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2022:0021 oc adm release info --commits registry.ci.openshift.org/ocp/release:4.8.0-0.nightly-2022-02-28-225103|grep -i kube-apiserver-operator cluster-kube-apiserver-operator https://github.com/openshift/cluster-kube-apiserver-operator 25c54939bdd02bc8e68f1329fa3ebe16904b3282 git log --date local --pretty="%h %an %cd - %s" 25c54939 |grep -i 1320 25c54939b OpenShift Merge Robot Mon Feb 28 15:29:23 2022 - Merge pull request #1320 from EmilyM1/bump-for-4.8-libgo Before changes oc get clusterversion NAME VERSION AVAILABLE PROGRESSING SINCE STATUS version 4.8.0-0.nightly-2022-02-28-225103 True False 163m Cluster version is 4.8.0-0.nightly-2022-02-28-225103 rahulgangwar@rgangwar-mac cluster-kube-apiserver-operator % for i in `oc get node|grep master|awk '{print $1}'`;do oc debug node/$i -T -- chroot /host bash -c "ls -ltrh /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/*/tls.crt"; done Starting pod/ip-10-0-60-208us-east-2computeinternal-debug ... To use host binaries, run `chroot /host` -rw-------. 1 root root 1.2K Mar 1 11:36 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/control-plane-node-admin-client-cert-key/tls.crt -rw-------. 1 root root 1.2K Mar 1 11:36 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/check-endpoints-client-cert-key/tls.crt -rw-------. 1 root root 1.2K Mar 1 11:36 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/aggregator-client/tls.crt -rw-------. 1 root root 2.4K Mar 1 11:36 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/localhost-serving-cert-certkey/tls.crt -rw-------. 1 root root 2.5K Mar 1 11:36 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/internal-loadbalancer-serving-certkey/tls.crt -rw-------. 1 root root 2.5K Mar 1 11:36 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/external-loadbalancer-serving-certkey/tls.crt -rw-------. 1 root root 2.7K Mar 1 11:36 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/service-network-serving-certkey/tls.crt Removing debug pod ... Starting pod/ip-10-0-60-72us-east-2computeinternal-debug ... To use host binaries, run `chroot /host` -rw-------. 1 root root 1.2K Mar 1 11:43 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/aggregator-client/tls.crt -rw-------. 1 root root 2.5K Mar 1 11:43 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/external-loadbalancer-serving-certkey/tls.crt -rw-------. 1 root root 1.2K Mar 1 11:43 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/control-plane-node-admin-client-cert-key/tls.crt -rw-------. 1 root root 1.2K Mar 1 11:43 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/check-endpoints-client-cert-key/tls.crt -rw-------. 1 root root 2.4K Mar 1 11:43 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/localhost-serving-cert-certkey/tls.crt -rw-------. 1 root root 2.5K Mar 1 11:43 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/internal-loadbalancer-serving-certkey/tls.crt -rw-------. 1 root root 2.7K Mar 1 11:43 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/service-network-serving-certkey/tls.crt Removing debug pod ... Starting pod/ip-10-0-73-175us-east-2computeinternal-debug ... To use host binaries, run `chroot /host` -rw-------. 1 root root 1.2K Mar 1 11:34 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/check-endpoints-client-cert-key/tls.crt -rw-------. 1 root root 1.2K Mar 1 11:34 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/aggregator-client/tls.crt -rw-------. 1 root root 2.7K Mar 1 11:34 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/service-network-serving-certkey/tls.crt -rw-------. 1 root root 2.4K Mar 1 11:34 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/localhost-serving-cert-certkey/tls.crt -rw-------. 1 root root 2.5K Mar 1 11:34 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/internal-loadbalancer-serving-certkey/tls.crt -rw-------. 1 root root 2.5K Mar 1 11:34 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/external-loadbalancer-serving-certkey/tls.crt -rw-------. 1 root root 1.2K Mar 1 11:34 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/control-plane-node-admin-client-cert-key/tls.crt After changes openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem -subj "/CN=test.com" Generating a 2048 bit RSA private key ...........................................................+++ ...................................................................+++ writing new private key to 'key.pem' ----- oc create secret tls api-secret --cert=certificate.pem --key=key.pem -n openshift-config secret/api-secret created oc patch --type=merge apiserver/cluster -p " spec: servingCerts: namedCertificates: - names: - test.com servingCertificate: name: api-secret oc get apiserver cluster -o yaml servingCerts: namedCertificates: - names: - test.com servingCertificate: name: api-secret for i in `oc get node|grep master|awk '{print $1}'`;do oc debug node/$i -T -- chroot /host bash -c "ls -ltrh /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/*/tls.crt"; done Starting pod/ip-10-0-60-208us-east-2computeinternal-debug ... To use host binaries, run `chroot /host` -rw-------. 1 root root 1.2K Mar 1 17:34 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/aggregator-client/tls.crt -rw-------. 1 root root 1.2K Mar 1 17:34 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/check-endpoints-client-cert-key/tls.crt -rw-------. 1 root root 2.7K Mar 1 17:34 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/service-network-serving-certkey/tls.crt -rw-------. 1 root root 2.4K Mar 1 17:34 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/localhost-serving-cert-certkey/tls.crt -rw-------. 1 root root 2.5K Mar 1 17:34 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/internal-loadbalancer-serving-certkey/tls.crt -rw-------. 1 root root 2.5K Mar 1 17:34 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/external-loadbalancer-serving-certkey/tls.crt -rw-------. 1 root root 1.2K Mar 1 17:34 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/control-plane-node-admin-client-cert-key/tls.crt -rw-------. 1 root root 973 Mar 1 17:34 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/user-serving-cert-000/tls.crt Removing debug pod ... Starting pod/ip-10-0-60-72us-east-2computeinternal-debug ... To use host binaries, run `chroot /host` -rw-------. 1 root root 1.2K Mar 1 17:40 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/aggregator-client/tls.crt -rw-------. 1 root root 2.4K Mar 1 17:40 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/localhost-serving-cert-certkey/tls.crt -rw-------. 1 root root 2.5K Mar 1 17:40 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/internal-loadbalancer-serving-certkey/tls.crt -rw-------. 1 root root 2.5K Mar 1 17:40 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/external-loadbalancer-serving-certkey/tls.crt -rw-------. 1 root root 1.2K Mar 1 17:40 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/control-plane-node-admin-client-cert-key/tls.crt -rw-------. 1 root root 1.2K Mar 1 17:40 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/check-endpoints-client-cert-key/tls.crt -rw-------. 1 root root 973 Mar 1 17:40 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/user-serving-cert-000/tls.crt -rw-------. 1 root root 2.7K Mar 1 17:40 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/service-network-serving-certkey/tls.crt Removing debug pod ... Starting pod/ip-10-0-73-175us-east-2computeinternal-debug ... To use host binaries, run `chroot /host` -rw-------. 1 root root 1.2K Mar 1 17:28 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/check-endpoints-client-cert-key/tls.crt -rw-------. 1 root root 1.2K Mar 1 17:28 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/aggregator-client/tls.crt -rw-------. 1 root root 2.4K Mar 1 17:28 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/localhost-serving-cert-certkey/tls.crt -rw-------. 1 root root 2.5K Mar 1 17:28 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/internal-loadbalancer-serving-certkey/tls.crt -rw-------. 1 root root 2.5K Mar 1 17:28 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/external-loadbalancer-serving-certkey/tls.crt -rw-------. 1 root root 1.2K Mar 1 17:28 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/control-plane-node-admin-client-cert-key/tls.crt -rw-------. 1 root root 973 Mar 1 17:28 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/user-serving-cert-000/tls.crt -rw-------. 1 root root 2.7K Mar 1 17:28 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/service-network-serving-certkey/tls.crt Shanna, Checking with dev will update you soon. Hello Team, Can we please get any update on this? Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.8.56 bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2023:0018 |
oc get clusterversion NAME VERSION AVAILABLE PROGRESSING SINCE STATUS version 4.8.0-0.nightly-2021-12-21-212247 True False 9m49s Cluster version is 4.8.0-0.nightly-2021-12-21-212247 openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem -subj "/CN=<API_FQDN>" Generating a 2048 bit RSA private key ................................................................................................................................................+++ .......+++ writing new private key to 'key.pem' ----- oc create secret tls api-secret --cert=certificate.pem --key=key.pem -n openshift-config secret/api-secret created oc get apiserver/cluster -o yaml servingCertificate: name: api-secret for i in `oc get node|grep master|awk '{print $1}'`;do oc debug node/$i -T -- chroot /host bash -c "ls -ltrh /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/*/tls.crt"; done Starting pod/ip-10-0-153-141us-east-2computeinternal-debug ... To use host binaries, run `chroot /host` -rw-------. 1 root root 1.2K Dec 22 16:03 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/aggregator-client/tls.crt -rw-------. 1 root root 2.5K Dec 22 16:03 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/external-loadbalancer-serving-certkey/tls.crt -rw-------. 1 root root 1.2K Dec 22 16:03 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/control-plane-node-admin-client-cert-key/tls.crt -rw-------. 1 root root 1.2K Dec 22 16:03 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/check-endpoints-client-cert-key/tls.crt -rw-------. 1 root root 2.4K Dec 22 16:03 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/localhost-serving-cert-certkey/tls.crt -rw-------. 1 root root 2.5K Dec 22 16:03 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/internal-loadbalancer-serving-certkey/tls.crt -rw-------. 1 root root 1.1K Dec 22 16:03 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/user-serving-cert-000/tls.crt -rw-------. 1 root root 2.7K Dec 22 16:03 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/service-network-serving-certkey/tls.crt Removing debug pod ... Starting pod/ip-10-0-170-127us-east-2computeinternal-debug ... To use host binaries, run `chroot /host` -rw-------. 1 root root 2.5K Dec 22 16:16 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/internal-loadbalancer-serving-certkey/tls.crt -rw-------. 1 root root 2.5K Dec 22 16:16 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/external-loadbalancer-serving-certkey/tls.crt -rw-------. 1 root root 1.2K Dec 22 16:16 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/control-plane-node-admin-client-cert-key/tls.crt -rw-------. 1 root root 1.2K Dec 22 16:16 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/check-endpoints-client-cert-key/tls.crt -rw-------. 1 root root 1.2K Dec 22 16:16 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/aggregator-client/tls.crt -rw-------. 1 root root 1.1K Dec 22 16:16 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/user-serving-cert-000/tls.crt -rw-------. 1 root root 2.7K Dec 22 16:16 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/service-network-serving-certkey/tls.crt -rw-------. 1 root root 2.4K Dec 22 16:16 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/localhost-serving-cert-certkey/tls.crt Removing debug pod ... Starting pod/ip-10-0-212-167us-east-2computeinternal-debug ... To use host binaries, run `chroot /host` -rw-------. 1 root root 1.2K Dec 22 16:10 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/aggregator-client/tls.crt -rw-------. 1 root root 2.4K Dec 22 16:10 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/localhost-serving-cert-certkey/tls.crt -rw-------. 1 root root 2.5K Dec 22 16:10 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/internal-loadbalancer-serving-certkey/tls.crt -rw-------. 1 root root 2.5K Dec 22 16:10 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/external-loadbalancer-serving-certkey/tls.crt -rw-------. 1 root root 1.2K Dec 22 16:10 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/control-plane-node-admin-client-cert-key/tls.crt -rw-------. 1 root root 1.2K Dec 22 16:10 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/check-endpoints-client-cert-key/tls.crt -rw-------. 1 root root 1.1K Dec 22 16:10 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/user-serving-cert-000/tls.crt -rw-------. 1 root root 2.7K Dec 22 16:10 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/service-network-serving-certkey/tls.crt Removing debug pod ...