Bug 2060058 - superfluous apirequestcount entries in audit log

| Field | Value | Field | Value |
|---|---|---|---|
| Product | OpenShift Container Platform | Reporter | OpenShift BugZilla Robot <openshift-bugzilla-robot> |
| Component | kube-apiserver | Assignee | Luis Sanchez <sanchezl> |
| Status | CLOSED ERRATA | QA Contact | jmekkatt |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | 4.10 | CC | jmekkatt, mfojtik, rgangwar, sanchezl, xxia |
| Target Milestone | --- | | |
| Target Release | 4.10.0 | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | If docs needed, set a value |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2022-08-01 11:34:48 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 2049687 | | |
| Bug Blocks | | | |
Comment 4
Rahul Gangwar
2022-03-10 06:16:42 UTC

Inline tests are performed in the fixed build with different kube-apiserver cluster profiles.

Step 1: Get the cluster version.

```
$ oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.10.0-0.nightly-2022-07-25-110002   True        False         22m     Cluster version is 4.10.0-0.nightly-2022-07-25-110002
```

Step 2: Check the apirequestcount definition in the policy.yaml file.

```
$ kas_pod=$(oc get pods -n openshift-kube-apiserver | grep 'apiserver' | grep -v 'guard'| awk 'NR==1{print $1}')
$ oc exec -n openshift-kube-apiserver $kas_pod -- cat /etc/kubernetes/static-pod-resources/configmaps/kube-apiserver-audit-policies/policy.yaml | grep -A5 "group: apiserver"
  - group: apiserver.openshift.io
    resources:
    - apirequestcounts
    - apirequestcounts/*
    users:
    - system:apiserver
```

Step 3: Run the inline script to check for the presence of "apirequestcount" in the logs.

```
$ cat check_and_filter_apirequestcount.sh
PATTERN="apirequestcount"
PATTERN_SECOND="system:apiserver"
PATTERN_EXCLUDE="customresourcedefinitions"
# all kube-apiserver pods, excluding the guard pods
KAS_PODS=$(oc get pods -n openshift-kube-apiserver | grep 'apiserver' | grep -v 'guard'| awk '{print $1}')
# keep audit lines mentioning apirequestcount made by system:apiserver,
# dropping CRD lines whose name merely contains "apirequestcounts"
for i in $KAS_PODS; do
  oc exec -n openshift-kube-apiserver $i -- grep -iEr $PATTERN /var/log/kube-apiserver | grep $PATTERN_SECOND | grep -v $PATTERN_EXCLUDE || true
done > kas_auditlog_api.log
```

Step 4: Check with the "Default" cluster profile.

```
$ oc get apiserver/cluster -ojson | jq .spec.audit
{
  "profile": "Default"
}
$ sh check_and_filter_apirequestcount.sh
$ cat kas_auditlog_api.log | wc -l
0
```

Step 5: Repeat the Step 3 checks with the "WriteRequestBodies" profile.

```
$ oc patch apiserver cluster -p '{"spec": {"audit": {"profile": "WriteRequestBodies"}}}' --type merge
apiserver.config.openshift.io/cluster patched
$ oc get apiserver/cluster -ojson | jq .spec.audit
{
  "profile": "WriteRequestBodies"
}
$ sh check_and_filter_apirequestcount.sh
$ cat kas_auditlog_api.log | wc -l
0
```

Step 6: Repeat the Step 3 checks with the "AllRequestBodies" profile.

```
$ oc patch apiserver cluster -p '{"spec": {"audit": {"profile": "AllRequestBodies"}}}' --type merge
apiserver.config.openshift.io/cluster patched
$ oc get apiserver/cluster -ojson | jq .spec.audit
{
  "profile": "AllRequestBodies"
}
$ sh check_and_filter_apirequestcount.sh
$ cat kas_auditlog_api.log | wc -l
0
```

Step 7: Repeat the Step 3 checks with the "None" profile.

```
$ oc patch apiserver cluster -p '{"spec": {"audit": {"profile": "None"}}}' --type merge
apiserver.config.openshift.io/cluster patched
$ oc get apiserver/cluster -ojson | jq .spec.audit
{
  "profile": "None"
}
$ sh check_and_filter_apirequestcount.sh
$ cat kas_auditlog_api.log | wc -l
0
```

From the above step results, in none of the kube-apiserver supported profiles are the request entries for apirequestcounts requests made by system:apiserver part of the audit logs. Hence moved the bug to verified.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.10.25 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5730
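A structured version of the verification check from comment 4, added here as an example and not part of the bug report or of the OpenShift code base: instead of grepping raw text, it parses each audit log line as an audit.k8s.io/v1 event and flags any apirequestcounts request by system:apiserver that the policy rule quoted in Step 2 should have dropped. The sample audit events are constructed; the assumption that the rule is a `level: None` rule is mine (the `grep -A5` output in the comment does not show the level line), and the helper names `matches_exclude_rule`, `superfluous_entries` and `_event` are hypothetical.

```python
import json

# Exclusion rule from the policy.yaml excerpt in the bug report. The comment's
# grep output does not show the rule's level; "level: None" is an assumption
# consistent with the verified result (no matching lines in any profile).
EXCLUDE_RULE = {
    "level": "None",
    "group": "apiserver.openshift.io",
    "resources": {"apirequestcounts"},  # "apirequestcounts/*" covers subresources too
    "users": {"system:apiserver"},
}


def matches_exclude_rule(event, rule=EXCLUDE_RULE):
    """True if this audit event is one the exclusion rule should have dropped."""
    username = (event.get("user") or {}).get("username")
    ref = event.get("objectRef") or {}
    return (
        username in rule["users"]
        and ref.get("apiGroup") == rule["group"]
        and ref.get("resource") in rule["resources"]
    )


def superfluous_entries(lines):
    """Return audit events present in the log that the exclusion rule should have dropped."""
    found = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # non-JSON log lines are not audit events; skip them
        if event.get("kind") != "Event":
            continue
        if matches_exclude_rule(event):
            found.append(event)
    return found


def _event(username, verb, resource, api_group, name, subresource=None):
    """Build a minimal audit.k8s.io/v1 event (constructed sample data)."""
    ref = {"resource": resource, "apiGroup": api_group, "apiVersion": "v1", "name": name}
    if subresource:
        ref["subresource"] = subresource
    return {
        "kind": "Event",
        "apiVersion": "audit.k8s.io/v1",
        "level": "Metadata",
        "stage": "ResponseComplete",
        "verb": verb,
        "user": {"username": username},
        "objectRef": ref,
    }


# Constructed sample log: two entries the rule should have dropped (one on the
# status subresource), one legitimate read by an admin, and one CRD read whose
# *name* contains "apirequestcounts" (the line the comment's
# "grep -v customresourcedefinitions" had to filter out; here it is never
# matched because objectRef.resource is customresourcedefinitions).
SAMPLE_EVENTS = [
    _event("system:apiserver", "update", "apirequestcounts", "apiserver.openshift.io", "pods.v1"),
    _event("system:apiserver", "update", "apirequestcounts", "apiserver.openshift.io", "pods.v1", "status"),
    _event("kube:admin", "get", "apirequestcounts", "apiserver.openshift.io", "pods.v1"),
    _event("system:apiserver", "get", "customresourcedefinitions", "apiextensions.k8s.io",
           "apirequestcounts.apiserver.openshift.io"),
]
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS) + "\nnot an audit event\n"


if __name__ == "__main__":
    hits = superfluous_entries(SAMPLE_AUDIT_LOG.splitlines())
    # 2 for the constructed sample; a fixed cluster should report 0
    print(f"{len(hits)} superfluous apirequestcount entries")
    for ev in hits:
        print(ev["verb"], ev["objectRef"])
```

To run it against a real cluster, feed `superfluous_entries` the lines of the files under `/var/log/kube-apiserver` collected from each kube-apiserver pod (as the comment's script does with `oc exec`); a non-empty result means the rule is not being applied. Matching on `objectRef.resource` and `user.username` rather than on substrings avoids the false positive the text-based script had to exclude by hand.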