Bug 2060058

Summary: superfluous apirequestcount entries in audit log
Product: OpenShift Container Platform
Reporter: OpenShift BugZilla Robot <openshift-bugzilla-robot>
Component: kube-apiserver
Assignee: Luis Sanchez <sanchezl>
Status: CLOSED ERRATA
QA Contact: jmekkatt
Severity: medium
Docs Contact:
Priority: medium
Version: 4.10
CC: jmekkatt, mfojtik, rgangwar, sanchezl, xxia
Target Milestone: ---
Target Release: 4.10.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-08-01 11:34:48 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2049687
Bug Blocks:

Comment 4 Rahul Gangwar 2022-03-10 06:16:42 UTC
@luis The PR is not yet merged into the openshift:release-4.10 branch. Please merge the changes.
oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.10.0-0.nightly-2022-03-09-224546   True        False         18m     Cluster version is 4.10.0-0.nightly-2022-03-09-224546

kas_pod=$(oc get pods -n openshift-kube-apiserver | grep 'apiserver' | grep -v 'guard'| awk 'NR==1{print $1}')
rahulgangwar@rgangwar-mac verification-tests % oc exec -n openshift-kube-apiserver $kas_pod -- cat /etc/kubernetes/static-pod-resources/configmaps/kube-apiserver-audit-policies/policy.yaml | grep -A5 "group: apiserver"
Defaulting container name to kube-apiserver.
Use 'oc describe pod/kube-apiserver-rgangwar-10de1-gzmw8-master-0.c.openshift-qe.internal -n openshift-kube-apiserver' to see all of the containers in this pod.

Not able to find the apirequestcount definition in the policy.yaml file in 4.10, as shown below for 4.11.
oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.11.0-0.nightly-2022-02-27-122819   True        False         5h38m   Cluster version is 4.11.0-0.nightly-2022-02-27-122819

$ kas_pod=$(oc get pods -n openshift-kube-apiserver | grep 'apiserver' | grep -v 'guard'| awk 'NR==1{print $1}')
$ oc exec -n openshift-kube-apiserver $kas_pod -- cat /etc/kubernetes/static-pod-resources/configmaps/kube-apiserver-audit-policies/policy.yaml | grep -A5 "group: apiserver"
  - group: apiserver.openshift.io
    resources:
    - apirequestcounts
    - apirequestcounts/*
  users:
  - system:apiserver

Comment 9 jmekkatt 2022-07-26 06:31:30 UTC
Inline tests are performed on the fixed build with different kube-apiserver cluster profiles.
 
Step 1 : Get the cluster version
$ oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.10.0-0.nightly-2022-07-25-110002   True        False         22m     Cluster version is 4.10.0-0.nightly-2022-07-25-110002

Step 2 : Check the apirequestcount definition in policy.yaml file.
$ kas_pod=$(oc get pods -n openshift-kube-apiserver | grep 'apiserver' | grep -v 'guard'| awk 'NR==1{print $1}')
$ oc exec -n openshift-kube-apiserver $kas_pod -- cat /etc/kubernetes/static-pod-resources/configmaps/kube-apiserver-audit-policies/policy.yaml | grep -A5 "group: apiserver"
  - group: apiserver.openshift.io
    resources:
    - apirequestcounts
    - apirequestcounts/*
  users:
  - system:apiserver 

Step 3 : Run inline script to check the "apirequestcount" presence in logs.
$ cat check_and_filter_apirequestcount.sh
#!/bin/sh
# Search the audit logs of every kube-apiserver pod for apirequestcount requests
# made by system:apiserver. Hits that only mention the CRD itself
# (customresourcedefinitions/apirequestcounts.apiserver.openshift.io) are excluded.
PATTERN="apirequestcount"
PATTERN_SECOND="system:apiserver"
PATTERN_EXCLUDE="customresourcedefinitions"
KAS_PODS=$(oc get pods -n openshift-kube-apiserver | grep 'apiserver' | grep -v 'guard' | awk '{print $1}')
for i in $KAS_PODS; do
        # grep exits non-zero when nothing matches, so "|| true" keeps the loop going.
        oc exec -n openshift-kube-apiserver "$i" -- grep -iEr "$PATTERN" /var/log/kube-apiserver | grep "$PATTERN_SECOND" | grep -v "$PATTERN_EXCLUDE" || true
done > kas_auditlog_api.log

Step 4 : Checks with "default" cluster profile.

$ oc get apiserver/cluster -ojson | jq .spec.audit
{
  "profile": "Default"
}

$ sh check_and_filter_apirequestcount.sh
$ cat kas_auditlog_api.log | wc -l
0

Step 5 : Repeat Step-3 checks with "WriteRequestBodies" profile.

$ oc patch apiserver cluster -p '{"spec": {"audit": {"profile": "WriteRequestBodies"}}}' --type merge
apiserver.config.openshift.io/cluster patched

$ oc get apiserver/cluster -ojson | jq .spec.audit
{
  "profile": "WriteRequestBodies"
}
$ sh check_and_filter_apirequestcount.sh
$ cat kas_auditlog_api.log | wc -l
0

Step 6 : Repeat Step-3 checks with "AllRequestBodies" profile. 
$ oc patch apiserver cluster -p '{"spec": {"audit": {"profile": "AllRequestBodies"}}}' --type merge
apiserver.config.openshift.io/cluster patched
$ oc get apiserver/cluster -ojson | jq .spec.audit
{
  "profile": "AllRequestBodies"
}
$ sh check_and_filter_apirequestcount.sh
$ cat kas_auditlog_api.log | wc -l
0

Step 7 : Repeat Step-3 checks with "None" profile.
$ oc patch apiserver cluster -p '{"spec": {"audit": {"profile": "None"}}}' --type merge
apiserver.config.openshift.io/cluster patched
$ oc get apiserver/cluster -ojson | jq .spec.audit
{
  "profile": "None"
}
$ sh check_and_filter_apirequestcount.sh
$ cat kas_auditlog_api.log | wc -l
0 

From the above step results, in all of the supported kube-apiserver profiles, the request entries for apirequestcounts requests made by system:apiserver are not part of the audit logs. Hence moved the bug to verified.
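
The following is an added Python model (not code from this bug, from OpenShift or from Kubernetes) of how a kube-apiserver audit policy evaluates the rule shown in Step 2 against constructed audit events, followed by the same grep filter that check_and_filter_apirequestcount.sh applies to the surviving log lines. The rule's level of None and the trailing catch-all Metadata rule are assumptions; the policy.yaml excerpt above only shows the user and resource selectors.

```python
import json
# Rule reconstructed from the policy.yaml excerpt in Step 2; level "None" is an
# assumption (it is what drops the matching events from the audit log).
APIREQUESTCOUNT_RULE = {
    "level": "None", "users": ["system:apiserver"],
    "resources": [{"group": "apiserver.openshift.io", "resources": ["apirequestcounts", "apirequestcounts/*"]}],
}
POLICY = (APIREQUESTCOUNT_RULE, {"level": "Metadata"})  # catch-all stand-in for the rest of the profile (assumed)

def resource_matches(selector, obj):
    """Kubernetes audit-policy resource matching: 'res', 'res/*', '*/sub' and '*'."""
    if selector["group"] != obj.get("apiGroup", ""):
        return False
    res, sub = obj["resource"], obj.get("subresource", "")
    combined = f"{res}/{sub}" if sub else res
    return any(pat in (combined, "*")
               or (sub and pat.startswith("*/") and pat[2:] == sub)
               or (pat.endswith("/*") and pat[:-2] == res)
               for pat in selector["resources"])

def audit_level(event, policy=POLICY):
    """First matching rule wins; an event that matches no rule is not logged."""
    for rule in policy:
        if "users" in rule and event["user"]["username"] not in rule["users"]:
            continue
        if "resources" in rule:
            obj = event.get("objectRef")
            if not obj or not any(resource_matches(s, obj) for s in rule["resources"]):
                continue
        return rule["level"]
    return "None"

def kept_log_lines(events, policy=POLICY):
    # One JSON line per event the policy does not drop: what reaches /var/log/kube-apiserver.
    return [json.dumps(e) for e in events if audit_level(e, policy) != "None"]

def grep_style_count(lines):
    # The same filter as check_and_filter_apirequestcount.sh, applied to those lines.
    return sum(1 for l in lines if "apirequestcount" in l.lower()
               and "system:apiserver" in l and "customresourcedefinitions" not in l)

SAMPLE_EVENTS = [  # constructed audit events, not captured from a real cluster
    {"user": {"username": "system:apiserver"}, "verb": "update",  # dropped by the rule
     "objectRef": {"apiGroup": "apiserver.openshift.io", "resource": "apirequestcounts", "subresource": "status"}},
    {"user": {"username": "system:apiserver"}, "verb": "get",  # kept: this is why the script excludes CRDs
     "objectRef": {"apiGroup": "apiextensions.k8s.io", "resource": "customresourcedefinitions", "name": "apirequestcounts.apiserver.openshift.io"}},
    {"user": {"username": "kube:admin"}, "verb": "list",  # kept: user traffic is still audited
     "objectRef": {"apiGroup": "apiserver.openshift.io", "resource": "apirequestcounts"}},
]
```

Running the policy without the first rule (only the catch-all) reproduces the pre-fix state, in which the system:apiserver status update survives and the grep filter counts one superfluous entry.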

Comment 12 errata-xmlrpc 2022-08-01 11:34:48 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.25 bug fix and security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5730