Bug 2149627

Summary: Deprecated gpu-operator API call
Product: Container Native Virtualization (CNV) Reporter: Yossi Segev <ysegev>
Component: VirtualizationAssignee: Vladik Romanovsky <vromanso>
Status: CLOSED ERRATA QA Contact: Kedar Bidarkar <kbidarka>
Severity: high Docs Contact:
Priority: high    
Version: 4.11.1CC: fdeutsch, fdupont, jpeimer, kbidarka
Target Milestone: ---   
Target Release: 4.13.1   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-06-20 13:41:05 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Yossi Segev 2022-11-30 12:45:30 UTC 
Description of problem:
Deprecated gpu-operator API call


Version-Release number of selected component (if applicable):
CNV 4.11.1-92


Steps to Reproduce:
1. Run cnv-test's test_deprecated_apis_in_audit_logs


Actual results:
tests.deprecated_api.test_deprecation_audit_logs.DeprecatedAPIError: Component: gpu-operator/v0.0.0 (linux/amd64) kubernetes/$Format


Calls:
    {'kind': 'Event', 'apiVersion': 'audit.k8s.io/v1', 'level': 'Metadata', 'auditID': '580fb685-ea0c-4ea1-b62f-ddea1cd208ca', 'stage': 'ResponseComplete', 'requestURI': '/apis/policy/v1beta1/podsecuritypolicies/gpu-operator-privileged', 'verb': 'delete', 'user': {'username': 'system:serviceaccount:nvidia-gpu-operator:gpu-operator', 'uid': '6a3bd614-77d3-4110-b843-f44d4b0d2fe3', 'groups': ['system:serviceaccounts', 'system:serviceaccounts:nvidia-gpu-operator', 'system:authenticated'], 'extra': {'authentication.kubernetes.io/pod-name': ['gpu-operator-7d46cdf9d7-27zmt'], 'authentication.kubernetes.io/pod-uid': ['96991cb8-450d-42e4-be68-3ab057d2c471']}}, 'sourceIPs': ['10.9.96.81'], 'userAgent': 'gpu-operator/v0.0.0 (linux/amd64) kubernetes/$Format', 'objectRef': {'resource': 'podsecuritypolicies', 'name': 'gpu-operator-privileged', 'apiGroup': 'policy', 'apiVersion': 'v1beta1'}, 'responseStatus': {'metadata': {}, 'status': 'Failure', 'message': 'podsecuritypolicies.policy "gpu-operator-privileged" not found', 'reason': 'NotFound', 'details': {'name': 'gpu-operator-privileged', 'group': 'policy', 'kind': 'podsecuritypolicies'}, 'code': 404}, 'requestReceivedTimestamp': '2022-11-29T15:42:57.570973Z', 'stageTimestamp': '2022-11-29T15:42:57.572602Z', 'annotations': {'authorization.k8s.io/decision': 'allow', 'authorization.k8s.io/reason': 'RBAC: allowed by ClusterRoleBinding "gpu-operator-certified.v22.9.0-776d5fcf49" of ClusterRole "gpu-operator-certified.v22.9.0-776d5fcf49" to ServiceAccount "gpu-operator/nvidia-gpu-operator"', 'k8s.io/deprecated': 'true', 'k8s.io/removed-release': '1.25'}}
Comment 1 Petr Horáček 2022-12-08 10:06:47 UTC 
Moving to virt since it is connected to GPU operator.
Comment 2 sgott 2022-12-14 13:31:49 UTC 
Vladik, could you take a look?
Comment 4 Fabian Deutsch 2023-01-11 13:41:08 UTC 
I think this is a GPU Operator bug.
It seems that the NV GPU Operator is using PodSecurityPolicies (PSP) which are now deprecated.

@fdupont thoughts?
Comment 5 Jenia Peimer 2023-02-22 12:18:40 UTC 
New comment on GitHub: https://github.com/NVIDIA/gpu-operator/issues/451#issuecomment-1439914223
```
shivamerla commented 8 minutes ago
@jpeimer Yes, PSP resource creation is retained in the code for orchestrators like VMware Tanzu, but not used for OCP. The audit log seems to be generated because we are trying to delete this resource for OCP as well. Will fix this as part of 23.03 release in March.
```
Comment 6 Jenia Peimer 2023-04-05 10:32:28 UTC 
New comment on GitHub: https://github.com/NVIDIA/gpu-operator/issues/451#issuecomment-1496993975
```
shivamerla commented 3 hours ago • 
@jpeimer this has been fixed with v23.3.0, please try out and re-open if you still see this issue.
https://docs.nvidia.com/datacenter/cloud-native/gpu-operator/release-notes.html
```
Comment 8 Kedar Bidarkar 2023-05-29 13:59:50 UTC 
No deprecated_apis_in_audit_logs seen in 4.13

Verified with v23.3.1
Comment 14 errata-xmlrpc 2023-06-20 13:41:05 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Virtualization 4.13.1 Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2023:3686
Comment 15 Red Hat Bugzilla 2023-10-19 04:25:07 UTC 
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days