Description of problem:
https://github.com/openshift/openshift-ansible/issues/11004
https://github.com/openshift/openshift-ansible/pull/11015

The openshift_control_plane "Check for file paths outside of /etc/origin/master in master's config" fails on auditConfig policyConfiguration that includes nonResourceURLs specifications by interpreting these as file paths.

Request to include the above fix #11015

Version-Release number of the following components:
rpm -q openshift-ansible
rpm -q ansible
ansible --version

How reproducible:

1. Start with a master with /etc/origin/master/master-config.yaml containing:

    auditConfig:
      auditFilePath: /var/log/origin/audit.log
      enabled: true
      logFormat: json
      policyConfiguration:
        apiVersion: audit.k8s.io/v1beta1
        omitStages:
        - RequestReceived
        rules:
        - level: Metadata
          nonResourceURLs:
          - /login*
          - /oauth*

2. Run openshift-ansible deploy

Actual results:
Please include the entire output from the last TASK line through the end of output if an error is generated

Expected results:

Additional info:
Please attach logs from ansible-playbook with the -vvv flag
Fix is available in openshift-ansible-3.11.73-1
Could reproduce this bug with openshift-ansible-3.11.59-1.

When master has such auditConfig field configured in master-config.yaml:

    auditConfig:
      auditFilePath: /var/log/origin/audit.log
      enabled: true
      logFormat: json
      policyConfiguration:
        apiVersion: audit.k8s.io/v1beta1
        omitStages:
        - RequestReceived
        rules:
        - level: Metadata
          nonResourceURLs:
          - /login*
          - /oauth*

Run openshift-ansible/playbooks/byo/openshift_facts.yml playbook, it would fail as below.

    TASK [openshift_control_plane : Check for file paths outside of /etc/origin/master in master's config] **********************************************************************
    fatal: [ec2-3-81-139-156.compute-1.amazonaws.com]: FAILED! => {"msg": "A string value that appears to be a file path located outside of\n/dev/null, /etc/origin/master/, /var/lib/origin, /etc/origin/cloudprovider, /etc/origin/kubelet-plugins, /usr/libexec/kubernetes/kubelet-plugins, /var/log/origin has been found in /etc/origin/master/master-config.yaml.\nIn 3.10 and newer, all files needed by the master must reside inside of\nthose directories or a subdirectory or it will not be readable by the\nmaster process. Please migrate all files needed by the master into\none of /dev/null, /etc/origin/master/, /var/lib/origin, /etc/origin/cloudprovider, /etc/origin/kubelet-plugins, /usr/libexec/kubernetes/kubelet-plugins, /var/log/origin or a subdirectory and update your master configs before\nproceeding. The string found was: /login*\n***********************\nNOTE: the following items do not need to be migrated, they will be migrated\nfor you: oauthConfig.identityProviders"}

Tried again with openshift-ansible-3.11.75-1.git.0.95e8e2a.el7.noarch, this step could pass.

    TASK [openshift_control_plane : Check for file paths outside of /etc/origin/master in master's config] **********************************************************************
    ok: [ec2-3-81-139-156.compute-1.amazonaws.com] => {"changed": false, "msg": "Aight, configs looking good"}
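Added example, not part of the original comments and not the openshift-ansible code: a minimal value-only path check that reproduces the false positive on nonResourceURLs, next to a key-aware variant that skips that key. The function names, the NON_PATH_KEYS exemption and the sample data are assumptions for illustration; the allowed directories are taken from the error message above.

```python
# Added illustration; not the openshift-ansible implementation.
# Allowed directories are copied from the error message on this page.
ALLOWED_DIRS = (
    "/dev/null", "/etc/origin/master/", "/var/lib/origin",
    "/etc/origin/cloudprovider", "/etc/origin/kubelet-plugins",
    "/usr/libexec/kubernetes/kubelet-plugins", "/var/log/origin",
)
# Assumption: keys whose values are URL patterns, never file paths.
NON_PATH_KEYS = ("nonResourceURLs",)

# Constructed sample: the auditConfig from the report, as parsed YAML.
SAMPLE_CONFIG = {
    "auditConfig": {
        "auditFilePath": "/var/log/origin/audit.log",
        "enabled": True,
        "logFormat": "json",
        "policyConfiguration": {
            "apiVersion": "audit.k8s.io/v1beta1",
            "omitStages": ["RequestReceived"],
            "rules": [{"level": "Metadata",
                       "nonResourceURLs": ["/login*", "/oauth*"]}],
        },
    }
}

def looks_like_outside_path(value):
    """Naive heuristic: an absolute-looking string outside ALLOWED_DIRS."""
    return (isinstance(value, str) and value.startswith("/")
            and not value.startswith(ALLOWED_DIRS))

def find_outside_paths(node, skip_keys=()):
    """Walk dicts and lists, returning every string the heuristic flags."""
    hits = []
    if isinstance(node, dict):
        for key, child in node.items():
            if key not in skip_keys:  # key-aware exemption
                hits.extend(find_outside_paths(child, skip_keys))
    elif isinstance(node, list):
        for child in node:
            hits.extend(find_outside_paths(child, skip_keys))
    elif looks_like_outside_path(node):
        hits.append(node)
    return hits

if __name__ == "__main__":
    print("value-only check:", find_outside_paths(SAMPLE_CONFIG))
    print("key-aware check: ", find_outside_paths(SAMPLE_CONFIG, NON_PATH_KEYS))
```

The exemption is by key name only, so a real file path under any other key is still checked against the allowed directories.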
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:0326