Bug 1862426 - gather the audit logs for oauth apiserver
Summary: gather the audit logs for oauth apiserver
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: oc
Version: 4.6
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: 4.6.0
Assignee: Luis Sanchez
QA Contact: RamaKasturi
URL:
Whiteboard:
Duplicates: 1867903
Depends On:
Blocks:
Reported: 2020-07-31 12:19 UTC by Lukasz Szaszkiewicz
Modified: 2020-10-27 16:22 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-10-27 16:21:52 UTC
Target Upstream Version:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | openshift must-gather pull 144 | 0 | None | closed | Bug 1862426: gather the audit logs for oauth apiserver | 2021-01-29 13:46:07 UTC
Github | openshift origin pull 25369 | 0 | None | closed | Bug 1862426: gather the audit logs for oauth apiserver | 2021-01-29 13:46:08 UTC
Red Hat Product Errata | RHBA-2020:4196 | 0 | None | None | None | 2020-10-27 16:22:11 UTC

Description Lukasz Szaszkiewicz 2020-07-31 12:19:08 UTC
I have already opened https://github.com/openshift/must-gather/pull/164 but it's not clear whether it's the desired direction.

Thus I decided to create this BZ as a reminder for us.

Comment 1 Eric Rich 2020-08-01 13:40:35 UTC
https://github.com/openshift/must-gather/pull/144/files tracks the direction we want to take.

Comment 2 Maciej Szulik 2020-08-11 14:26:43 UTC
*** Bug 1867903 has been marked as a duplicate of this bug. ***

Comment 6 RamaKasturi 2020-08-27 12:49:17 UTC
Tried verifying on openshift-client-linux-4.6.0-0.nightly-2020-08-27-005538, but did not find oauth apiserver logs; will check again on Monday.

[ramakasturinarra@dhcp35-60 ~]$ /home/ramakasturinarra/Downloads/openshift-client-linux-4.6.0-0.nightly-2020-08-27-005538/oc version -o yaml
clientVersion:
  buildDate: "2020-08-26T20:41:40Z"
  compiler: gc
  gitCommit: 931d20f944565ad2eadea9afecddbe657e164267
  gitTreeState: clean
  gitVersion: openshift-clients-4.6.0-202006250705.p0-90-g931d20f94
  goVersion: go1.14.4
  major: ""
  minor: ""
  platform: linux/amd64
openshiftVersion: 4.6.0-0.nightly-2020-08-27-005538
releaseClientVersion: 4.6.0-0.nightly-2020-08-27-005538
serverVersion:
  buildDate: "2020-08-26T13:26:15Z"
  compiler: gc
  gitCommit: f71a7ab366cffe1f76b48f2959de47bc71053c4f
  gitTreeState: dirty
  gitVersion: v1.19.0-rc.2+f71a7ab-dirty
  goVersion: go1.14.4
  major: "1"
  minor: 19+
  platform: linux/amd64

Comment 7 RamaKasturi 2020-08-31 13:40:58 UTC
Could not verify this issue today as there is no Accepted build for 4.6 from last Friday.

Comment 8 Lukasz Szaszkiewicz 2020-09-01 11:09:56 UTC
@Rama for your information, I have noticed that a few new 4.6 images were accepted today.

Comment 9 Maciej Szulik 2020-09-02 09:19:44 UTC
I see the actual PR adding that capability is still in queue: https://github.com/openshift/must-gather/pull/144
Moving back to POST.

Comment 11 RamaKasturi 2020-09-25 13:12:46 UTC
Verified the bug with the payload below, and I see the oauth-apiserver logs are being collected when running oc adm must-gather -- /usr/bin/gather_audit_logs

[ramakasturinarra@dhcp35-60 openshift-client-linux-4.6.0-0.nightly-2020-09-25-014731]$ ./oc version -o yaml
clientVersion:
  buildDate: "2020-09-24T05:59:06Z"
  compiler: gc
  gitCommit: 61364f0509c577eebb26e4377c190623a38aba12
  gitTreeState: clean
  gitVersion: openshift-clients-4.6.0-202006250705.p0-150-g61364f050
  goVersion: go1.14.4
  major: ""
  minor: ""
  platform: linux/amd64
openshiftVersion: 4.6.0-0.nightly-2020-09-25-014731
releaseClientVersion: 4.6.0-0.nightly-2020-09-25-014731
serverVersion:
  buildDate: "2020-09-24T13:29:40Z"
  compiler: gc
  gitCommit: 359dd790a64aa35b626a6a081abddd7db9e2dd37
  gitTreeState: clean
  gitVersion: v1.19.0+359dd79
  goVersion: go1.15.0
  major: "1"
  minor: "19"
  platform: linux/amd64

[ramakasturinarra@dhcp35-60 quay-io-openshift-release-dev-ocp-v4-0-art-dev-sha256-33485bb4fd1f7c442f3d95f7326d8a84ea0f450d10c4268f488b0a44fedd3a72]$ cd audit_logs/
[ramakasturinarra@dhcp35-60 audit_logs]$ ls -l
total 24
drwxr-xr-x. 2 ramakasturinarra ramakasturinarra 4096 Sep 25 18:13 kube-apiserver
-rw-r--r--. 1 ramakasturinarra ramakasturinarra 2353 Sep 25 18:10 kube-apiserver.audit_logs_listing
drwxr-xr-x. 2 ramakasturinarra ramakasturinarra 4096 Sep 25 18:15 oauth-apiserver
-rw-r--r--. 1 ramakasturinarra ramakasturinarra  174 Sep 25 18:10 oauth-apiserver.audit_logs_listing
drwxr-xr-x. 2 ramakasturinarra ramakasturinarra 4096 Sep 25 18:13 openshift-apiserver
-rw-r--r--. 1 ramakasturinarra ramakasturinarra  174 Sep 25 18:10 openshift-apiserver.audit_logs_listing
[ramakasturinarra@dhcp35-60 audit_logs]$ cd oauth-apiserver/
[ramakasturinarra@dhcp35-60 oauth-apiserver]$ ls -l
total 6836
-rw-r--r--. 1 ramakasturinarra ramakasturinarra 6331410 Sep 25 18:11 ip-10-0-155-142.ap-northeast-1.compute.internal-audit.log
-rw-r--r--. 1 ramakasturinarra ramakasturinarra  328199 Sep 25 18:11 ip-10-0-187-116.ap-northeast-1.compute.internal-audit.log.gz
-rw-r--r--. 1 ramakasturinarra ramakasturinarra  335209 Sep 25 18:11 ip-10-0-195-170.ap-northeast-1.compute.internal-audit.log.gz


Based on the above, moving the bug to verified state.
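
A completeness check for the audit_logs layout listed in Comment 11, added here as an example; it is not part of the original bug report or of the must-gather project. The function name check_audit_logs and the *.log / *.log.gz file patterns are assumptions taken from that listing.

```shell
#!/bin/sh
# Added example: verify that a must-gather audit_logs directory contains
# audit logs for all three API servers shown in Comment 11.
# Assumed layout (from the listing in the bug):
#   audit_logs/<component>.audit_logs_listing
#   audit_logs/<component>/<node>-audit.log[.gz]

COMPONENTS="kube-apiserver oauth-apiserver openshift-apiserver"

# check_audit_logs DIR
# Prints one status line per finding. Returns 0 only if every component
# has a listing file and at least one non-empty, readable audit log.
check_audit_logs() {
    dir=$1
    rc=0
    for c in $COMPONENTS; do
        if [ ! -f "$dir/$c.audit_logs_listing" ]; then
            echo "MISSING listing: $c"; rc=1
        fi
        count=0
        for f in "$dir/$c"/*.log "$dir/$c"/*.log.gz; do
            [ -e "$f" ] || continue        # an unmatched glob stays literal
            if [ ! -s "$f" ]; then
                echo "EMPTY log: $f"; rc=1; continue
            fi
            case $f in
                *.gz)                      # rotated logs arrive compressed
                    if ! gzip -t "$f" 2>/dev/null; then
                        echo "CORRUPT gzip: $f"; rc=1; continue
                    fi ;;
            esac
            count=$((count + 1))
        done
        if [ "$count" -eq 0 ]; then
            echo "NO audit logs: $c"; rc=1
        else
            echo "OK $c: $count log file(s)"
        fi
    done
    return $rc
}

# Stand-alone use: pass the audit_logs directory as the first argument.
if [ "$#" -gt 0 ]; then check_audit_logs "$1"; fi
```

A non-zero return for oauth-apiserver on a build that should include the fix reproduces the situation reported in Comment 6.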

Comment 13 errata-xmlrpc 2020-10-27 16:21:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196

