The check-endpoints tool is currently running using the credentials of the cert-syncer tool. It should use its own set of credentials.
Verification as below:

$ oc version
Client Version: 4.6.0-202009040605.p0-f2a4a03
Server Version: 4.6.0-0.nightly-2020-09-15-063156
Kubernetes Version: v1.19.0+35ab7c5

$ oc get ClusterRole/system:openshift:controller:check-endpoints
NAME                                          CREATED AT
system:openshift:controller:check-endpoints   2020-09-15T11:53:20Z

$ oc get ClusterRoleBinding/system:openshift:controller:kube-apiserver-check-endpoints
NAME                                                         ROLE                                AGE
system:openshift:controller:kube-apiserver-check-endpoints   ClusterRole/system:auth-delegator   15h

$ oc get RoleBinding/system:openshift:controller:kube-apiserver-check-endpoints -n kube-system
NAME                                                         ROLE                                             AGE
system:openshift:controller:kube-apiserver-check-endpoints   Role/extension-apiserver-authentication-reader   15h

$ oc get RoleBinding/system:openshift:controller:check-endpoints -n openshift-kube-apiserver
NAME                                          ROLE                                                      AGE
system:openshift:controller:check-endpoints   ClusterRole/system:openshift:controller:check-endpoints   15h

$ oc get pod kube-apiserver-kewang1565-9n24f-master-0 -n openshift-kube-apiserver -oyaml | grep -C2 "check-endpoints-kubeconfig"
  - args:
    - --kubeconfig
    - /etc/kubernetes/static-pod-certs/configmaps/check-endpoints-kubeconfig/kubeconfig
    - --listen
    - 0.0.0.0:17697

$ oc get configmap/check-endpoints-kubeconfig -n openshift-kube-apiserver -o yaml | grep -C1 "check-endpoints"
        cluster: loopback
        user: check-endpoints
      name: check-endpoints
    current-context: check-endpoints
    kind: Config
--
    users:
    - name: check-endpoints
      user:
        client-certificate: /etc/kubernetes/static-pod-certs/secrets/check-endpoints-client-cert-key/tls.crt
        client-key: /etc/kubernetes/static-pod-certs/secrets/check-endpoints-client-cert-key/tls.key
kind: ConfigMap
--
    time: "2020-09-15T11:53:24Z"
  name: check-endpoints-kubeconfig
  namespace: openshift-kube-apiserver
  resourceVersion: "5747"
  selfLink: /api/v1/namespaces/openshift-kube-apiserver/configmaps/check-endpoints-kubeconfig

All changes were applied on kube-apiserver as expected; moving the bug to VERIFIED.
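The verification above checks by hand that the check-endpoints kubeconfig resolves to its own user and its own client certificate. The script below is an added example (not part of the bug report, and not OpenShift's own code) that automates that check over a set of static-pod kubeconfigs: it follows current-context to the user entry, confirms the user and its cert/key secret are named for the tool, and flags any cert/key pair shared by more than one tool, which is the condition the bug describes. The check-endpoints kubeconfig mirrors the one in the verification output (the server URL is added, since the grep output did not show it); the cert-syncer user name and secret directory, and the "before the fix" kubeconfig, are constructed for the example and are not values taken from a cluster. The naming rule in uses_own_identity is a heuristic for this example, not a platform guarantee.

```python
"""Audit static-pod kubeconfigs for tools that borrow another tool's credentials."""
import json


def make_kubeconfig(user, secret_dir):
    """Build a minimal kubeconfig whose single user authenticates with the
    client cert/key stored under the given static-pod secret directory."""
    base = "/etc/kubernetes/static-pod-certs/secrets/" + secret_dir
    return {
        "kind": "Config",
        "clusters": [{"name": "loopback", "cluster": {"server": "https://localhost:6443"}}],
        "users": [{"name": user, "user": {
            "client-certificate": base + "/tls.crt",
            "client-key": base + "/tls.key"}}],
        "contexts": [{"name": user, "context": {"cluster": "loopback", "user": user}}],
        "current-context": user,
    }


# Mirrors the check-endpoints kubeconfig from the verification output, in JSON
# form (YAML is a superset of JSON, so the standard library can parse it).
CHECK_ENDPOINTS_FIXED = json.loads("""{
  "kind": "Config",
  "clusters": [{"name": "loopback", "cluster": {"server": "https://localhost:6443"}}],
  "users": [{"name": "check-endpoints", "user": {
    "client-certificate": "/etc/kubernetes/static-pod-certs/secrets/check-endpoints-client-cert-key/tls.crt",
    "client-key": "/etc/kubernetes/static-pod-certs/secrets/check-endpoints-client-cert-key/tls.key"}}],
  "contexts": [{"name": "check-endpoints", "context": {"cluster": "loopback", "user": "check-endpoints"}}],
  "current-context": "check-endpoints"
}""")

# Constructed stand-in for the cert-syncer kubeconfig: the user name and secret
# directory are assumptions for this example, not values read from a cluster.
CERT_SYNCER = make_kubeconfig("cert-syncer", "cert-syncer-client-cert-key")

# Constructed reproduction of the reported state: a check-endpoints context that
# authenticates with cert-syncer's certificate and key.
CHECK_ENDPOINTS_BEFORE_FIX = make_kubeconfig("check-endpoints", "cert-syncer-client-cert-key")


def resolve_identity(kubeconfig):
    """Follow current-context -> context.user -> users[] and return
    (user name, client-certificate path, client-key path)."""
    ctx_name = kubeconfig["current-context"]
    ctx = next(c for c in kubeconfig["contexts"] if c["name"] == ctx_name)["context"]
    user = next(u for u in kubeconfig["users"] if u["name"] == ctx["user"])["user"]
    return ctx["user"], user["client-certificate"], user["client-key"]


def uses_own_identity(tool, kubeconfig):
    """Heuristic (an assumption of this example): the resolved user is named
    after the tool and its cert/key live under a secret directory carrying
    the tool name."""
    user, cert, key = resolve_identity(kubeconfig)
    return user == tool and tool in cert and tool in key


def find_shared_credentials(kubeconfigs):
    """Map (cert, key) -> [tool names] for every pair used by more than one tool.
    An empty result means no two tools share a client identity."""
    owners = {}
    for tool, cfg in kubeconfigs.items():
        _, cert, key = resolve_identity(cfg)
        owners.setdefault((cert, key), []).append(tool)
    return {pair: tools for pair, tools in owners.items() if len(tools) > 1}


def audit(kubeconfigs):
    """Return human-readable findings; an empty list means every tool in the
    mapping authenticates with its own, unshared credentials."""
    findings = []
    for tool, cfg in kubeconfigs.items():
        if not uses_own_identity(tool, cfg):
            user, cert, _ = resolve_identity(cfg)
            findings.append(f"{tool}: authenticates as {user!r} with {cert}")
    for (cert, _), tools in find_shared_credentials(kubeconfigs).items():
        findings.append(f"shared client cert {cert} used by {', '.join(sorted(tools))}")
    return findings


if __name__ == "__main__":
    before = {"check-endpoints": CHECK_ENDPOINTS_BEFORE_FIX, "cert-syncer": CERT_SYNCER}
    after = {"check-endpoints": CHECK_ENDPOINTS_FIXED, "cert-syncer": CERT_SYNCER}
    print("before fix:", audit(before) or "clean")
    print("after fix: ", audit(after) or "clean")
```

Against a live cluster the mapping would be filled from the kubeconfig ConfigMaps that the static pod mounts (for check-endpoints, the one read with `oc get configmap/check-endpoints-kubeconfig -n openshift-kube-apiserver -o yaml` above); the RBAC side of the verification, that the check-endpoints user is bound to its own ClusterRole rather than inheriting cert-syncer's, is a separate check against the RoleBindings listed in the comment.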
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:4196