Bug 1868801 - check-endpoints should use minimal credentials
Summary: check-endpoints should use minimal credentials
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: kube-apiserver
Version: 4.6
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Target Release: 4.6.0
Assignee: Luis Sanchez
QA Contact: Ke Wang
Depends On:
Reported: 2020-08-13 20:19 UTC by Luis Sanchez
Modified: 2020-09-16 03:47 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed:
Target Upstream Version:


External Tracker:
System: Github openshift cluster-kube-apiserver-operator pull 931
Priority: None
Status: closed
Summary: Bug 1868801: check-endpoints should use minimal credentials
Last Updated: 2020-09-15 10:30:04 UTC

Description Luis Sanchez 2020-08-13 20:19:49 UTC
The check-endpoints tool is currently running using the credentials for the cert-syncer tool. It should use its own set of credentials.

Comment 3 Ke Wang 2020-09-16 03:47:39 UTC
Verification as below:

$ oc version
Client Version: 4.6.0-202009040605.p0-f2a4a03
Server Version: 4.6.0-0.nightly-2020-09-15-063156
Kubernetes Version: v1.19.0+35ab7c5

$ oc get ClusterRole/system:openshift:controller:check-endpoints
NAME                                          CREATED AT
system:openshift:controller:check-endpoints   2020-09-15T11:53:20Z

$ oc get ClusterRoleBinding/system:openshift:controller:kube-apiserver-check-endpoints
NAME                                                         ROLE                                AGE
system:openshift:controller:kube-apiserver-check-endpoints   ClusterRole/system:auth-delegator   15h

$ oc get RoleBinding/system:openshift:controller:kube-apiserver-check-endpoints -n kube-system
NAME                                                         ROLE                                             AGE
system:openshift:controller:kube-apiserver-check-endpoints   Role/extension-apiserver-authentication-reader   15h

$ oc get RoleBinding/system:openshift:controller:check-endpoints -n openshift-kube-apiserver
NAME                                          ROLE                                                      AGE
system:openshift:controller:check-endpoints   ClusterRole/system:openshift:controller:check-endpoints   15h

$ oc get pod kube-apiserver-kewang1565-9n24f-master-0 -n openshift-kube-apiserver -oyaml | grep -C2 "check-endpoints-kubeconfig"
  - args:
    - --kubeconfig
    - /etc/kubernetes/static-pod-certs/configmaps/check-endpoints-kubeconfig/kubeconfig
    - --listen
$ oc get configmap/check-endpoints-kubeconfig -n openshift-kube-apiserver -o yaml | grep -C1 "check-endpoints"
          cluster: loopback
          user: check-endpoints
        name: check-endpoints
    current-context: check-endpoints
    kind: Config
      - name: check-endpoints
          client-certificate: /etc/kubernetes/static-pod-certs/secrets/check-endpoints-client-cert-key/tls.crt
          client-key: /etc/kubernetes/static-pod-certs/secrets/check-endpoints-client-cert-key/tls.key
kind: ConfigMap
    time: "2020-09-15T11:53:24Z"
  name: check-endpoints-kubeconfig
  namespace: openshift-kube-apiserver
  resourceVersion: "5747"
  selfLink: /api/v1/namespaces/openshift-kube-apiserver/configmaps/check-endpoints-kubeconfig

All changes were applied on kube-apiserver as expected; moving the bug to verified.
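The kubeconfig checks from the verification above, turned into a regression script that fails if the check-endpoints identity ever falls back to the cert-syncer credentials. This is an added example, not part of the bug report or of cluster-kube-apiserver-operator; it assumes the kubeconfig has been extracted to a file, and the cert-syncer secret name in the negative sample is a placeholder.

```shell
#!/bin/sh
# Acceptance check for this bug: the check-endpoints kubeconfig must select its own
# context/user, load cert and key from the check-endpoints-client-cert-key secret,
# and carry no leftover reference to the cert-syncer credentials it borrowed before.

check_endpoints_creds_ok() {
  kc="$1"
  dir='/etc/kubernetes/static-pod-certs/secrets/check-endpoints-client-cert-key'
  # 1. The active context must be the dedicated check-endpoints identity.
  grep -q '^current-context: check-endpoints$' "$kc" || return 1
  # 2. Certificate and key must both come from the dedicated secret mount.
  grep -q "^ *client-certificate: $dir/tls\.crt$" "$kc" || return 1
  grep -q "^ *client-key: $dir/tls\.key$" "$kc" || return 1
  # 3. Nothing may still point at the cert-syncer credentials (the pre-fix state).
  ! grep -q 'cert-syncer' "$kc"
}

# Constructed kubeconfig mirroring the post-fix layout shown in the verification.
GOOD_KUBECONFIG=$(mktemp)
cat > "$GOOD_KUBECONFIG" <<'EOF'
apiVersion: v1
kind: Config
contexts:
- context:
    cluster: loopback
    user: check-endpoints
  name: check-endpoints
current-context: check-endpoints
users:
- name: check-endpoints
  user:
    client-certificate: /etc/kubernetes/static-pod-certs/secrets/check-endpoints-client-cert-key/tls.crt
    client-key: /etc/kubernetes/static-pod-certs/secrets/check-endpoints-client-cert-key/tls.key
EOF
# Constructed pre-fix layout: the tool rides on the cert-syncer identity (secret name is a placeholder).
BAD_KUBECONFIG=$(mktemp)
cat > "$BAD_KUBECONFIG" <<'EOF'
kind: Config
current-context: cert-syncer
users:
- name: cert-syncer
  user:
    client-certificate: /etc/kubernetes/static-pod-certs/secrets/cert-syncer-client-cert-key/tls.crt
    client-key: /etc/kubernetes/static-pod-certs/secrets/cert-syncer-client-cert-key/tls.key
EOF
trap 'rm -f "$GOOD_KUBECONFIG" "$BAD_KUBECONFIG"' EXIT

check_endpoints_creds_ok "$GOOD_KUBECONFIG" && echo "post-fix kubeconfig: ok"
check_endpoints_creds_ok "$BAD_KUBECONFIG" || echo "pre-fix kubeconfig: rejected"
```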
