Bug 1888308

Summary: p&f: make SAR traffic from oauth and openshift apiserver exempt
Product: OpenShift Container Platform
Reporter: Abu Kashem <akashem>
Component: kube-apiserver
Assignee: Stefan Schimanski <sttts>
Status: CLOSED DUPLICATE
QA Contact: Ke Wang <kewang>
Severity: urgent
Priority: unspecified
Version: 4.5
CC: aos-bugs, mfojtik, scuppett, xxia
Last Closed: 2020-10-14 14:57:54 UTC
Type: Bug

Description Abu Kashem 2020-10-14 14:37:58 UTC
p&f: make SAR traffic from oauth and openshift apiserver exempt

This is what the flow schema would look like:
apiVersion: flowcontrol.apiserver.k8s.io/v1alpha1
kind: FlowSchema
metadata:
  name: openshift-oauth-apiserver-sar
spec:
  distinguisherMethod:
    type: ByUser
  matchingPrecedence: 2
  priorityLevelConfiguration:
    name: exempt
  rules:
  - resourceRules:
    - apiGroups:
      - authorization.k8s.io
      clusterScope: true
      namespaces:
      - '*'
      resources:
      - subjectaccessreviews
      verbs:
      - '*'
    - apiGroups:
      - authentication.k8s.io
      clusterScope: true
      namespaces:
      - '*'
      resources:
      - tokenreviews
      verbs:
      - '*'
    subjects:
    - kind: ServiceAccount
      serviceAccount:
        name: oauth-apiserver-sa
        namespace: openshift-oauth-apiserver
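
Added example, not part of the original bug report or of OpenShift code: a simplified Python model of how API Priority and Fairness matches a request against the FlowSchema above, showing which requests would land in the exempt priority level and which would not. The dict transcription, function names and sample requests are constructed for illustration; User/Group subjects and the serviceAccount name wildcard are not modelled.

```python
# Added example: simplified model of FlowSchema matching, not kube-apiserver code.
FLOW_SCHEMA = {  # the spec from the description, transcribed as a dict
    "name": "openshift-oauth-apiserver-sar",
    "priorityLevel": "exempt",
    "rules": [{
        "subjects": [{"kind": "ServiceAccount",
                      "serviceAccount": {"name": "oauth-apiserver-sa",
                                         "namespace": "openshift-oauth-apiserver"}}],
        "resourceRules": [
            {"apiGroups": ["authorization.k8s.io"], "resources": ["subjectaccessreviews"],
             "verbs": ["*"], "clusterScope": True, "namespaces": ["*"]},
            {"apiGroups": ["authentication.k8s.io"], "resources": ["tokenreviews"],
             "verbs": ["*"], "clusterScope": True, "namespaces": ["*"]},
        ],
    }],
}

def _in(values, item):
    """A list matches an item if it names it or contains the '*' wildcard."""
    return "*" in values or item in values

def subject_matches(subject, user):
    if subject["kind"] != "ServiceAccount":
        return False  # User and Group subjects are outside this sketch
    sa = subject["serviceAccount"]
    return user == f"system:serviceaccount:{sa['namespace']}:{sa['name']}"

def resource_rule_matches(rule, req):
    if not (_in(rule["verbs"], req["verb"]) and _in(rule["apiGroups"], req["apiGroup"])
            and _in(rule["resources"], req["resource"])):
        return False
    if req["namespace"] is None:  # request carries no namespace (cluster-scoped)
        return rule.get("clusterScope", False)
    return _in(rule.get("namespaces", []), req["namespace"])

def priority_level_for(schema, req):
    """Return the schema's priority level if any rule matches the request, else None."""
    for rule in schema["rules"]:
        # A rule matches when one subject AND one resource rule both match.
        if any(subject_matches(s, req["user"]) for s in rule["subjects"]) and \
           any(resource_rule_matches(r, req) for r in rule["resourceRules"]):
            return schema["priorityLevel"]
    return None

def request(user, verb, group, resource, namespace=None):
    """Build a constructed sample request for the matcher."""
    return {"user": user, "verb": verb, "apiGroup": group,
            "resource": resource, "namespace": namespace}
```

In this model, only SubjectAccessReview and TokenReview requests from the named service account reach the exempt level; a LocalSubjectAccessReview from the same account, or any request from another identity, falls through to whatever other FlowSchemas apply.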

Comment 1 Stephen Cuppett 2020-10-14 14:57:54 UTC

*** This bug has been marked as a duplicate of bug 1888309 ***