Bug 1954765 - CCO: check (see bug 1947801#c4 steps) audit log to find deprecated API access related to this component to ensure this component won't access APIs that trigger APIRemovedInNextReleaseInUse alert
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Cloud Credential Operator
Version: 4.8
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ---
: 4.8.0
Assignee: Joel Diaz
QA Contact: wang lin
URL:
Whiteboard:
Depends On:
Blocks: 1947719 1958492
Reported: 2021-04-28 18:23 UTC by David Eads
Modified: 2021-07-27 23:05 UTC

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
: 1958492
Environment:
Last Closed: 2021-07-27 23:04:34 UTC
Target Upstream Version:

Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | openshift cloud-credential-operator pull 333 | 0 | None | closed | Bug 1954765: v1beta1 to v1 mutatingwebhookconfiguration | 2021-05-07 10:32:10 UTC
Red Hat Product Errata | RHSA-2021:2438 | 0 | None | None | None | 2021-07-27 23:05:00 UTC

Description David Eads 2021-04-28 18:23:14 UTC
//user/system:serviceaccount:openshift-cloud-credential-operator:cloud-credential-operator accessed mutatingwebhookconfigurations.v1beta1.admissionregistration.k8s.io 60 times

found in https://prow.ci.openshift.org/view/gs/origin-ci-test/pr-logs/pull/26104/pull-ci-openshift-origin-master-e2e-aws-disruptive/1386733471304519680

Comment 1 David Eads 2021-04-28 18:24:06 UTC
This blocks upgrade to 4.9, because when the kube-apiserver upgrades to 4.9, the endpoint used by the cloud-credential operator in 4.8 (kube-apiserver upgrades first) will stop functioning.
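
As an added illustration (not part of this bug report and not the steps from bug 1947801), a tally like the one quoted in the description can be produced from kube-apiserver audit events, which carry a `k8s.io/deprecated: "true"` annotation on requests to deprecated APIs. The function names and the sample events are constructed for this example.

```python
import json
from collections import Counter

SA = "system:serviceaccount:openshift-cloud-credential-operator:"
CCO, WEBHOOK = SA + "cloud-credential-operator", SA + "pod-identity-webhook"

def make_event(user, resource, group, version, stage="ResponseComplete", deprecated=True):
    """Build one constructed audit event line (sample data, not from the CI run)."""
    ann = {"k8s.io/deprecated": "true", "k8s.io/removed-release": "1.22"} if deprecated else {}
    return json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": stage,
                       "user": {"username": user}, "annotations": ann,
                       "objectRef": {"resource": resource, "apiGroup": group, "apiVersion": version}})

MWC = ("mutatingwebhookconfigurations", "admissionregistration.k8s.io")
SAMPLE_AUDIT_LOG = "\n".join([
    make_event(CCO, *MWC, "v1beta1"),
    make_event(CCO, *MWC, "v1beta1"),
    # Earlier stage of a request: must not be counted a second time.
    make_event(CCO, *MWC, "v1beta1", stage="RequestReceived", deprecated=False),
    make_event(WEBHOOK, "certificatesigningrequests", "certificates.k8s.io", "v1beta1"),
    # Client already on v1: no deprecation annotation, so it is ignored.
    make_event(CCO, *MWC, "v1", deprecated=False),
    '{"kind": "Event", "stage": "Respon',  # constructed truncated line
])

def deprecated_api_access(audit_log, user_prefix=""):
    """Count completed requests to deprecated APIs per (user, resource.version.group)."""
    counts = Counter()
    for line in audit_log.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or truncated lines rather than abort the scan
        if not isinstance(ev, dict) or ev.get("stage") != "ResponseComplete":
            continue
        if (ev.get("annotations") or {}).get("k8s.io/deprecated") != "true":
            continue
        user = (ev.get("user") or {}).get("username", "")
        ref = ev.get("objectRef") or {}
        if user.startswith(user_prefix):
            api = f'{ref.get("resource")}.{ref.get("apiVersion")}.{ref.get("apiGroup")}'
            counts[(user, api)] += 1
    return counts

def report(counts):
    """Render counts in the 'user/<name> accessed <api> N times' form seen in this bug."""
    return [f"user/{u} accessed {api} {n} times" for (u, api), n in sorted(counts.items())]
```

Passing `user_prefix=SA` limits the tally to the service accounts of this component's namespace.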

Comment 4 wang lin 2021-05-07 02:20:34 UTC
Hi Joel,
  I can see podidentity no longer accesses mutatingwebhookconfigurations.v1beta1.admissionregistration.k8s.io, but I see another API call to certificatesigningrequests.v1beta1.certificates.k8s.io. Does this need to be fixed by us?

user/system:serviceaccount:openshift-cloud-credential-operator:pod-identity-webhook accessed certificatesigningrequests.v1beta1.certificates.k8s.io 23 times

found in https://prow.ci.openshift.org/view/gs/origin-ci-test/pr-logs/pull/26104/pull-ci-openshift-origin-master-e2e-aws-disruptive/1390344110019186688

Comment 5 Stefan Schimanski 2021-05-07 10:32:43 UTC
Still seeing

  user/system:serviceaccount:openshift-cloud-credential-operator:pod-identity-webhook accessed certificatesigningrequests.v1beta1.certificates.k8s.io 13 times

in [sig-arch][Late] clients should not use APIs that are removed in upcoming releases [Suite:openshift/conformance/parallel].

Comment 6 Joel Diaz 2021-05-07 16:36:14 UTC
@lwan@redhat.com let's open a new BZ for the certificatesigningrequests v1beta1. The fix for that is in another repo.

Comment 7 wang lin 2021-05-08 08:19:33 UTC
Filed a new one: https://bugzilla.redhat.com/show_bug.cgi?id=1958492 , move this one to Verified.

Comment 10 errata-xmlrpc 2021-07-27 23:04:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438

