Bug 1954768 - baremetal-operator: check (see bug 1947801#c4 steps) audit log to find deprecated API access related to this component to ensure this component won't access APIs that trigger APIRemovedInNextReleaseInUse alert
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Bare Metal Hardware Provisioning
Version: 4.8
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: 4.8.0
Assignee: Angus Salkeld
QA Contact: Ori Michaeli
URL:
Whiteboard:
Depends On:
Blocks: 1947719
Reported: 2021-04-28 18:29 UTC by David Eads
Modified: 2021-07-27 23:05 UTC

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-07-27 23:04:34 UTC
Target Upstream Version:




Links
System ID Private Priority Status Summary Last Updated
Github openshift cluster-baremetal-operator pull 141 0 None open Bug 1954768: Use AdmissionRegistration v1 not v1beta1 as it is going away 2021-05-04 23:42:15 UTC
Red Hat Product Errata RHSA-2021:2438 0 None None None 2021-07-27 23:05:00 UTC

Description David Eads 2021-04-28 18:29:09 UTC
user/system:serviceaccount:openshift-machine-api:cluster-baremetal-operator accessed validatingwebhookconfigurations.v1beta1.admissionregistration.k8s.io 1 times

This blocks upgrade to 4.9, because when the kube-apiserver upgrades to 4.9, the endpoint used by the operator in 4.8 (kube-apiserver upgrades first) will stop functioning.  Many clusters get stuck in this state and running skewed fails.

Comment 2 Xingxing Xia 2021-05-10 07:49:06 UTC
Verified in 4.8.0-0.nightly-2021-05-10-002052 :
$ MASTERS=`oc get no | grep master | grep -o '^[^ ]*'`
$ for i in $MASTERS; do echo "$i"; oc debug no/$i -- chroot /host bash -c "grep -hE '"'"k8s.io/removed-release":"[^"]+"'"' /var/log/kube-apiserver/audit*.log" >> all.log ; done                                      
$ grep '"k8s.io/removed-release":"1.22"' all.log > 1.22.log                                      
$ jq -r '.user.username+": "+.requestURI' 1.22.log | sed 's/\?.*$//' | sort | uniq -c | sort -n
     92 system:serviceaccount:openshift-machine-config-operator:default: /apis/apiextensions.k8s.io/v1beta1/customresourcedefinitions
     96 system:serviceaccount:openshift-machine-api:cluster-autoscaler-operator: /apis/admissionregistration.k8s.io/v1beta1/validatingwebhookconfigurations
    105 system:serviceaccount:openshift-cluster-version:default: /apis/apiextensions.k8s.io/v1beta1/customresourcedefinitions/clusteroperators.config.openshift.io
    105 system:serviceaccount:openshift-cluster-version:default: /apis/apiextensions.k8s.io/v1beta1/customresourcedefinitions/clusterversions.config.openshift.io
    105 system:serviceaccount:openshift-cluster-version:default: /apis/apiextensions.k8s.io/v1beta1/customresourcedefinitions/containerruntimeconfigs.machineconfiguration.openshift.io
    105 system:serviceaccount:openshift-cluster-version:default: /apis/apiextensions.k8s.io/v1beta1/customresourcedefinitions/credentialsrequests.cloudcredential.openshift.io
    105 system:serviceaccount:openshift-cluster-version:default: /apis/apiextensions.k8s.io/v1beta1/customresourcedefinitions/kubeletconfigs.machineconfiguration.openshift.io
    105 system:serviceaccount:openshift-cluster-version:default: /apis/apiextensions.k8s.io/v1beta1/customresourcedefinitions/machineconfigpools.machineconfiguration.openshift.io
    105 system:serviceaccount:openshift-cluster-version:default: /apis/apiextensions.k8s.io/v1beta1/customresourcedefinitions/machineconfigs.machineconfiguration.openshift.io
    105 system:serviceaccount:openshift-cluster-version:default: /apis/rbac.authorization.k8s.io/v1beta1/clusterrolebindings/default-account-openshift-machine-config-operator
    105 system:serviceaccount:openshift-cluster-version:default: /apis/rbac.authorization.k8s.io/v1beta1/namespaces/openshift-machine-api/rolebindings/cluster-autoscaler-operator
    105 system:serviceaccount:openshift-cluster-version:default: /apis/rbac.authorization.k8s.io/v1beta1/namespaces/openshift-machine-api/roles/cluster-autoscaler-operator
    173 system:kube-controller-manager: /apis/extensions/v1beta1/ingresses
    339 system:serviceaccount:openshift-machine-config-operator:default: /apis/apiextensions.k8s.io/v1beta1/customresourcedefinitions/controllerconfigs.machineconfiguration.openshift.io

Did not find access to deprecated APIs related to baremetal operator
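
The audit-log check from Comment 2, as an added example that is not part of the bug report or the operator's code: it parses each kube-apiserver audit event as JSON instead of grepping, counts requests annotated with k8s.io/removed-release per user and request path, and tolerates truncated lines. The function names and the sample events are assumptions constructed for illustration.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

REMOVED_KEY = "k8s.io/removed-release"  # audit annotation matched by the grep in Comment 2


def deprecated_access(lines, removed_release="1.22"):
    """Return (Counter keyed by (username, path), number of unparseable lines)."""
    counts, skipped = Counter(), 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1  # e.g. a line cut short while the log was being rotated
            continue
        annotations = event.get("annotations") or {}
        if annotations.get(REMOVED_KEY) != removed_release:
            continue
        user = (event.get("user") or {}).get("username", "<unknown>")
        path = urlsplit(event.get("requestURI", "")).path  # drop ?query, like the sed step
        counts[(user, path)] += 1
    return counts, skipped


def by_service_account(counts, namespace, name):
    """Paths (with hit counts) requested by one service account."""
    user = f"system:serviceaccount:{namespace}:{name}"
    return {path: n for (u, path), n in counts.items() if u == user}


def _event(user, uri, release=None):
    # Constructed sample audit event; real events carry many more fields.
    ann = {"k8s.io/deprecated": "true", REMOVED_KEY: release} if release else {}
    return json.dumps({"kind": "Event", "user": {"username": user},
                       "requestURI": uri, "annotations": ann})


WEBHOOKS = "/apis/admissionregistration.k8s.io/v1beta1/validatingwebhookconfigurations"
BMO = "system:serviceaccount:openshift-machine-api:cluster-baremetal-operator"
CAO = "system:serviceaccount:openshift-machine-api:cluster-autoscaler-operator"
SAMPLE = [  # constructed input, not taken from a real cluster
    _event(BMO, WEBHOOKS + "?timeout=32s", "1.22"),
    _event(CAO, WEBHOOKS, "1.22"),
    _event(CAO, WEBHOOKS + "?watch=true", "1.22"),
    _event(BMO, "/apis/policy/v1beta1/poddisruptionbudgets", "1.25"),
    _event(BMO, "/api/v1/namespaces/openshift-machine-api/configmaps"),
    '{"kind":"Event","user":{"username":"system:kube-contr',  # truncated line
]
```

An empty result from by_service_account for a component's service account corresponds to the "did not find access" outcome in Comment 2; a non-zero skipped count means some log lines were not inspected.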

Comment 5 errata-xmlrpc 2021-07-27 23:04:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438

