Bug 1954773 - OVN: check (see bug 1947801#c4 steps) audit log to find deprecated API access related to this component to ensure this component does not trigger APIRemovedInNextReleaseInUse alert [NEEDINFO]
Summary: OVN: check (see bug 1947801#c4 steps) audit log to find deprecated API access...
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.8
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.8.0
Assignee: Jacob Tanenbaum
QA Contact: Anurag saxena
Depends On:
Blocks: 1947719
TreeView+ depends on / blocked
Reported: 2021-04-28 18:37 UTC by David Eads
Modified: 2021-07-27 23:05 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2021-07-27 23:04:34 UTC
Target Upstream Version:
fpaoline: needinfo? (jtanenba)

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Github openshift cluster-network-operator pull 1095 0 None closed Bug 1954773: update the cno to use the egressfirewall flag 2021-06-01 05:47:36 UTC
Github openshift ovn-kubernetes pull 541 0 None closed Bug 1954773: adding cli flag for egressfirewall and removing CRD watcher 2021-05-31 10:49:57 UTC
Github ovn-org ovn-kubernetes pull 2192 0 None closed change egressFirewall to be enabled with a cli flag 2021-05-31 10:50:03 UTC
Red Hat Product Errata RHSA-2021:2438 0 None None None 2021-07-27 23:05:00 UTC

Description David Eads 2021-04-28 18:37:46 UTC
user/system:serviceaccount:openshift-ovn-kubernetes:ovn-kubernetes-controller accessed customresourcedefinitions.v1beta1.apiextensions.k8s.io 34 times

This blocks upgrade to 4.9, because when the kube-apiserver upgrades to 4.9, the endpoint used by the operator in 4.8 (kube-apiserver upgrades first) will stop functioning.  Many clusters get stuck in this state and running skewed fails.

Comment 1 Federico Paolinelli 2021-05-10 08:37:55 UTC
@jtanenba moving this to you since you added the PR that is gonna fix it upstream (https://github.com/ovn-org/ovn-kubernetes/pull/2192).

Comment 2 Stefan Schimanski 2021-06-01 05:47:53 UTC
All merged.

Comment 4 Xingxing Xia 2021-06-02 10:49:37 UTC
Verified in OVN 4.8.0-0.nightly-2021-06-02-025513 env:
$ MASTERS=`oc get no | grep master | grep -o '^[^ ]*'`
$ for i in $MASTERS; do oc debug no/$i -- chroot /host bash -c "grep -hE '"'"k8s.io/removed-release":"[^"]+"'"' /var/log/kube-apiserver/audit*.log" ; done > all.log
$ grep '"k8s.io/removed-release":"1.22"' all.log > 1.22.log
$ jq -r '.user.username+": "+.requestURI' 1.22.log | sed 's/=[0-9][^&]*/=***/g' | sort | uniq -c | sort -n > 1.22.removed.apis
$ cat 1.22.removed.apis
No above system:serviceaccount:openshift-ovn-kubernetes ... accessed any deprecated APIs.

Comment 7 errata-xmlrpc 2021-07-27 23:04:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.