Bug 1954773 - OVN: check (see bug 1947801#c4 steps) audit log to find deprecated API access related to this component to ensure this component does not trigger APIRemovedInNextReleaseInUse alert
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.8
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: 4.8.0
Assignee: Jacob Tanenbaum
QA Contact: Anurag saxena
URL:
Whiteboard:
Depends On:
Blocks: 1947719
 
Reported: 2021-04-28 18:37 UTC by David Eads
Modified: 2023-09-15 01:05 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-07-27 23:04:34 UTC
Target Upstream Version:
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | openshift cluster-network-operator pull 1095 | 0 | None | closed | Bug 1954773: update the cno to use the egressfirewall flag | 2021-06-01 05:47:36 UTC
Github | openshift ovn-kubernetes pull 541 | 0 | None | closed | Bug 1954773: adding cli flag for egressfirewall and removing CRD watcher | 2021-05-31 10:49:57 UTC
Github | ovn-org ovn-kubernetes pull 2192 | 0 | None | closed | change egressFirewall to be enabled with a cli flag | 2021-05-31 10:50:03 UTC
Red Hat Product Errata | RHSA-2021:2438 | 0 | None | None | None | 2021-07-27 23:05:00 UTC

Description David Eads 2021-04-28 18:37:46 UTC
user/system:serviceaccount:openshift-ovn-kubernetes:ovn-kubernetes-controller accessed customresourcedefinitions.v1beta1.apiextensions.k8s.io 34 times

This blocks upgrade to 4.9, because when the kube-apiserver upgrades to 4.9, the endpoint used by the operator in 4.8 (kube-apiserver upgrades first) will stop functioning.  Many clusters get stuck in this state and running skewed fails.

Comment 1 Federico Paolinelli 2021-05-10 08:37:55 UTC
@jtanenba moving this to you since you added the PR that is gonna fix it upstream (https://github.com/ovn-org/ovn-kubernetes/pull/2192).

Comment 2 Stefan Schimanski 2021-06-01 05:47:53 UTC
All merged.

Comment 4 Xingxing Xia 2021-06-02 10:49:37 UTC
Verified in OVN 4.8.0-0.nightly-2021-06-02-025513 env:
$ MASTERS=`oc get no | grep master | grep -o '^[^ ]*'`
$ for i in $MASTERS; do oc debug no/$i -- chroot /host bash -c "grep -hE '"'"k8s.io/removed-release":"[^"]+"'"' /var/log/kube-apiserver/audit*.log" ; done > all.log
$ grep '"k8s.io/removed-release":"1.22"' all.log > 1.22.log
$ jq -r '.user.username+": "+.requestURI' 1.22.log | sed 's/=[0-9][^&]*/=***/g' | sort | uniq -c | sort -n > 1.22.removed.apis
$ cat 1.22.removed.apis
No above system:serviceaccount:openshift-ovn-kubernetes ... accessed any deprecated APIs.
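
Added example, not part of the original comment or of any OpenShift tooling: the grep/jq/sed steps above expressed in Python, so that the final check (did a service account in the component's namespace hit an API removed in a given release) is a function result instead of a visual scan of the output. The audit lines are constructed, `example-ns`/`example-sa` are hypothetical names, and skipping unparseable lines is an assumption about rotated logs.

```python
import json
import re
from collections import Counter

REMOVED_KEY = "k8s.io/removed-release"  # annotation the grep in the comment matches

def mask_query_values(uri):
    """Mirror the sed step: hide numeric query values so similar requests group together."""
    return re.sub(r"=[0-9][^&]*", "=***", uri)

def removed_api_usage(lines, release="1.22"):
    """Count (username, masked requestURI) for audit events marked removed in `release`."""
    counts = Counter()
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or truncated line, e.g. from log rotation
        if not isinstance(event, dict):
            continue
        if (event.get("annotations") or {}).get(REMOVED_KEY) != release:
            continue
        user = (event.get("user") or {}).get("username", "<unknown>")
        counts[(user, mask_query_values(event.get("requestURI", "")))] += 1
    return counts

def namespace_offenders(counts, namespace):
    """Total hits per service account in `namespace`; an empty dict means the component is clean."""
    prefix = f"system:serviceaccount:{namespace}:"
    totals = Counter()
    for (user, _uri), hits in counts.items():
        if user.startswith(prefix):
            totals[user] += hits
    return dict(totals)

def _event(user, uri, removed=None):
    """Build one constructed audit-log line (sample data, not from a real cluster)."""
    annotations = {REMOVED_KEY: removed, "k8s.io/deprecated": "true"} if removed else {}
    return json.dumps({"user": {"username": user}, "requestURI": uri, "annotations": annotations})

OVN_SA = "system:serviceaccount:openshift-ovn-kubernetes:ovn-kubernetes-controller"
CRD_V1BETA1 = "/apis/apiextensions.k8s.io/v1beta1/customresourcedefinitions"
SAMPLE_LINES = [  # constructed
    _event(OVN_SA, CRD_V1BETA1 + "?limit=500&resourceVersion=0", removed="1.22"),
    _event(OVN_SA, CRD_V1BETA1 + "?limit=500&resourceVersion=98231", removed="1.22"),
    _event(OVN_SA, "/api/v1/nodes?limit=500"),  # current API, no annotation
    _event("system:serviceaccount:example-ns:example-sa",  # hypothetical account
           "/apis/policy/v1beta1/podsecuritypolicies", removed="1.25"),
    '{"user":{"username":"' + OVN_SA,  # truncated line
]

if __name__ == "__main__":
    usage = removed_api_usage(SAMPLE_LINES)
    for (user, uri), hits in sorted(usage.items(), key=lambda kv: kv[1]):
        print(f"{hits:7d} {user}: {uri}")
    print(namespace_offenders(usage, "openshift-ovn-kubernetes"))
```

On a real cluster the input would be the lines of `all.log` collected by the `oc debug` loop above.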

Comment 7 errata-xmlrpc 2021-07-27 23:04:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438

Comment 8 Red Hat Bugzilla 2023-09-15 01:05:51 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days

