This component accesses APIs that will be removed in 4.9 (Kubernetes 1.22). It is causing the DeprecatedAPIInUse alert to fire in every 4.8 clusters permanently and hence must be fixed in 4.8 (blocker+).
The raw audit data can be found at https://gist.github.com/sttts/50a1429837f2448ce07f30174fa73cdb.
Here are the observed requests for this component:
system:serviceaccount:openshift-cluster-version:default: /apis/apiextensions.k8s.io/v1beta1/customresourcedefinitions/configs.samples.operator.openshift.io
Created attachment 1770482[details]
alert screen shot
Created attachment 1770482[details]
alert screen shot
Description of problem:
8 DeprecatedAPIInUse info alerts display
Version-Release number of selected component (if applicable):
4.8.0-0.nightly-2021-04-08-200632
How reproducible:
always
Steps to Reproduce:
1. open console-monitoring-alerts
2.
3.
Actual results:
8 DeprecatedAPIInUse info alerts display
Expected results:
No other alerts display except watchdog
Additional info:
alert rule metrics:
group by(group, version, resource) (apiserver_requested_deprecated_apis{removed_release="1.22"}) and (sum by(group, version, resource) (rate(apiserver_request_total[10m]))) > 0
Element Value:
{group="rbac.authorization.k8s.io",resource="roles",version="v1beta1"} 1
{group="admissionregistration.k8s.io",resource="mutatingwebhookconfigurations",version="v1beta1"} 1
{group="admissionregistration.k8s.io",resource="validatingwebhookconfigurations",version="v1beta1"} 1
{group="apiextensions.k8s.io",resource="customresourcedefinitions",version="v1beta1"} 1
{group="certificates.k8s.io",resource="certificatesigningrequests",version="v1beta1"} 1
{group="extensions",resource="ingresses",version="v1beta1"} 1
{group="rbac.authorization.k8s.io",resource="clusterrolebindings",version="v1beta1"} 1
{group="rbac.authorization.k8s.io",resource="rolebindings",version="v1beta1"} 1
----------------
# for i in roles mutatingwebhookconfigurations validatingwebhookconfigurations customresourcedefinitions certificatesigningrequests ingresses clusterrolebindings rolebindings; do oc api-resources | grep $i; echo -e "\n"; done
clusterroles authorization.openshift.io/v1 false ClusterRole
roles authorization.openshift.io/v1 true Role
clusterroles rbac.authorization.k8s.io/v1 false ClusterRole
roles rbac.authorization.k8s.io/v1 true Role
mutatingwebhookconfigurations admissionregistration.k8s.io/v1 false MutatingWebhookConfiguration
validatingwebhookconfigurations admissionregistration.k8s.io/v1 false ValidatingWebhookConfiguration
customresourcedefinitions crd,crds apiextensions.k8s.io/v1 false CustomResourceDefinition
certificatesigningrequests csr certificates.k8s.io/v1 false CertificateSigningRequest
ingresses config.openshift.io/v1 false Ingress
ingresses ing extensions/v1beta1 true Ingress
ingresses ing networking.k8s.io/v1 true Ingress
clusterrolebindings authorization.openshift.io/v1 false ClusterRoleBinding
clusterrolebindings rbac.authorization.k8s.io/v1 false ClusterRoleBinding
clusterrolebindings authorization.openshift.io/v1 false ClusterRoleBinding
rolebindings authorization.openshift.io/v1 true RoleBinding
clusterrolebindings rbac.authorization.k8s.io/v1 false ClusterRoleBinding
rolebindings rbac.authorization.k8s.io/v1 true RoleBinding
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHSA-2021:2438