Bug 1958492 - CCO: pod-identity-webhook still accesses APIRemovedInNextReleaseInUse
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Cloud Credential Operator
Version: 4.8
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.8.0
Assignee: Joel Diaz
QA Contact: wang lin
Depends On: 1954765
Blocks: 1947719
Reported: 2021-05-08 08:15 UTC by wang lin
Modified: 2021-07-27 23:07 UTC

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of: 1954765
Last Closed: 2021-07-27 23:07:32 UTC
Target Upstream Version:


System ID Private Priority Status Summary Last Updated
Github openshift aws-pod-identity-webhook pull 138 0 None open Bug 1958492: UPSTREAM: 115: certificatesigningrequests/v1beta1 to v1 2021-05-08 11:20:10 UTC
Red Hat Product Errata RHSA-2021:2438 0 None None None 2021-07-27 23:07:50 UTC

Description wang lin 2021-05-08 08:15:47 UTC
Description of problem:
user/system:serviceaccount:openshift-cloud-credential-operator:pod-identity-webhook accessed certificatesigningrequests.v1beta1.certificates.k8s.io 23 times which will be deprecated in the next release

found in https://prow.ci.openshift.org/view/gs/origin-ci-test/pr-logs/pull/26104/pull-ci-openshift-origin-master-e2e-aws-disruptive/1390344110019186688

Actual results:
still accesses DeprecatedAPIInNextReleaseInUse

Expected results:
won't access DeprecatedAPIInNextReleaseInUse

Comment 2 wang lin 2021-05-10 06:14:12 UTC
Verified on 4.8.0-0.nightly-2021-05-09-105430, pod-identity-webhook no longer accesses certificatesigningrequests.v1beta1.certificates.k8s.io. Here are the verification steps:

$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.8.0-0.nightly-2021-05-09-105430   True        False         173m    Cluster version is 4.8.0-0.nightly-2021-05-09-105430

$ masters=$(oc get no -l node-role.kubernetes.io/master | sed '1d' | awk '{print $1}')

$ oc adm node-logs $masters --path=kube-apiserver/audit.log --raw | grep -e '"k8s.io/removed-release":"1.22"' | tee dep.json

$ cat dep.json | jq -r '.user.username+": "+.requestURI' | sort | uniq | grep pod-identity
Nothing can be found.
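
Added example (not part of the original comment or of the project's code): the same audit-log check done by parsing each event as JSON, so it does not depend on how the annotation is serialized and it tolerates truncated lines. The helper names, the second service account and all sample events are constructed for illustration.

```python
import json
from collections import Counter

WEBHOOK = "system:serviceaccount:openshift-cloud-credential-operator:pod-identity-webhook"

def make_event(user, group, version, resource, removed=None):
    """Build one constructed audit-log line in the kube-apiserver JSON shape."""
    ann = {"k8s.io/deprecated": "true", "k8s.io/removed-release": removed} if removed else {}
    return json.dumps({"verb": "get", "user": {"username": user},
                       "requestURI": f"/apis/{group}/{version}/{resource}",
                       "objectRef": {"resource": resource, "apiGroup": group, "apiVersion": version},
                       "annotations": ann})

# Constructed sample input, not taken from the CI run referenced in this bug.
SAMPLE_AUDIT_LOG = [
    make_event(WEBHOOK, "certificates.k8s.io", "v1beta1", "certificatesigningrequests", "1.22"),
    make_event(WEBHOOK, "certificates.k8s.io", "v1beta1", "certificatesigningrequests", "1.22"),
    make_event(WEBHOOK, "certificates.k8s.io", "v1", "certificatesigningrequests"),
    make_event("system:serviceaccount:example-ns:example-sa", "policy", "v1beta1",
               "poddisruptionbudgets", "1.25"),
    '{"verb":"get","requestURI":"/apis/certific',  # truncated line, must be skipped
]

def deprecated_api_use(lines, removed_release="1.22"):
    """Count requests per (username, resource.version.group) for APIs removed in a release."""
    counts = Counter()
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank, truncated or non-JSON line
        if not isinstance(event, dict):
            continue
        if (event.get("annotations") or {}).get("k8s.io/removed-release") != removed_release:
            continue
        ref = event.get("objectRef") or {}
        parts = (ref.get("resource"), ref.get("apiVersion"), ref.get("apiGroup"))
        api = ".".join(p for p in parts if p) or event.get("requestURI", "<unknown>")
        user = (event.get("user") or {}).get("username", "<unknown>")
        counts[(user, api)] += 1
    return counts

def offenders(counts, needle):
    """Keep only the entries whose username contains needle (the 'grep pod-identity' step)."""
    return {key: n for key, n in counts.items() if needle in key[0]}

if __name__ == "__main__":
    for (user, api), n in sorted(offenders(deprecated_api_use(SAMPLE_AUDIT_LOG), "pod-identity").items()):
        print(f"{user} accessed {api} {n} times")
```

An empty result from `offenders(...)` corresponds to the "Nothing can be found" outcome above.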

Comment 5 errata-xmlrpc 2021-07-27 23:07:32 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

