Description of problem: user/system:serviceaccount:openshift-cloud-credential-operator:pod-identity-webhook accessed certificatesigningrequests.v1beta1.certificates.k8s.io 23 times which will be deprecated in the next release found in https://prow.ci.openshift.org/view/gs/origin-ci-test/pr-logs/pull/26104/pull-ci-openshift-origin-master-e2e-aws-disruptive/1390344110019186688 Actual results: still accesses DeprecatedAPIInNextReleaseInUse Expected results: won't access DeprecatedAPIInNextReleaseInUse
Verified on 4.8.0-0.nightly-2021-05-09-105430, pod-identity-webhook no longer accesses certificatesigningrequests.v1beta1.certificates.k8s.io. Here is the verification steps: $ oc get clusterversion NAME VERSION AVAILABLE PROGRESSING SINCE STATUS version 4.8.0-0.nightly-2021-05-09-105430 True False 173m Cluster version is 4.8.0-0.nightly-2021-05-09-105430 $ masters=$(oc get no -l node-role.kubernetes.io/master | sed '1d' | awk '{print $1}') $ oc adm node-logs $masters --path=kube-apiserver/audit.log --raw | grep -e '"k8s.io/removed-release":"1.22"' | tee dep.json $ cat dep.json | jq -r '.user.username+": "+.requestURI' | sort | uniq | grep pod-identity Nothing can be found.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:2438