Bug 1959293 - openshift-oauth-apiserver:oauth-apiserver-sa should not rely on external networking for health check [NEEDINFO]
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: oauth-apiserver
Version: 4.8
Hardware: Unspecified
OS: Unspecified
low
high
Target Milestone: ---
Assignee: Standa Laznicka
QA Contact: Xingxing Xia
URL:
Whiteboard: LifecycleStale
Duplicates: 1954038
Depends On: 1959285 1959290 1959291 1959292
Blocks: 1959294
Reported: 2021-05-11 08:22 UTC by Rom Freiman
Modified: 2021-11-05 11:55 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1959292
: 1959294 (view as bug list)
Environment:
Last Closed: 2021-07-30 10:43:49 UTC
Target Upstream Version:
Embargoed:
mfojtik: needinfo?



Description Rom Freiman 2021-05-11 08:22:11 UTC
+++ This bug was initially created as a clone of Bug #1959292 +++

+++ This bug was initially created as a clone of Bug #1959291 +++

+++ This bug was initially created as a clone of Bug #1959290 +++

+++ This bug was initially created as a clone of Bug #1959285 +++

Apparently, openshift-oauth-apiserver:oauth-apiserver-sa has a dependency on SAR as part of its healthcheck, which causes it to be restarted in case of kubeapi rollout in SNO.


How reproducible:

User cluster-bot:
1. launch nightly aws,single-node
2. Update audit log verbosity to: AllRequestBodies
3. Wait for api rollout (oc get kubeapiserver -o=jsonpath='{range .items[0].status.conditions[?(@.type=="NodeInstallerProgressing")]}{.reason}{"\n"}{.message}{"\n"}')
4. reboot the node to cleanup the caches (oc debug node/ip-10-0-136-254.ec2.internal)
5. Wait
6. Grep the audit log: 

oc adm node-logs ip-10-0-128-254.ec2.internal --path=kube-apiserver/audit.log | grep -i health | grep -i subjectaccessreviews | grep -v Unhealth > rbac.log
cat rbac.log  | jq . -C | less -r | grep 'username' | sort | uniq



Actual results:
~/work/installer [master]> cat rbac.log  | jq . -C | less -r | grep 'username' | sort | uniq
    "username": "system:serviceaccount:openshift-oauth-apiserver:oauth-apiserver-sa"

Expected results:
It should not appear

Additional info:
Affects SNO stability upon api rollout (certificates rotation)

Comment 1 Michal Fojtik 2021-06-10 09:03:42 UTC
This bug hasn't had any activity in the last 30 days. Maybe the problem got resolved, was a duplicate of something else, or became less pressing for some reason - or maybe it's still relevant but just hasn't been looked at yet. As such, we're marking this bug as "LifecycleStale" and decreasing the severity/priority. If you have further information on the current state of the bug, please update it, otherwise this bug can be closed in about 7 days. The information can be, for example, that the problem still occurs, that you still want the feature, that more information is needed, or that the bug is (for whatever reason) no longer relevant. Additionally, you can add LifecycleFrozen into Keywords if you think this bug should never be marked as stale. Please consult with bug assignee before you do that.

Comment 3 Michal Fojtik 2021-06-29 07:13:39 UTC
The LifecycleStale keyword was removed because the bug got commented on recently.
The bug assignee was notified.

Comment 4 Michal Fojtik 2021-07-29 08:09:01 UTC
This bug hasn't had any activity in the last 30 days. Maybe the problem got resolved, was a duplicate of something else, or became less pressing for some reason - or maybe it's still relevant but just hasn't been looked at yet. As such, we're marking this bug as "LifecycleStale" and decreasing the severity/priority. If you have further information on the current state of the bug, please update it, otherwise this bug can be closed in about 7 days. The information can be, for example, that the problem still occurs, that you still want the feature, that more information is needed, or that the bug is (for whatever reason) no longer relevant. Additionally, you can add LifecycleFrozen into Keywords if you think this bug should never be marked as stale. Please consult with bug assignee before you do that.

Comment 5 Standa Laznicka 2021-07-30 10:43:49 UTC
The filter in the original comment is wrong (adding needinfo on the reporter to let them know).

The response matches the request to "/apis/flowcontrol.apiserver.k8s.io/v1beta1/flowschemas", not /healthz.
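
The point made in Comment 5, as an added example that is not part of the original thread: with request and response bodies in the audit log, a line-wide grep can match keywords inside a logged body, while a filter on the event's structured fields selects only real SubjectAccessReview requests for health paths. The events below are constructed, `example-ns:example-sa` is a hypothetical account, and placing both keywords in the flowschemas response body is an assumption about why the grep matched.

```python
import json

OAUTH_SA = "system:serviceaccount:openshift-oauth-apiserver:oauth-apiserver-sa"
EXAMPLE_SA = "system:serviceaccount:example-ns:example-sa"  # hypothetical account
SAR_URI = "/apis/authorization.k8s.io/v1/subjectaccessreviews"
HEALTH_PATHS = ("/healthz", "/readyz", "/livez")

def event(user, verb, uri, resource, request=None, response=None):
    """Build one constructed audit.k8s.io/v1-style event as a JSON log line."""
    return json.dumps({"kind": "Event", "verb": verb, "requestURI": uri,
                       "user": {"username": user}, "objectRef": {"resource": resource},
                       "requestObject": request, "responseObject": response})

# Constructed sample log; none of these lines come from the cluster in the bug.
SAMPLE_LOG = [
    # flowschemas list: both keywords appear only inside the logged response body
    event(OAUTH_SA, "list", "/apis/flowcontrol.apiserver.k8s.io/v1beta1/flowschemas",
          "flowschemas", response={"items": [{"spec": {"rules": [
              {"resourceRules": [{"resources": ["subjectaccessreviews"]}],
               "nonResourceRules": [{"nonResourceURLs": ["/healthz"]}]}]}}]}),
    # a real SubjectAccessReview asking about a health endpoint
    event(EXAMPLE_SA, "create", SAR_URI, "subjectaccessreviews",
          request={"spec": {"user": "system:anonymous",
                            "nonResourceAttributes": {"path": "/healthz", "verb": "get"}}}),
    # a SubjectAccessReview about an ordinary resource, unrelated to health checks
    event(EXAMPLE_SA, "create", SAR_URI, "subjectaccessreviews",
          request={"spec": {"user": "alice",
                            "resourceAttributes": {"resource": "pods", "verb": "list"}}}),
]

def grep_style_users(lines):
    """Mimic: grep -i health | grep -i subjectaccessreviews | grep -v Unhealth."""
    hits = [l for l in lines if "health" in l.lower()
            and "subjectaccessreviews" in l.lower() and "Unhealth" not in l]
    return sorted({json.loads(l)["user"]["username"] for l in hits})

def health_sar_users(lines):
    """Select only SAR creations whose spec asks about a health endpoint path."""
    users = set()
    for line in lines:
        ev = json.loads(line)
        if ev.get("verb") != "create":
            continue
        if (ev.get("objectRef") or {}).get("resource") != "subjectaccessreviews":
            continue
        spec = (ev.get("requestObject") or {}).get("spec") or {}
        path = (spec.get("nonResourceAttributes") or {}).get("path") or ""
        if path.startswith(HEALTH_PATHS):
            users.add(ev["user"]["username"])
    return sorted(users)
```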

Comment 7 Antonio Ojea 2021-11-05 11:55:38 UTC
*** Bug 1954038 has been marked as a duplicate of this bug. ***

