Bug 1959513 - Cluster-kube-apiserver does not use library-go for audit pkg
Summary: Cluster-kube-apiserver does not use library-go for audit pkg
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: kube-apiserver
Version: 4.8
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
: 4.8.0
Assignee: Stefan Schimanski
QA Contact: Ke Wang
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-05-11 17:27 UTC by Emily Moss
Modified: 2021-07-27 23:08 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-07-27 23:07:53 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift cluster-kube-apiserver-operator pull 1089 0 None open bug 1959513: add default policy, use lib go audit 2021-05-11 17:34:39 UTC
Red Hat Product Errata RHSA-2021:2438 0 None None None 2021-07-27 23:08:11 UTC

Comment 2 Ke Wang 2021-06-07 09:32:58 UTC
Firstly , make sure the PR has been landed in latest payload,

$ oc adm release info --commits registry.ci.openshift.org/ocp/release:4.8.0-0.nightly-2021-06-06-164529 | grep kube-apiserver-operator
  cluster-kube-apiserver-operator                https://github.com/openshift/cluster-kube-apiserver-operator                a84657ee3c20a1c3af9ea1c7d6798b35fdc5be4f

$ git log --pretty="%h %an %cd - %s" a84657ee | grep '#1089 '
23103684 OpenShift Merge Robot Tue May 11 20:08:52 2021 -0400 - Merge pull request #1089 from EmilyM1/remove-audit-pkg-use-libgo

Then, change the audit profiles of apiserver to make sure the feature works fine.
$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.8.0-0.nightly-2021-06-06-164529   True        False         150m    Cluster version is 4.8.0-0.nightly-2021-06-06-164529

$ oc patch apiserver cluster -p '{"spec": {"audit": {"profile": "WriteRequestBodies"}}}' --type merge
apiserver.config.openshift.io/cluster patched

$ oc get apiserver/cluster -ojson | jq .spec.audit
{
  "profile": "WriteRequestBodies"
}

$ oc patch apiserver cluster -p '{"spec": {"audit": {"profile": "AllRequestBodies"}}}' --type merge
apiserver.config.openshift.io/cluster patched

$ oc get apiserver/cluster -ojson | jq .spec.audit
{
  "profile": "AllRequestBodies"
}

$  oc patch apiserver cluster -p '{"spec": {"audit": {"profile": "Default"}}}' --type merge
apiserver.config.openshift.io/cluster patched

$ oc get apiserver/cluster -ojson | jq .spec.audit
{
  "profile": "Default"
}

After every profile applied, checked the audit log, the results as expected, so move the bug VERIFIED.

Comment 5 errata-xmlrpc 2021-07-27 23:07:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438


Note You need to log in before you can comment on or make changes to this bug.