Bug 1965947 - CCO: check (see bug 1947801#c4 steps) audit log to find deprecated API access related to this component to ensure this component won't access APIs that trigger APIRemovedInNextReleaseInUse alert
Status: CLOSED DUPLICATE of bug 1957446
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Cloud Credential Operator
Version: 4.8
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
: 4.8.0
Assignee: Devan Goodwin
QA Contact: wang lin
Reported: 2021-05-31 08:20 UTC by Ke Wang
Modified: 2021-06-02 07:09 UTC (History)
Last Closed: 2021-05-31 10:58:26 UTC

Comment 1 Ke Wang 2021-05-31 08:21:53 UTC
Referring to the steps in bug 1947801#c4, I still found the following API request for /apis/apiextensions.k8s.io/v1beta1/customresourcedefinitions/credentialsrequests.cloudcredential.openshift.io:
$ cat dep.json | jq -r '.user.username+": "+.requestURI' | sort | uniq | grep customresourcedefinitions
system:serviceaccount:openshift-cluster-version:default: /apis/apiextensions.k8s.io/v1beta1/customresourcedefinitions/credentialsrequests.cloudcredential.openshift.io
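
Added example (not part of the original comments or of the Cloud Credential Operator code): the same per-user, per-URI roll-up as the jq pipeline in comment 1, done in Python over raw audit events, with truncated lines tolerated. It assumes the events carry the `k8s.io/deprecated` and `k8s.io/removed-release` annotations that kube-apiserver attaches to requests for deprecated APIs; the sample events, the `example-ns` service account and the function names are constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample input: four audit events as JSON lines plus one truncated line.
SAMPLE_AUDIT_LOG = """\
{"verb":"get","requestURI":"/apis/apiextensions.k8s.io/v1beta1/customresourcedefinitions/credentialsrequests.cloudcredential.openshift.io","user":{"username":"system:serviceaccount:openshift-cluster-version:default"},"annotations":{"k8s.io/deprecated":"true","k8s.io/removed-release":"1.22"}}
{"verb":"get","requestURI":"/apis/apiextensions.k8s.io/v1beta1/customresourcedefinitions/credentialsrequests.cloudcredential.openshift.io","user":{"username":"system:serviceaccount:openshift-cluster-version:default"},"annotations":{"k8s.io/deprecated":"true","k8s.io/removed-release":"1.22"}}
{"verb":"list","requestURI":"/apis/batch/v1beta1/cronjobs","user":{"username":"system:serviceaccount:example-ns:example-sa"},"annotations":{"k8s.io/deprecated":"true","k8s.io/removed-release":"1.25"}}
{"verb":"get","requestURI":"/api/v1/namespaces","user":{"username":"system:admin"},"annotations":{"authorization.k8s.io/decision":"allow"}}
{"verb":"list","requestURI":"/apis/apiextensions.k8s.io/v1beta1/custo
"""

def deprecated_api_access(lines, path_filter=""):
    """Count deprecated-API requests per (username, requestURI, removed-release)."""
    hits, skipped = Counter(), 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1  # a truncated or rotated line must not abort the scan
            continue
        if not isinstance(event, dict):
            skipped += 1
            continue
        annotations = event.get("annotations") or {}
        if annotations.get("k8s.io/deprecated") != "true":
            continue  # request did not touch a deprecated API version
        uri = event.get("requestURI", "")
        if path_filter not in uri:
            continue  # same role as the trailing grep in the jq pipeline
        user = (event.get("user") or {}).get("username", "<unknown>")
        removed = annotations.get("k8s.io/removed-release", "<unknown>")
        hits[(user, uri, removed)] += 1
    return hits, skipped

def report(hits):
    """One line per distinct caller and URI, like `sort | uniq`, with a request count."""
    return [f"{user}: {uri} (removed in {removed}, {count} request(s))"
            for (user, uri, removed), count in sorted(hits.items())]

if __name__ == "__main__":
    found, bad = deprecated_api_access(SAMPLE_AUDIT_LOG.splitlines(), "customresourcedefinitions")
    print("\n".join(report(found)))
    print(f"skipped {bad} unparseable line(s)")
```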

Comment 2 Jian Zhang 2021-05-31 09:47:02 UTC
Hi Ke,

Based on comment 1, I think the problem is that the version of `apiextensions.k8s.io` in use is "v1beta1", which is not allowed. Since the APIService is an aggregated API that is managed by the APIServer, I am transferring this bug to the Master team.

mac:~ jianzhang$ oc get apiservice | grep -i apiextensions
v1.apiextensions.k8s.io                       Local                                                        True        6h46m
v1beta1.apiextensions.k8s.io                  Local                                                        True        6h46m

mac:~ jianzhang$ oc get apiservice v1beta1.apiextensions.k8s.io  -o yaml 
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
  creationTimestamp: "2021-05-31T02:54:37Z"
  labels:
    kube-aggregator.kubernetes.io/automanaged: onstart
  name: v1beta1.apiextensions.k8s.io
  resourceVersion: "6"
  uid: 5a77c1f3-dfb7-4be5-9205-3bd44a1d7ee3
spec:
  group: apiextensions.k8s.io
  groupPriorityMinimum: 16700
  version: v1beta1
  versionPriority: 9
status:
  conditions:
  - lastTransitionTime: "2021-05-31T02:54:37Z"
    message: Local APIServices are always available
    reason: Local
    status: "True"
    type: Available

Comment 3 Ke Wang 2021-05-31 10:58:26 UTC
I agree with Jian Zhang's check and will close this bug, still using the original bug 1952049 to track this. Closing the bug as a duplicate.

*** This bug has been marked as a duplicate of bug 1952049 ***

Comment 4 Xingxing Xia 2021-06-02 07:09:03 UTC
Jian Zhang, Ke Wang: this is NOT an issue with the apiserver, and also NOT an issue with the original Helm bug; rather, it is an issue with credentialsrequests, which is defined as a v1beta1 CRD.

*** This bug has been marked as a duplicate of bug 1957446 ***

