Refer to the bug 1947801#c4 steps, still found the following api request from /apis/apiextensions.k8s.io/v1beta1/customresourcedefinitions/credentialsrequests.cloudcredential.openshift.io, $ cat dep.json | jq -r '.user.username+": "+.requestURI' | sort | uniq | grep customresourcedefinitions system:serviceaccount:openshift-cluster-version:default: /apis/apiextensions.k8s.io/v1beta1/customresourcedefinitions/credentialsrequests.cloudcredential.openshift.io
Hi Ke, Based on comment 1, I think it's the version of the `apiextensions.k8s.io` is using "v1beta1" that not allowed. Since the APIService is aggregated API that managed by the APIServer, I transfer this bug to the Master team. mac:~ jianzhang$ oc get apiservice | grep -i apiextensions v1.apiextensions.k8s.io Local True 6h46m v1beta1.apiextensions.k8s.io Local True 6h46m mac:~ jianzhang$ oc get apiservice v1beta1.apiextensions.k8s.io -o yaml apiVersion: apiregistration.k8s.io/v1 kind: APIService metadata: creationTimestamp: "2021-05-31T02:54:37Z" labels: kube-aggregator.kubernetes.io/automanaged: onstart name: v1beta1.apiextensions.k8s.io resourceVersion: "6" uid: 5a77c1f3-dfb7-4be5-9205-3bd44a1d7ee3 spec: group: apiextensions.k8s.io groupPriorityMinimum: 16700 version: v1beta1 versionPriority: 9 status: conditions: - lastTransitionTime: "2021-05-31T02:54:37Z" message: Local APIServices are always available reason: Local status: "True" type: Available
Agree with Jian Zhang's checking, will close this bug, still using the original bug 1952049 to track this. Close the bug with duplication. *** This bug has been marked as a duplicate of bug 1952049 ***
Jian Zhang, Ke Wang : this is NOT an issue of apiserver, also NOT an issue of original Helm bug, rather, it is issue of credentialsrequests that is defined as v1beta1 CRD. *** This bug has been marked as a duplicate of bug 1957446 ***