Bug 1974773 - Using bound SA tokens causes fail to query cluster resource especially in a sts cluster
Summary: Using bound SA tokens causes fail to query cluster resource especially in a s...
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: apiserver-auth
Version: 4.8
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.8.0
Assignee: Standa Laznicka
QA Contact: liyao
Whiteboard: EmergencyRequest
: 1974788 (view as bug list)
Depends On: 1974716
TreeView+ depends on / blocked
Reported: 2021-06-22 14:15 UTC by Sergiusz Urbaniak
Modified: 2021-07-27 23:13 UTC (History)
13 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1974716
Last Closed: 2021-07-27 23:13:39 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Github openshift cluster-kube-apiserver-operator pull 1160 0 None closed [release-4.8] Bug 1974773: SA token issuer observer: fix observing api-audiences 2021-06-24 12:01:23 UTC
Red Hat Product Errata RHSA-2021:2438 0 None None None 2021-07-27 23:13:53 UTC

Comment 1 Standa Laznicka 2021-06-22 14:45:02 UTC
*** Bug 1974788 has been marked as a duplicate of this bug. ***

Comment 3 wang lin 2021-06-24 05:24:20 UTC
Verified on 4.8.0-0.nightly-2021-06-23-232238

1. provide my own Authentication CR into cluster manifests
$ oc get Authentication cluster -o json | jq -r ".spec"
  "oauthMetadata": {
    "name": ""
  "serviceAccountIssuer": "https://a-lwansts-480-021932120336748-oidc.s3.us-east-2.amazonaws.com",
  "type": "",
  "webhookTokenAuthenticator": {
    "kubeConfig": {
      "name": "webhook-authentication-integrated-oauth"
2. launch an install
3. there is no longer Unauthorized keywords

Comment 6 errata-xmlrpc 2021-07-27 23:13:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.