1974773 – Using bound SA tokens causes fail to query cluster resource especially in a sts cluster

Bug 1974773 - Using bound SA tokens causes fail to query cluster resource especially in a sts cluster

Summary: Using bound SA tokens causes fail to query cluster resource especially in a s...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	apiserver-auth
Sub Component:
Version:	4.8
Hardware:	Unspecified
OS:	Unspecified
Priority:	urgent
Severity:	urgent
Target Milestone:	---
Target Release:	4.8.0
Assignee:	Standa Laznicka
QA Contact:	liyao
Docs Contact:
URL:
Whiteboard:	EmergencyRequest
Duplicates (1):	1974788 (view as bug list)
Depends On:	1974716
Blocks:
TreeView+	depends on / blocked

Reported:	2021-06-22 14:15 UTC by Sergiusz Urbaniak
Modified:	2021-07-27 23:13 UTC (History)
CC List:	13 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:	1974716
Environment:
Last Closed:	2021-07-27 23:13:39 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	openshift cluster-kube-apiserver-operator pull 1160	0	None	closed	[release-4.8] Bug 1974773: SA token issuer observer: fix observing api-audiences	2021-06-24 12:01:23 UTC
Red Hat Product Errata	RHSA-2021:2438	0	None	None	None	2021-07-27 23:13:53 UTC

Comment 1 Standa Laznicka 2021-06-22 14:45:02 UTC

*** Bug 1974788 has been marked as a duplicate of this bug. ***

Comment 3 wang lin 2021-06-24 05:24:20 UTC

Verified on 4.8.0-0.nightly-2021-06-23-232238

1. provide my own Authentication CR into cluster manifests
$ oc get Authentication cluster -o json | jq -r ".spec"
{
  "oauthMetadata": {
    "name": ""
  },
  "serviceAccountIssuer": "https://a-lwansts-480-021932120336748-oidc.s3.us-east-2.amazonaws.com",
  "type": "",
  "webhookTokenAuthenticator": {
    "kubeConfig": {
      "name": "webhook-authentication-integrated-oauth"
    }
  }
}
2. launch an install
3. there is no longer Unauthorized keywords

Comment 6 errata-xmlrpc 2021-07-27 23:13:39 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438

Note You need to log in before you can comment on or make changes to this bug.