Test steps:

1. Make audit logs contain request/response bodies:

$ oc patch apiserver/cluster --type=merge -p '{"spec": {"audit": {"profile": "AllRequestBodies"}}}'

Wait for KAS/OAS/OauthAs pods to finish rotation.

2. Make requests to be audited of resources that belong to oauth-apiserver:

$ oc login -u USER -p PASSWORD

3. Check oauth-apiserver audit logs:

PATTERN="managedFields"
MASTERS=`oc get no | grep master | grep -o '^[^ ]*'`
for i in $MASTERS; do
  oc debug no/$i -- chroot /host bash -c "grep -hE '$PATTERN' /var/log/oauth-apiserver/audit*.log || true"
done > audit-oauth-apiserver.log

Ran the above test steps against 4.9; audit-oauth-apiserver.log did not drop managedFields:

{"kind":"Event",...,"responseObject":{"kind":"OAuthAuthorizeToken","apiVersion":"oauth.openshift.io/v1","metadata":{"name":"sha256~_...",...,"managedFields":[{"manager":"oauth-server"...

This is expected, because 4.9 oauth-apiserver does not implement the dropping. However, ran the above steps against latest 4.10.0-0.nightly-2022-01-26-234447, and oauth-apiserver audit logs still did not drop managedFields:

{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse",...,"requestURI":"/apis/user.openshift.io/v1/users/testuser-13","verb":"get","user":{"username":"system:apiserver",...,"responseObject":{"kind":"User","apiVersion":"user.openshift.io/v1","metadata":{"name":"testuser-13",...,"managedFields":[{"manager":"oauth-server","operation":"Update",...

But checked:

$ oc get cm -n openshift-oauth-apiserver audit -o yaml
apiVersion: v1
data:
  policy.yaml: |
    apiVersion: audit.k8s.io/v1
    kind: Policy
    metadata:
      creationTimestamp: null
      name: policy
    omitManagedFields: true
...

It already defines omitManagedFields as true. This result means omitManagedFields as 'true' does not take effect in dropping "managedFields" in audit logs.
@xxia I can't seem to reproduce on 4.11 (4.11.0-0.ci-2022-04-29-080325). Would you mind to check again, so that we can close?
Pierre, tested in 4.11 (4.11.0-0.nightly-2022-05-05-015322) with the above steps, it works well and does not have the issue. Double tested 4.10 again (4.10.0-0.nightly-2022-05-06-010401), it still has the issue:

$ oc login -u testuser-13

Check oauth-apiserver audit logs:

$ PATTERN="managedFields"
$ MASTERS=`oc get no | grep master | grep -o '^[^ ]*'`
$ for i in $MASTERS; do
    oc debug no/$i -- chroot /host bash -c "grep -hE '$PATTERN' /var/log/oauth-apiserver/audit*.log || true"
  done > audit-oauth-apiserver_4.10_test_again.log
$ cat audit-oauth-apiserver_4.10_test_again.log
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"26bf867a-60a3-4d8e-a62b-9685d0f9c4d9","stage":"ResponseComplete","requestURI":"/apis/user.openshift.io/v1/identities","verb":"create","user":{"username":"system:serviceaccount:openshift-authentication:oauth-openshift","groups":["system:serviceaccounts","system:serviceaccounts:openshift-authentication","system:authenticated"],"extra":{"authentication.kubernetes.io/pod-name":["oauth-openshift-b68f59c99-r8bz5"],"authentication.kubernetes.io/pod-uid":["c178e769-ad21-4066-84ab-1abbb271961b"]}},"sourceIPs":["10.0.135.123","10.129.0.1"],"userAgent":"oauth-server/v0.0.0 (linux/amd64) kubernetes/$Format","objectRef":{"resource":"identities","name":"flexy-htpasswd-provider:testuser-13","apiGroup":"user.openshift.io","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Identity","apiVersion":"user.openshift.io/v1","metadata":{"name":"flexy-htpasswd-provider:testuser-13","creationTimestamp":null},"providerName":"flexy-htpasswd-provider","providerUserName":"testuser-13","user":{"name":"testuser-13","uid":"c1046d6a-9529-486d-bc0e-f81c31c033e1"}},"responseObject":{"kind":"Identity","apiVersion":"user.openshift.io/v1","metadata":{"name":"flexy-htpasswd-provider:testuser-13","uid":"a9d37da6-2f15-4689-9441-b72781505810","resourceVersion":"58904","creationTimestamp":"2022-05-06T10:09:29Z","managedFields":[{"manager":"oauth-server","operation":"Update","apiVersion":"user.openshift.io/v1","time":"2022-05-06T10:09:29Z","fieldsType":"FieldsV1","fieldsV1":{"f:providerName":{},"f:providerUserName":{},"f:user":{}}}]},"providerName":"flexy-htpasswd-provider","providerUserName":"testuser-13","user":{"name":"testuser-13","uid":"c1046d6a-9529-486d-bc0e-f81c31c033e1"}},"requestReceivedTimestamp":"2022-05-06T10:09:29.613246Z","stageTimestamp":"2022-05-06T10:09:29.629455Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:openshift:openshift-authentication\" of ClusterRole \"cluster-admin\" to ServiceAccount \"oauth-openshift/openshift-authentication\""}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"8bafc8a4-ed8a-4d1a-9cc8-32538eac126b","stage":"ResponseComplete","requestURI":"/apis/oauth.openshift.io/v1/oauthauthorizetokens","verb":"create","user":{"username":"system:serviceaccount:openshift-authentication:oauth-openshift","groups":["system:serviceaccounts","system:serviceaccounts:openshift-authentication","system:authenticated"],"extra":{"authentication.kubernetes.io/pod-name":["oauth-openshift-b68f59c99-r8bz5"],"authentication.kubernetes.io/pod-uid":["c178e769-ad21-4066-84ab-1abbb271961b"]}},"sourceIPs":["10.0.135.123","10.129.0.1"],"userAgent":"oauth-server/v0.0.0 (linux/amd64) kubernetes/$Format","objectRef":{"resource":"oauthauthorizetokens","name":"sha256~2ze0U5zocUK0v-GTUZhNNQ1a3ZAD9u5JMD4k0khAXEc","apiGroup":"oauth.openshift.io","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"OAuthAuthorizeToken","apiVersion":"oauth.openshift.io/v1","metadata":{"name":"sha256~2ze0U5zocUK0v-GTUZhNNQ1a3ZAD9u5JMD4k0khAXEc","creationTimestamp":null},"clientName":"openshift-challenging-client","expiresIn":300,"scopes":["user:full"],"redirectURI":"https://oauth-openshift.apps.../oauth/token/implicit","userName":"testuser-13","userUID":"c1046d6a-9529-486d-bc0e-f81c31c033e1","codeChallenge":"TAGxO_wH_v6hJWlPm2tqOQ_rX8Wu6cqZmn-qWuohz5U","codeChallengeMethod":"S256"},"responseObject":{"kind":"OAuthAuthorizeToken","apiVersion":"oauth.openshift.io/v1","metadata":{"name":"sha256~2ze0U5zocUK0v-GTUZhNNQ1a3ZAD9u5JMD4k0khAXEc","uid":"6d9c36ba-2f99-4d29-a250-c0524988fc26","resourceVersion":"58905","creationTimestamp":"2022-05-06T10:09:29Z","managedFields":[{"manager":"oauth-server","operation":"Update","apiVersion":"oauth.openshift.io/v1","time":"2022-05-06T10:09:29Z","fieldsType":"FieldsV1","fieldsV1":{"f:clientName":{},"f:codeChallenge":{},"f:codeChallengeMethod":{},"f:expiresIn":{},"f:redirectURI":{},"f:scopes":{},"f:userName":{},"f:userUID":{}}}]},"clientName":"openshift-challenging-client","expiresIn":300,"scopes":["user:full"],"redirectURI":"https://oauth-openshift.apps.../oauth/token/implicit","userName":"testuser-13","userUID":"c1046d6a-9529-486d-bc0e-f81c31c033e1","codeChallenge":"TAGxO_wH_v6hJWlPm2tqOQ_rX8Wu6cqZmn-qWuohz5U","codeChallengeMethod":"S256"},"requestReceivedTimestamp":"2022-05-06T10:09:29.637719Z","stageTimestamp":"2022-05-06T10:09:29.648750Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:openshift:openshift-authentication\" of ClusterRole \"cluster-admin\" to ServiceAccount \"oauth-openshift/openshift-authentication\""}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"d1a9ed04-e9f7-4ba4-bacc-5e8be76fb2c6","stage":"ResponseComplete","requestURI":"/apis/oauth.openshift.io/v1/oauthaccesstokens","verb":"create","user":{"username":"system:serviceaccount:openshift-authentication:oauth-openshift","groups":["system:serviceaccounts","system:serviceaccounts:openshift-authentication","system:authenticated"],"extra":{"authentication.kubernetes.io/pod-name":["oauth-openshift-b68f59c99-r8bz5"],"authentication.kubernetes.io/pod-uid":["c178e769-ad21-4066-84ab-1abbb271961b"]}},"sourceIPs":["10.0.135.123","10.129.0.1"],"userAgent":"oauth-server/v0.0.0 (linux/amd64) kubernetes/$Format","objectRef":{"resource":"oauthaccesstokens","name":"sha256~bT09ntIOWXkw_AbHxukSokLsbcxW58VCAgMx1zZ6aU4","apiGroup":"oauth.openshift.io","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"OAuthAccessToken","apiVersion":"oauth.openshift.io/v1","metadata":{"name":"sha256~bT09ntIOWXkw_AbHxukSokLsbcxW58VCAgMx1zZ6aU4","creationTimestamp":null},"clientName":"openshift-challenging-client","expiresIn":86400,"scopes":["user:full"],"redirectURI":"https://oauth-openshift.apps.../oauth/token/implicit","userName":"testuser-13","userUID":"c1046d6a-9529-486d-bc0e-f81c31c033e1","authorizeToken":"sha256~ua32P8k-C2RMNDAj4gk-x-5slEtGJ3m9-P-qUXhKQ6Y"},"responseObject":{"kind":"OAuthAccessToken","apiVersion":"oauth.openshift.io/v1","metadata":{"name":"sha256~bT09ntIOWXkw_AbHxukSokLsbcxW58VCAgMx1zZ6aU4","uid":"b65684b5-798a-4051-aa39-94dc1c3ebc89","resourceVersion":"58906","creationTimestamp":"2022-05-06T10:09:29Z","managedFields":[{"manager":"oauth-server","operation":"Update","apiVersion":"oauth.openshift.io/v1","time":"2022-05-06T10:09:29Z","fieldsType":"FieldsV1","fieldsV1":{"f:authorizeToken":{},"f:clientName":{},"f:expiresIn":{},"f:redirectURI":{},"f:scopes":{},"f:userName":{},"f:userUID":{}}}]},"clientName":"openshift-challenging-client","expiresIn":86400,"scopes":["user:full"],"redirectURI":"https://oauth-openshift.apps.../oauth/token/implicit","userName":"testuser-13","userUID":"c1046d6a-9529-486d-bc0e-f81c31c033e1","authorizeToken":"sha256~ua32P8k-C2RMNDAj4gk-x-5slEtGJ3m9-P-qUXhKQ6Y"},"requestReceivedTimestamp":"2022-05-06T10:09:29.685242Z","stageTimestamp":"2022-05-06T10:09:29.695344Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:openshift:openshift-authentication\" of ClusterRole \"cluster-admin\" to ServiceAccount \"oauth-openshift/openshift-authentication\""}}
...
This bug ID was used to track 4.10; it still has the bug. Not sure if 4.10 needs a fix.
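The grep in the test steps above matches the word "managedFields" anywhere in a line, which is enough to spot the problem but says nothing about where in the event it sits. The script below is an added example (my own, not from this report or from OpenShift) that parses each audit event as JSON and reports which body, requestObject or responseObject, still carries metadata.managedFields, which is exactly what omitManagedFields: true is meant to remove. It goes a little beyond the single-object events quoted in the report by also walking the items of a List response, and it skips a line that a log rotation left truncated instead of aborting. The sample events, their auditIDs and the names in them are constructed.

```python
#!/usr/bin/env python3
"""Verify that audit events no longer carry metadata.managedFields.

Added example for the bug report above, not code from the report or from
OpenShift. Audit logs hold one JSON Event per line; for each event we look at
requestObject and responseObject (and the items of a List body) and report
any that still carry metadata.managedFields.
"""
import json
import sys
from typing import Iterable, Iterator

# Constructed sample log (auditIDs and names are made up): a get whose
# response leaks managedFields, a clean get, a Metadata-level event without
# bodies, a line truncated by log rotation, a create that leaks only in the
# requestObject, and a list whose second item leaks.
SAMPLE_LOG = """\
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"sample-0001","stage":"ResponseComplete","requestURI":"/apis/user.openshift.io/v1/users/testuser-13","verb":"get","user":{"username":"system:apiserver"},"responseObject":{"kind":"User","apiVersion":"user.openshift.io/v1","metadata":{"name":"testuser-13","managedFields":[{"manager":"oauth-server","operation":"Update"}]}}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"sample-0002","stage":"ResponseComplete","requestURI":"/apis/user.openshift.io/v1/users/testuser-13","verb":"get","user":{"username":"system:apiserver"},"responseObject":{"kind":"User","apiVersion":"user.openshift.io/v1","metadata":{"name":"testuser-13"}}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"sample-0003","stage":"ResponseComplete","requestURI":"/apis/oauth.openshift.io/v1/oauthaccesstokens","verb":"create","user":{"username":"system:serviceaccount:openshift-authentication:oauth-openshift"}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"sample-0004","stage":"ResponseComp
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"sample-0005","stage":"ResponseComplete","requestURI":"/apis/user.openshift.io/v1/identities","verb":"create","user":{"username":"system:serviceaccount:openshift-authentication:oauth-openshift"},"requestObject":{"kind":"Identity","apiVersion":"user.openshift.io/v1","metadata":{"name":"sample-provider:testuser-13","managedFields":[{"manager":"oauth-server"}]}},"responseObject":{"kind":"Identity","apiVersion":"user.openshift.io/v1","metadata":{"name":"sample-provider:testuser-13"}}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"sample-0006","stage":"ResponseComplete","requestURI":"/apis/user.openshift.io/v1/users","verb":"list","user":{"username":"system:apiserver"},"responseObject":{"kind":"UserList","apiVersion":"user.openshift.io/v1","metadata":{"resourceVersion":"1"},"items":[{"kind":"User","metadata":{"name":"alice"}},{"kind":"User","metadata":{"name":"bob","managedFields":[{"manager":"oauth-server"}]}}]}}
"""


def parse_events(lines: Iterable[str]) -> Iterator[dict]:
    """Yield audit Event objects, skipping blank or unparsable lines (a
    rotated audit*.log can end mid-event, and grep output may mix files)."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict) and event.get("kind") == "Event":
            yield event


def _has_managed_fields(obj: dict) -> bool:
    """True if obj (a single resource or a List) carries managedFields in
    its own metadata or in the metadata of any list item."""
    meta = obj.get("metadata")
    if isinstance(meta, dict) and "managedFields" in meta:
        return True
    items = obj.get("items")
    if isinstance(items, list):
        return any(isinstance(it, dict) and _has_managed_fields(it) for it in items)
    return False


def managed_fields_leaks(event: dict) -> list:
    """Return the body fields of one event that still carry managedFields."""
    return [
        key
        for key in ("requestObject", "responseObject")
        if isinstance(event.get(key), dict) and _has_managed_fields(event[key])
    ]


def audit_managed_fields(lines: Iterable[str]) -> dict:
    """Summarise a log: event counts plus (auditID, requestURI, fields) for
    every leaking event. An empty 'leaking' list means omitManagedFields
    took effect for everything in the log."""
    summary = {"events": 0, "with_bodies": 0, "leaking": []}
    for event in parse_events(lines):
        summary["events"] += 1
        if "requestObject" in event or "responseObject" in event:
            summary["with_bodies"] += 1
        leaks = managed_fields_leaks(event)
        if leaks:
            summary["leaking"].append((event.get("auditID"), event.get("requestURI"), leaks))
    return summary


def main(argv: list) -> int:
    """Read the audit log named in argv[1] (e.g. the file produced by the
    oc debug loop in the test steps), or the constructed sample if none."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            summary = audit_managed_fields(fh)
    else:
        summary = audit_managed_fields(SAMPLE_LOG.splitlines())
    print(f"events: {summary['events']}, with bodies: {summary['with_bodies']}")
    for audit_id, uri, fields in summary["leaking"]:
        print(f"LEAK {audit_id} {uri} in {', '.join(fields)}")
    return 1 if summary["leaking"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 check_managed_fields.py audit-oauth-apiserver.log` after collecting the log with the loop from the test steps; a non-zero exit means at least one body still had managedFields, so the policy did not take effect on that apiserver. On the constructed sample it reports three leaking events (the get, the create's requestObject and the list item) out of four events with bodies.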
I am going to close this report, as the issue is fixed in 4.11. As for 4.10, my understanding is that the impact is mild enough that it doesn't require a backport.
Thank you!