@luis The PR is not yet merged into the openshift:release-4.10 branch. Please merge the changes.

    oc get clusterversion
    NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
    version   4.10.0-0.nightly-2022-03-09-224546   True        False         18m     Cluster version is 4.10.0-0.nightly-2022-03-09-224546

    kas_pod=$(oc get pods -n openshift-kube-apiserver | grep 'apiserver' | grep -v 'guard'| awk 'NR==1{print $1}')
    rahulgangwar@rgangwar-mac verification-tests % oc exec -n openshift-kube-apiserver $kas_pod -- cat /etc/kubernetes/static-pod-resources/configmaps/kube-apiserver-audit-policies/policy.yaml | grep -A5 "group: apiserver"
    Defaulting container name to kube-apiserver.
    Use 'oc describe pod/kube-apiserver-rgangwar-10de1-gzmw8-master-0.c.openshift-qe.internal -n openshift-kube-apiserver' to see all of the containers in this pod.

Not able to find the apirequestcount definition in the policy.yaml file in 4.10, unlike in 4.11 as shown below.

    oc get clusterversion
    NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
    version   4.11.0-0.nightly-2022-02-27-122819   True        False         5h38m   Cluster version is 4.11.0-0.nightly-2022-02-27-122819

    $ kas_pod=$(oc get pods -n openshift-kube-apiserver | grep 'apiserver' | grep -v 'guard'| awk 'NR==1{print $1}')
    $ oc exec -n openshift-kube-apiserver $kas_pod -- cat /etc/kubernetes/static-pod-resources/configmaps/kube-apiserver-audit-policies/policy.yaml | grep -A5 "group: apiserver"
    - group: apiserver.openshift.io
      resources:
      - apirequestcounts
      - apirequestcounts/*
      users:
      - system:apiserver
Inline tests are performed in the fixed build with different kube-apiserver cluster profiles.

Step 1: Get the cluster version.

    $ oc get clusterversion
    NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
    version   4.10.0-0.nightly-2022-07-25-110002   True        False         22m     Cluster version is 4.10.0-0.nightly-2022-07-25-110002

Step 2: Check the apirequestcount definition in the policy.yaml file.

    $ kas_pod=$(oc get pods -n openshift-kube-apiserver | grep 'apiserver' | grep -v 'guard'| awk 'NR==1{print $1}')
    $ oc exec -n openshift-kube-apiserver $kas_pod -- cat /etc/kubernetes/static-pod-resources/configmaps/kube-apiserver-audit-policies/policy.yaml | grep -A5 "group: apiserver"
    - group: apiserver.openshift.io
      resources:
      - apirequestcounts
      - apirequestcounts/*
      users:
      - system:apiserver

Step 3: Run the inline script to check for the presence of "apirequestcount" in the logs.

    $ cat check_and_filter_apirequestcount.sh
    # Pattern for the resource whose audit entries must be absent
    PATTERN="apirequestcount"
    # Only entries made by the apiserver's own identity are of interest
    PATTERN_SECOND="system:apiserver"
    # The CRD's name also contains "apirequestcounts"; exclude those entries
    PATTERN_EXCLUDE="customresourcedefinitions"
    KAS_PODS=$(oc get pods -n openshift-kube-apiserver | grep 'apiserver' | grep -v 'guard'| awk '{print $1}')
    for i in $KAS_PODS; do
      oc exec -n openshift-kube-apiserver $i -- grep -iEr $PATTERN /var/log/kube-apiserver | grep $PATTERN_SECOND | grep -v $PATTERN_EXCLUDE || true
    done > kas_auditlog_api.log

Step 4: Checks with the "Default" cluster profile.

    $ oc get apiserver/cluster -ojson | jq .spec.audit
    {
      "profile": "Default"
    }
    $ sh check_and_filter_apirequestcount.sh
    $ cat kas_auditlog_api.log | wc -l
    0

Step 5: Repeat the Step 3 checks with the "WriteRequestBodies" profile.

    $ oc patch apiserver cluster -p '{"spec": {"audit": {"profile": "WriteRequestBodies"}}}' --type merge
    apiserver.config.openshift.io/cluster patched
    $ oc get apiserver/cluster -ojson | jq .spec.audit
    {
      "profile": "WriteRequestBodies"
    }
    $ sh check_and_filter_apirequestcount.sh
    $ cat kas_auditlog_api.log | wc -l
    0

Step 6: Repeat the Step 3 checks with the "AllRequestBodies" profile.

    $ oc patch apiserver cluster -p '{"spec": {"audit": {"profile": "AllRequestBodies"}}}' --type merge
    apiserver.config.openshift.io/cluster patched
    $ oc get apiserver/cluster -ojson | jq .spec.audit
    {
      "profile": "AllRequestBodies"
    }
    $ sh check_and_filter_apirequestcount.sh
    $ cat kas_auditlog_api.log | wc -l
    0

Step 7: Repeat the Step 3 checks with the "None" profile.

    $ oc patch apiserver cluster -p '{"spec": {"audit": {"profile": "None"}}}' --type merge
    apiserver.config.openshift.io/cluster patched
    $ oc get apiserver/cluster -ojson | jq .spec.audit
    {
      "profile": "None"
    }
    $ sh check_and_filter_apirequestcount.sh
    $ cat kas_auditlog_api.log | wc -l
    0

From the above step results, in none of the kube-apiserver supported profiles are the request entries for apirequestcounts requests made by system:apiserver part of the audit logs. Hence moved the bug to verified.
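As an added example, not part of this bug report or of the OpenShift project's own code: the same grep chain that check_and_filter_apirequestcount.sh runs inside each kube-apiserver pod, applied to a constructed audit log file so the filter (and the reason for the customresourcedefinitions exclusion) can be checked offline. The JSON lines below are constructed approximations of audit events, not captured cluster output, and the function names are assumptions for this example.

```shell
#!/bin/sh
# Constructed sample of kube-apiserver audit lines (one JSON event per line).
# Line 1: the kind of entry the fixed audit policy is expected to drop.
# Line 2: the apiserver reading the apirequestcounts CRD itself; its name contains
#         "apirequestcounts", which is why the verification script excludes CRD entries.
# Line 3: a human user reading apirequestcounts; not made by system:apiserver.
# Line 4: unrelated traffic.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
{"kind":"Event","verb":"update","user":{"username":"system:apiserver"},"objectRef":{"resource":"apirequestcounts","apiGroup":"apiserver.openshift.io","name":"pods.v1"}}
{"kind":"Event","verb":"get","user":{"username":"system:apiserver"},"objectRef":{"resource":"customresourcedefinitions","apiGroup":"apiextensions.k8s.io","name":"apirequestcounts.apiserver.openshift.io"}}
{"kind":"Event","verb":"get","user":{"username":"kube:admin"},"objectRef":{"resource":"apirequestcounts","apiGroup":"apiserver.openshift.io","name":"pods.v1"}}
{"kind":"Event","verb":"list","user":{"username":"system:apiserver"},"objectRef":{"resource":"pods","apiGroup":""}}
EOF

# A second constructed log with the first line removed: what a fixed build should produce.
CLEAN_LOG="$(mktemp)"
sed '1d' "$SAMPLE_LOG" > "$CLEAN_LOG"
trap 'rm -f "$SAMPLE_LOG" "$CLEAN_LOG"' EXIT

# Same three-stage filter as the verification script, applied to a file instead of
# /var/log/kube-apiserver inside a pod (so no -r is needed). "|| true" keeps an empty
# result from being treated as an error, exactly as in the original script.
filter_apirequestcount() {
    grep -iE "apirequestcount" "$1" | grep "system:apiserver" | grep -v "customresourcedefinitions" || true
}

# Number of surviving entries; tr strips the leading spaces some wc builds print.
count_apirequestcount() {
    filter_apirequestcount "$1" | wc -l | tr -d ' '
}

# Pass/fail check mirroring the bug's verification criterion: zero entries must remain.
check_policy_drops_apirequestcount() {
    [ "$(count_apirequestcount "$1")" -eq 0 ]
}

# Stand-alone demonstration.
echo "unfixed sample: $(count_apirequestcount "$SAMPLE_LOG") entries"   # 1
echo "fixed sample:   $(count_apirequestcount "$CLEAN_LOG") entries"    # 0
if check_policy_drops_apirequestcount "$CLEAN_LOG"; then
    echo "fixed sample passes the verification criterion"
fi
```

Only the first constructed line survives the chain: the CRD read is dropped by the exclusion even though its object name contains "apirequestcounts", and the kube:admin read is dropped because the policy rule in question is scoped to the system:apiserver user. Running the check against a real cluster means replacing the file argument with the per-pod `oc exec ... grep -iEr` invocation from Step 3.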
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.10.25 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:5730