Description of problem: Auth tracker to switch to use flowcontrol.apiserver.k8s.io/v1beta2 instead v1beta1 to be deprecated in k8s 1.26, see: $ oc get apirequestcounts | grep -e NAME -e flowcontrol.apiserver.k8s.io NAME REMOVEDINRELEASE REQUESTSINCURRENTHOUR REQUESTSINLAST24H flowschemas.v1beta1.flowcontrol.apiserver.k8s.io 1.26 171 240 flowschemas.v1beta2.flowcontrol.apiserver.k8s.io 2235 3084 prioritylevelconfigurations.v1beta1.flowcontrol.apiserver.k8s.io 1.26 14 26 prioritylevelconfigurations.v1beta2.flowcontrol.apiserver.k8s.io 1520 2079 Using this bug for Auth component. Other components should create separate bugs. Version-Release number of selected component (if applicable): 4.11.0-0.nightly-2022-04-20-002931 How reproducible: Always Steps to Reproduce: 1. $ MASTERS=`oc get no | grep master | grep -o '^[^ ]*'` 2. $ for i in $MASTERS; do oc debug no/$i -- chroot /host bash -c "grep -hE '"'"k8s.io/removed-release":"[^"]+"'"' /var/log/kube-apiserver/audit*.log" ; done > all.log 3. $ grep '"k8s.io/removed-release":"1.26"' all.log > 1.26.log 4. $ jq -r '.user.username+": "+.requestURI' 1.26.log | sed 's/=[0-9][^&]*/=***/g' | sort | uniq -c | sort -n > 1.26.removed.apis 5. $ cat 1.26.removed.apis Check auth specific requests for this bug to fix: 6. $ cat 1.26.removed.apis | grep auth Actual results: 5. `cat 1.26.removed.apis` shows below requests that are using apiversions to be deprecated in k8s 1.26, the beginning is the request number, followed by request user and requested URL: 1 system:serviceaccount:openshift-cluster-version:default: /apis/flowcontrol.apiserver.k8s.io/v1beta1/prioritylevelconfigurations 1 system:serviceaccount:openshift-monitoring:kube-state-metrics: /apis/autoscaling/v2beta2/horizontalpodautoscalers?limit=***&resourceVersion=*** 9 system:serviceaccount:openshift-cluster-version:default: /apis/flowcontrol.apiserver.k8s.io/v1beta1/flowschemas 11 system:serviceaccount:openshift-monitoring:kube-state-metrics: /apis/autoscaling/v2beta2/horizontalpodautoscalers?allowWatchBookmarks=true&resourceVersion=***&timeout=***&timeoutSeconds=***&watch=true 18 system:serviceaccount:openshift-cluster-version:default: /apis/flowcontrol.apiserver.k8s.io/v1beta1/flowschemas/openshift-authentication-operator 18 system:serviceaccount:openshift-cluster-version:default: /apis/flowcontrol.apiserver.k8s.io/v1beta1/flowschemas/openshift-oauth-apiserver 18 system:serviceaccount:openshift-cluster-version:default: /apis/flowcontrol.apiserver.k8s.io/v1beta1/flowschemas/openshift-oauth-apiserver-sar 18 system:serviceaccount:openshift-cluster-version:default: /apis/flowcontrol.apiserver.k8s.io/v1beta1/flowschemas/openshift-oauth-server 20 system:serviceaccount:openshift-cluster-version:default: /apis/flowcontrol.apiserver.k8s.io/v1beta1/flowschemas/openshift-apiserver 20 system:serviceaccount:openshift-cluster-version:default: /apis/flowcontrol.apiserver.k8s.io/v1beta1/flowschemas/openshift-apiserver-operator 20 system:serviceaccount:openshift-cluster-version:default: /apis/flowcontrol.apiserver.k8s.io/v1beta1/flowschemas/openshift-apiserver-sar 20 system:serviceaccount:openshift-cluster-version:default: /apis/flowcontrol.apiserver.k8s.io/v1beta1/flowschemas/openshift-controller-manager 20 system:serviceaccount:openshift-cluster-version:default: /apis/flowcontrol.apiserver.k8s.io/v1beta1/flowschemas/openshift-etcd-operator 20 system:serviceaccount:openshift-cluster-version:default: /apis/flowcontrol.apiserver.k8s.io/v1beta1/flowschemas/openshift-kube-apiserver-operator 20 system:serviceaccount:openshift-cluster-version:default: /apis/flowcontrol.apiserver.k8s.io/v1beta1/flowschemas/openshift-monitoring-metrics 20 system:serviceaccount:openshift-cluster-version:default: /apis/flowcontrol.apiserver.k8s.io/v1beta1/prioritylevelconfigurations/openshift-control-plane-operators 29 system:serviceaccount:openshift-network-operator:default: /apis/flowcontrol.apiserver.k8s.io/v1beta1/flowschemas/openshift-sdn?fieldManager=cluster-network-operator%2Foperconfig&force=true 6. $ cat 1.26.removed.apis | grep auth 18 system:serviceaccount:openshift-cluster-version:default: /apis/flowcontrol.apiserver.k8s.io/v1beta1/flowschemas/openshift-authentication-operator 18 system:serviceaccount:openshift-cluster-version:default: /apis/flowcontrol.apiserver.k8s.io/v1beta1/flowschemas/openshift-oauth-apiserver 18 system:serviceaccount:openshift-cluster-version:default: /apis/flowcontrol.apiserver.k8s.io/v1beta1/flowschemas/openshift-oauth-apiserver-sar 18 system:serviceaccount:openshift-cluster-version:default: /apis/flowcontrol.apiserver.k8s.io/v1beta1/flowschemas/openshift-oauth-server The auth file to fix is: https://github.com/openshift/cluster-authentication-operator/blob/master/manifests/09_flowschema.yaml , as of now this bug is filed, its 4 objects still use: ``` apiVersion: flowcontrol.apiserver.k8s.io/v1beta1 kind: FlowSchema ... ``` Expected results: The components shown in above requests should switch to v1beta2.flowcontrol.apiserver.k8s.io. This bug tracks auth components. Additional info:
Dear reporter, we greatly appreciate the bug you have reported here. Unfortunately, due to migration to a new issue-tracking system (https://issues.redhat.com/), we cannot continue triaging bugs reported in Bugzilla. Since this bug has been stale for multiple days, we, therefore, decided to close this bug. If you think this is a mistake or this bug has a higher priority or severity as set today, please feel free to reopen this bug and tell us why. We are going to move every re-opened bug to https://issues.redhat.com. Thank you for your patience and understanding.