2149627 – Deprecated gpu-operator API call

Bug 2149627 - Deprecated gpu-operator API call

Summary: Deprecated gpu-operator API call

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Container Native Virtualization (CNV)
Classification:	Red Hat
Component:	Virtualization
Sub Component:
Version:	4.11.1
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	---
Target Release:	4.13.1
Assignee:	Vladik Romanovsky
QA Contact:	Kedar Bidarkar
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2022-11-30 12:45 UTC by Yossi Segev
Modified:	2023-10-19 04:25 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2023-06-20 13:41:05 UTC
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Github	NVIDIA gpu-operator issues 451	None	open	gpu-operator - deprecated API 1.25 call in audit log	2023-01-11 19:26:12 UTC
Red Hat Issue Tracker	CNV-23024	None	None	None	2022-11-30 12:58:28 UTC
Red Hat Product Errata	RHEA-2023:3686	None	None	None	2023-06-20 13:41:26 UTC

Description Yossi Segev 2022-11-30 12:45:30 UTC

Description of problem:
Deprecated gpu-operator API call


Version-Release number of selected component (if applicable):
CNV 4.11.1-92


Steps to Reproduce:
1. Run cnv-test's test_deprecated_apis_in_audit_logs


Actual results:
tests.deprecated_api.test_deprecation_audit_logs.DeprecatedAPIError: Component: gpu-operator/v0.0.0 (linux/amd64) kubernetes/$Format


Calls:
    {'kind': 'Event', 'apiVersion': 'audit.k8s.io/v1', 'level': 'Metadata', 'auditID': '580fb685-ea0c-4ea1-b62f-ddea1cd208ca', 'stage': 'ResponseComplete', 'requestURI': '/apis/policy/v1beta1/podsecuritypolicies/gpu-operator-privileged', 'verb': 'delete', 'user': {'username': 'system:serviceaccount:nvidia-gpu-operator:gpu-operator', 'uid': '6a3bd614-77d3-4110-b843-f44d4b0d2fe3', 'groups': ['system:serviceaccounts', 'system:serviceaccounts:nvidia-gpu-operator', 'system:authenticated'], 'extra': {'authentication.kubernetes.io/pod-name': ['gpu-operator-7d46cdf9d7-27zmt'], 'authentication.kubernetes.io/pod-uid': ['96991cb8-450d-42e4-be68-3ab057d2c471']}}, 'sourceIPs': ['10.9.96.81'], 'userAgent': 'gpu-operator/v0.0.0 (linux/amd64) kubernetes/$Format', 'objectRef': {'resource': 'podsecuritypolicies', 'name': 'gpu-operator-privileged', 'apiGroup': 'policy', 'apiVersion': 'v1beta1'}, 'responseStatus': {'metadata': {}, 'status': 'Failure', 'message': 'podsecuritypolicies.policy "gpu-operator-privileged" not found', 'reason': 'NotFound', 'details': {'name': 'gpu-operator-privileged', 'group': 'policy', 'kind': 'podsecuritypolicies'}, 'code': 404}, 'requestReceivedTimestamp': '2022-11-29T15:42:57.570973Z', 'stageTimestamp': '2022-11-29T15:42:57.572602Z', 'annotations': {'authorization.k8s.io/decision': 'allow', 'authorization.k8s.io/reason': 'RBAC: allowed by ClusterRoleBinding "gpu-operator-certified.v22.9.0-776d5fcf49" of ClusterRole "gpu-operator-certified.v22.9.0-776d5fcf49" to ServiceAccount "gpu-operator/nvidia-gpu-operator"', 'k8s.io/deprecated': 'true', 'k8s.io/removed-release': '1.25'}}

Comment 1 Petr Horáček 2022-12-08 10:06:47 UTC

Moving to virt since it is connected to GPU operator.

Comment 2 sgott 2022-12-14 13:31:49 UTC

Vladik, could you take a look?

Comment 4 Fabian Deutsch 2023-01-11 13:41:08 UTC

I think this is a GPU Operator bug.
It seems that the NV GPU Operator is using PodSecurityPolicies (PSP) which are now deprecated.

@fdupont thoughts?

Comment 5 Jenia Peimer 2023-02-22 12:18:40 UTC

New comment on GitHub: https://github.com/NVIDIA/gpu-operator/issues/451#issuecomment-1439914223
```
shivamerla commented 8 minutes ago
@jpeimer Yes, PSP resource creation is retained in the code for orchestrators like VMware Tanzu, but not used for OCP. The audit log seems to be generated because we are trying to delete this resource for OCP as well. Will fix this as part of 23.03 release in March.
```

Comment 6 Jenia Peimer 2023-04-05 10:32:28 UTC

New comment on GitHub: https://github.com/NVIDIA/gpu-operator/issues/451#issuecomment-1496993975
```
shivamerla commented 3 hours ago • 
@jpeimer this has been fixed with v23.3.0, please try out and re-open if you still see this issue.
https://docs.nvidia.com/datacenter/cloud-native/gpu-operator/release-notes.html
```

Comment 8 Kedar Bidarkar 2023-05-29 13:59:50 UTC

No deprecated_apis_in_audit_logs seen in 4.13

Verified with v23.3.1

Comment 14 errata-xmlrpc 2023-06-20 13:41:05 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Virtualization 4.13.1 Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2023:3686

Comment 15 Red Hat Bugzilla 2023-10-19 04:25:07 UTC

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days

Note You need to log in before you can comment on or make changes to this bug.