Bug
Resolution: Done
Critical
Logging 5.8.z
False
None
False
NEW
NEW
Bug Fix
Log Collection - Sprint 253, Log Collection - Sprint 254
Moderate
Description of problem:
After removing the collect-xxx-logs clusterrole from the serviceaccount, the CLF raises the error message below, but the collector pods can still forward logs:
status:
  conditions:
  - lastTransitionTime: "2024-05-15T03:22:01Z"
    reason: ValidationFailure
    status: "False"
    type: Ready
  - lastTransitionTime: "2024-05-15T03:22:01Z"
    message: insufficient permissions on service account, not authorized to collect ["application"] logs
    reason: ValidationFailure
    status: "True"
    type: Validation
Version-Release number of selected component (if applicable):
openshift-logging/cluster-logging-rhel9-operator/images/v5.8.7-6
How reproducible:
Always
Steps to Reproduce:
1. Create a CLF and add the correct clusterroles to the serviceaccount:
apiVersion: logging.openshift.io/v1
kind: ClusterLogForwarder
metadata:
  name: clf-46882
  namespace: e2e-test-vector-es-namespace-4257t
spec:
  outputs:
  - elasticsearch:
      version: 6
    name: es-created-by-user
    type: elasticsearch
    url: http://elasticsearch-server.e2e-test-vector-es-namespace-4257t.svc:9200
  pipelines:
  - inputRefs:
    - infrastructure
    - audit
    - application
    name: forward-to-external-es
    outputRefs:
    - es-created-by-user
  serviceAccountName: test-clf-agrcon6e
2. Ensure the logs are forwarded to the log store.
3. Remove the clusterrole collect-application-logs from the serviceaccount.
4. Wait for the CLF to raise the error, then check the logs in the log store.
Actual results:
Collector pods can still collect and forward application logs to the log store.
Expected results:
Collector pods should stop collecting application logs or be removed (this is the behavior we had in cluster-logging.v5.8.6).
Additional info:
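The state this report describes (service account denied, CLF reporting ValidationFailure, collector still running) can be checked from the command line. The script below is an added example, not part of the original report or the operator's code. It assumes the collect-<type>-logs roles grant the `collect` verb on `logs.logging.openshift.io/<type>` and that the collector DaemonSet carries the CLF's name (pass a fifth argument otherwise).

```shell
#!/bin/sh
# Added example: flags a ClusterLogForwarder whose service account lost a
# collect-*-logs role while collector pods keep running.

# Assumption: the collect-<type>-logs ClusterRoles grant verb "collect" on
# resource "logs" (group logging.openshift.io) with resourceName <type>.
sa_can_collect() {  # <namespace> <serviceaccount> <log-type>
  oc auth can-i collect "logs.logging.openshift.io/$3" \
    --as="system:serviceaccount:$1:$2" 2>/dev/null | grep -qx yes
}

# Status ("True"/"False") of the CLF's Ready condition.
clf_ready_status() {  # <namespace> <clf-name>
  oc get clusterlogforwarder "$2" -n "$1" \
    -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}'
}

# Ready collector pods; prints nothing if the DaemonSet is gone.
collector_ready() {  # <namespace> <daemonset>
  oc get daemonset "$2" -n "$1" -o jsonpath='{.status.numberReady}' 2>/dev/null
}

# Returns 0 = consistent, 1 = denied but still collecting, 2 = not yet reported.
check_clf() {  # <namespace> <clf-name> <serviceaccount> <log-type> [daemonset]
  ns="$1"; clf="$2"; sa="$3"; logtype="$4"
  ds="${5:-$2}"  # assumption: DaemonSet is named after the CLF
  if sa_can_collect "$ns" "$sa" "$logtype"; then
    echo "OK: $sa is authorized to collect $logtype logs"; return 0
  fi
  ready=$(clf_ready_status "$ns" "$clf") || ready=""
  pods=$(collector_ready "$ns" "$ds") || pods=""
  pods="${pods:-0}"
  if [ "$ready" != "False" ]; then
    echo "PENDING: $sa denied, $clf has not reported it yet (Ready=$ready)"
    return 2
  fi
  if [ "$pods" -gt 0 ]; then
    echo "DRIFT: $sa denied, $clf Ready=False, $pods collector pod(s) still ready"
    return 1
  fi
  echo "ENFORCED: $sa denied and no collector pods are ready"; return 0
}

# Example with the names from this report:
# check_clf e2e-test-vector-es-namespace-4257t clf-46882 test-clf-agrcon6e application
```

Return code 1 corresponds to the "Actual results" in this report, and the ENFORCED verdict to the "Expected results".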