Uploaded image for project: 'OpenShift Logging'
  1. OpenShift Logging
  2. LOG-5532

Collector pods still can forward logs after removing collect-xxx-logs clusterrole from the serviceaccount.

XMLWordPrintable

    • False
    • None
    • False
    • NEW
    • NEW
    • Bug Fix
    • Log Collection - Sprint 253, Log Collection - Sprint 254
    • Moderate

      Description of problem:

      After removing collect-xxx-logs clusterrole from the serviceaccount, clf raises below error message, but collector pods still can forward logs:

        status:
          conditions:
          - lastTransitionTime: "2024-05-15T03:22:01Z"
            reason: ValidationFailure
            status: "False"
            type: Ready
          - lastTransitionTime: "2024-05-15T03:22:01Z"
            message: insufficient permissions on service account, not authorized to collect
              ["application"] logs
            reason: ValidationFailure
            status: "True"
            type: Validation 

      Version-Release number of selected component (if applicable):

      openshift-logging/cluster-logging-rhel9-operator/images/v5.8.7-6

      How reproducible:

      Always

      Steps to Reproduce:

      1. create CLF, and add correct clusterroles to the serviceaccount:

        apiVersion: logging.openshift.io/v1
        kind: ClusterLogForwarder
        metadata:
          name: clf-46882
          namespace: e2e-test-vector-es-namespace-4257t
        spec:
          outputs:
          - elasticsearch:
              version: 6
            name: es-created-by-user
            type: elasticsearch
            url: http://elasticsearch-server.e2e-test-vector-es-namespace-4257t.svc:9200
          pipelines:
          - inputRefs:
            - infrastructure
            - audit
            - application
            name: forward-to-external-es
            outputRefs:
            - es-created-by-user
          serviceAccountName: test-clf-agrcon6e 

      2. ensure the logs are forwarded to the log store

      3. remove clusterrole collect-application-logs from the serviceaccount

      4. wait for the CLF to raise error, check the logs in log store

      Actual results:

      Collector pods still can collect and forward application logs to the log store

      Expected results:

      Collector pods should stop collecting application logs or be removed(this is the behavior we had in cluster-logging.v5.8.6)

      Additional info:

            vparfono Vitalii Parfonov
            qitang@redhat.com Qiaoling Tang
            Qiaoling Tang Qiaoling Tang
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: