OpenShift Logging - LOG-6044

Multi CLF validation failure when adding a namespace which contains "kube" or "openshift"

      Before this update, any namespace containing "openshift" or "kube" was classified as an infrastructure namespace. Following this update, only the following namespaces are classified as infrastructure namespaces: "default", "kube", "openshift", and namespaces starting with "openshift-" or "kube-".
    • Bug Fix

      1) Deploy Logging Operator

      2) Create a SA and a cluster rolebinding to deploy the multiCLF instance

      $ oc -n openshift-logging create serviceaccount vector2vector-log-forwarder
      $ oc create clusterrolebinding vector2vector-log-forwarder --clusterrole=collect-application-logs --serviceaccount openshift-logging:vector2vector-log-forwarder

      3) Deploy a multiCLF with a namespace that contains kube or openshift:

      spec:
        inputs:
        - application:
            namespaces:
            - sample-kube-example
          name: test-input
        outputs:
        - name: test-output
          type: http
          url: https://test.com:1900
        pipelines:
        - inputRefs:
          - test-input
          name: test-pipeline
          outputRefs:
          - test-output
        serviceAccountName: vector2vector-log-forwarder
      status:
        conditions:
        - lastTransitionTime: "2024-09-09T13:59:22Z"
          reason: ValidationFailure
          status: "False"
          type: Ready
        - lastTransitionTime: "2024-09-09T13:59:22Z"
          message: insufficient permissions on service account, not authorized to collect
            ["infrastructure"] logs
          reason: ValidationFailure
          status: "True"
          type: Validation

      4) The collector classifies the namespace as infrastructure, so the following workaround applies:

      $ oc create clusterrolebinding vector2vector-log-forwarder-infra --clusterrole=collect-infrastructure-logs --serviceaccount openshift-logging:vector2vector-log-forwarder

      5) A couple of minutes later, the multiCLF no longer reports any issues:

      apiVersion: logging.openshift.io/v1
      kind: ClusterLogForwarder
      metadata:
        creationTimestamp: "2024-09-09T13:59:22Z"
        generation: 2
        name: test-clf
        namespace: openshift-logging
        resourceVersion: "90685"
        uid: a2026d1c-b183-4c83-9a5f-22d09c8d9e1b
      spec:
        inputs:
        - application:
            namespaces:
            - sample-kube-example
          name: test-input
        outputs:
        - name: test-output
          type: http
          url: https://test.com:1900
        pipelines:
        - inputRefs:
          - test-input
          name: test-pipeline
          outputRefs:
          - test-output
        serviceAccountName: vector2vector-log-forwarder
      status:
        conditions:
        - lastTransitionTime: "2024-09-09T14:09:22Z"
          status: "True"
          type: Ready
    • Log Collection - Sprint 259, Log Collection - Sprint 260, Log Collection - Sprint 262, Log Collection - Sprint 263

      Description of problem:

      When using a user namespace whose name contains "kube" or "openshift", for example
      "sample-kube-example", the multi cluster log forwarder fails with the following:

      status:
        conditions:
        - lastTransitionTime: '2024-09-03T15:17:15Z'
          reason: ValidationFailure
          status: 'False'
          type: Ready
        - lastTransitionTime: '2024-09-03T15:17:15Z'
          message: >-
            insufficient permissions on service account, not authorized to collect
            ["infrastructure"] logs
          reason: ValidationFailure
          status: 'True'
          type: Validation

      Version-Release number of selected component (if applicable):

      5.9.5 running on OCP 4.14.6 on Google OSD

      How reproducible:

      Add a user namespace sample-kube-example

      Apply log forwarding (CR attached)

      Actual results:

      Log forwarding fails with the message shown in the problem description

      Expected results:

      Log forwarding should work

      Additional info:

      The suspicion is that the collector tries to treat these logs as infrastructure, but they are not infra logs according to the official docs:

      • infrastructure - Logs generated by infrastructure components running in the cluster and OpenShift Container Platform nodes, such as journal logs. Infrastructure components are pods that run in the openshift*, kube*, or default projects.
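      The following Go program is an added illustration (not the cluster-logging-operator's own code) that reconstructs the pre-fix and post-fix namespace classification from the release note and the service-account check behind the "not authorized to collect ["infrastructure"] logs" failure; the function names, the granted map and the sample namespace are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Pre-fix rule reconstructed from the release note (not the operator's code):
// any name that merely contains "openshift" or "kube" counts as infrastructure.
func isInfraNamespaceOld(ns string) bool {
	return strings.Contains(ns, "openshift") || strings.Contains(ns, "kube")
}

// Post-fix rule: only "default", "kube", "openshift" and names starting with
// "openshift-" or "kube-" are infrastructure namespaces.
func isInfraNamespaceNew(ns string) bool {
	switch ns {
	case "default", "kube", "openshift":
		return true
	}
	return strings.HasPrefix(ns, "openshift-") || strings.HasPrefix(ns, "kube-")
}

// missingLogTypes models the CLF service-account check: an application input
// always needs "application", and "infrastructure" too if any namespace is
// classified as infra. granted models the bound cluster roles
// (collect-application-logs, collect-infrastructure-logs); empty result = Ready.
func missingLogTypes(namespaces []string, granted map[string]bool, isInfra func(string) bool) []string {
	need := []string{"application"}
	for _, ns := range namespaces {
		if isInfra(ns) {
			need = append(need, "infrastructure")
			break
		}
	}
	var missing []string
	for _, t := range need {
		if !granted[t] {
			missing = append(missing, t)
		}
	}
	return missing
}

func main() {
	ns := []string{"sample-kube-example"}                   // constructed sample, from the issue
	sa := map[string]bool{"application": true}              // only collect-application-logs bound
	fmt.Println("old rule:", missingLogTypes(ns, sa, isInfraNamespaceOld)) // [infrastructure]
	fmt.Println("new rule:", missingLogTypes(ns, sa, isInfraNamespaceNew)) // []
}
```

      Binding collect-infrastructure-logs as in the workaround corresponds to adding "infrastructure" to the granted map, which clears the failure even under the old rule.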

              rh-ee-calee Calvin Lee
              rhn-support-igreen Ilan Green
              Kabir Bharti Kabir Bharti