Uploaded image for project: 'OpenShift Logging'
  1. OpenShift Logging
  2. LOG-6044

Multi CLF validation failure when adding a namespace which contains "kube" or "openshift"

XMLWordPrintable

    • False
    • None
    • False
    • NEW
    • VERIFIED
    • Hide
      Before this update, any namespace containing "openshift" or "kube" was classified as an infrastructure namespace. Following this update, only the following namespaces are classified as infrastructure namespaces: "default", "kube", "openshift", and namespaces starting with "openshift-" or "kube-".
      Show
      Before this update, any namespace containing "openshift" or "kube" was classified as an infrastructure namespace. Following this update, only the following namespaces are classified as infrastructure namespaces: "default", "kube", "openshift", and namespaces starting with "openshift-" or "kube-".
    • Bug Fix
    • Hide

      1) Deploy Logging Operator

      2) Creating a SA and a cluster rolebinding to deploy the multiCLF instance

      $ oc -n openshift-logging create serviceaccount vector2vector-log-forwarder
$ oc create clusterrolebinding vector2vector-log-forwarder --clusterrole=collect-application-logs --serviceaccount openshift-logging:vector2vector-log-forwarder

      3) Deploy a multiCLF with a namespace that contains kube or openshift:

      spec:
  inputs:
  - application:
      namespaces:
      - sample-kube-example
    name: test-input
  outputs:
  - name: test-output
    type: http
    url: https://test.com:1900
  pipelines:
  - inputRefs:
    - test-input
    name: test-pipeline
    outputRefs:
    - test-output
  serviceAccountName: vector2vector-log-forwarder
status:
  conditions:
  - lastTransitionTime: "2024-09-09T13:59:22Z"
    reason: ValidationFailure
    status: "False"
    type: Ready
  - lastTransitionTime: "2024-09-09T13:59:22Z"
    message: insufficient permissions on service account, not authorized to collect
      ["infrastructure"] logs
    reason: ValidationFailure
    status: "True"
    type: Validation

      4) The collector interprets from the namespace that they are infra logs so we can do the following workaround:

      $ oc create clusterrolebinding vector2vector-log-forwarder-infra --clusterrole=collect-infrastructure-logs --serviceaccount openshift-logging:vector2vector-log-forwarder

      5) After that, a couple of minutes later we don´t find any issues in the multiCLF

      apiVersion: logging.openshift.io/v1
kind: ClusterLogForwarder
metadata:
  creationTimestamp: "2024-09-09T13:59:22Z"
  generation: 2
  name: test-clf
  namespace: openshift-logging
  resourceVersion: "90685"
  uid: a2026d1c-b183-4c83-9a5f-22d09c8d9e1b
spec:
  inputs:
  - application:
      namespaces:
      - sample-kube-example
    name: test-input
  outputs:
  - name: test-output
    type: http
    url: https://test.com:1900
  pipelines:
  - inputRefs:
    - test-input
    name: test-pipeline
    outputRefs:
    - test-output
  serviceAccountName: vector2vector-log-forwarder
status:
  conditions:
  - lastTransitionTime: "2024-09-09T14:09:22Z"
    status: "True"
    type: Ready
      Show
      1) Deploy Logging Operator 2) Creating a SA and a cluster rolebinding to deploy the multiCLF instance $ oc -n openshift-logging create serviceaccount vector2vector-log-forwarder $ oc create clusterrolebinding vector2vector-log-forwarder --clusterrole=collect-application-logs --serviceaccount openshift-logging:vector2vector-log-forwarder 3) Deploy a multiCLF with a namespace that contains kube or openshift: spec: inputs: - application: namespaces: - sample-kube-example name: test-input outputs: - name: test-output type: http url: https: //test.com:1900 pipelines: - inputRefs: - test-input name: test-pipeline outputRefs: - test-output serviceAccountName: vector2vector-log-forwarder status: conditions: - lastTransitionTime: "2024-09-09T13:59:22Z" reason: ValidationFailure status: "False" type: Ready - lastTransitionTime: "2024-09-09T13:59:22Z" message: insufficient permissions on service account, not authorized to collect [ "infrastructure" ] logs reason: ValidationFailure status: "True" type: Validation 4) The collector interprets from the namespace that they are infra logs so we can do the following workaround: $ oc create clusterrolebinding vector2vector-log-forwarder-infra --clusterrole=collect-infrastructure-logs --serviceaccount openshift-logging:vector2vector-log-forwarder 5) After that, a couple of minutes later we don´t find any issues in the multiCLF apiVersion: logging.openshift.io/v1 kind: ClusterLogForwarder metadata: creationTimestamp: "2024-09-09T13:59:22Z" generation: 2 name: test-clf namespace: openshift-logging resourceVersion: "90685" uid: a2026d1c-b183-4c83-9a5f-22d09c8d9e1b spec: inputs: - application: namespaces: - sample-kube-example name: test-input outputs: - name: test-output type: http url: https: //test.com:1900 pipelines: - inputRefs: - test-input name: test-pipeline outputRefs: - test-output serviceAccountName: vector2vector-log-forwarder status: conditions: - lastTransitionTime: "2024-09-09T14:09:22Z" status: "True" type: Ready
    • Log Collection - Sprint 259, Log Collection - Sprint 260, Log Collection - Sprint 262

      Description of problem:

      When using a user namespace which contains kube or open shift in its name like:
      "sample-kube-example"
      The multi cluster log forwarder fails with the following:

      status:
  conditions:
      - lastTransitionTime: '2024-09-03T15:17:15Z'
        reason: ValidationFailure
        status: 'False'
        type: Ready
      - lastTransitionTime: '2024-09-03T15:17:15Z'
         message: >-
               insufficient permissions on service account, not authorized to collect
               ["infrastructure"] logs
          reason: ValidationFailure
          status: 'True'
          type: Validation

       

       

       

      Version-Release number of selected component (if applicable):

      5.9.5 running on OCP 4.14.6 on Google OSD

      How reproducible:

      add a user namespace sample-kube-example

      Apply logforwarding - cr attached

      Actual results:

      log forwarding fails with the message shown in problem description

      Expected results:

      log forwarding should work

      Additional info:

      The suspicion is that the collector tries to treat these logs as infrastructure but they are not infra logs according to the official docs:

      • infrastructure - Logs generated by infrastructure components running in the cluster and OpenShift Container Platform nodes, such as journal logs. Infrastructure components are pods that run in the openshift*kube*, or default projects.

        1. cl-csv.yml
          36 kB

              rh-ee-calee Calvin Lee
              rhn-support-igreen Ilan Green
              Anping Li Anping Li
              Votes:
              1 Vote for this issue
              Watchers:
              10 Start watching this issue

                Created:
                Updated: