Story
Resolution: Unresolved
Status: NEW
From a 4.12.0-ec.4 CI run:
$ curl -s https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/origin-ci-test/logs/periodic-ci-openshift-release-master-nightly-4.12-e2e-aws-sdn-serial/1578535371610787840/artifacts/e2e-aws-sdn-serial/gather-must-gather/artifacts/must-gather.tar | tar xOz quay-io-openshift-release-dev-ocp-v4-0-art-dev-sha256-c7f5e32ff38c7a4616d6e9357fb0381c715f11b5a4f454424ea708be17072aad/namespaces/openshift-monitoring/core/secrets.yaml | yaml2json | jq -r '.items[].metadata | select(.name == "metrics-client-certs")'
{
  "creationTimestamp": "2022-10-08T00:16:01Z",
  "managedFields": [
    {
      "apiVersion": "v1",
      "fieldsType": "FieldsV1",
      "fieldsV1": {
        "f:data": {
          ".": {},
          "f:tls.crt": {},
          "f:tls.key": {}
        },
        "f:type": {}
      },
      "manager": "operator",
      "operation": "Update",
      "time": "2022-10-08T00:16:01Z"
    }
  ],
  "name": "metrics-client-certs",
  "namespace": "openshift-monitoring",
  "resourceVersion": "7786",
  "uid": "9eae6505-a93a-4ab0-a1b4-b59a9a72aab3"
}
And from that run's audit logs:
$ curl -s https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/origin-ci-test/logs/periodic-ci-openshift-release-master-nightly-4.12-e2e-aws-sdn-serial/1578535371610787840/artifacts/e2e-aws-sdn-serial/gather-audit-logs/artifacts/audit-logs.tar | tar xz --strip-components=2
$ zgrep -h secrets kube-apiserver/*.log.gz | jq -r .verb | sort | uniq -c
parse error: Invalid numeric literal at line 13306, column 6
     48 create
    301 delete
   6187 get
    595 list
    622 update
   5552 watch
$ zgrep -h '"verb":"create".*"resource":"secrets","namespace":"openshift-monitoring"' kube-apiserver/*.log.gz | jq -r '.stageTimestamp + " " + (.responseStatus.code | tostring) + " " + .user.username' | sort | head -n2
2022-10-08T00:28:33.146347Z 201 system:serviceaccount:openshift-infra:serviceaccount-pull-secrets-controller
2022-10-08T00:28:33.173866Z 201 system:serviceaccount:openshift-infra:serviceaccount-pull-secrets-controller
So unfortunately this particular Secret predates the audit logs, and was presumably created on the bootstrap machine by operator (whoever that was). It would be nice if the Secret set ownerReferences (like my ask for Prometheus ownerReferences in MON-1634), so it was easier to use generic-kube knowledge to understand who creates and manages the Secret.
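The same attribution work done above with zgrep and jq, as an added example that is not part of the original issue and not OpenShift code: it walks kube-apiserver audit events (JSON Lines), skips malformed lines instead of aborting the way jq did with "Invalid numeric literal", counts verbs, lists who created Secrets in a namespace, and flags Secrets from a must-gather dump that carry no ownerReferences (so the only provenance hint is the managedFields manager, as with metrics-client-certs). The audit lines, the Secret items, the "example-operator" service account and the secret names are constructed for the example; the event layout (verb, stage, objectRef, user, responseStatus, stageTimestamp) is the standard Kubernetes audit event shape.

```python
"""Attribute Secret creation from kube-apiserver audit logs and flag Secrets
that lack ownerReferences. Added example, not from the original issue."""
import json
from collections import Counter


def _event(verb, ts, user, ns, name, code, stage="ResponseComplete"):
    """Build one constructed audit event in the Kubernetes audit Event layout."""
    ev = {"kind": "Event", "stage": stage, "verb": verb, "stageTimestamp": ts,
          "user": {"username": user},
          "objectRef": {"resource": "secrets", "namespace": ns, "name": name}}
    if code is not None:               # RequestReceived stage has no response yet
        ev["responseStatus"] = {"code": code}
    return json.dumps(ev)


PULL_SECRETS_SA = "system:serviceaccount:openshift-infra:serviceaccount-pull-secrets-controller"
EXAMPLE_SA = "system:serviceaccount:openshift-monitoring:example-operator"  # constructed

# Constructed audit log lines. The last one is deliberately truncated to mimic
# the parse error jq hit on the real logs; a robust reader must survive it.
AUDIT_LINES = [
    _event("create", "2022-10-08T00:28:33.146347Z", PULL_SECRETS_SA, "openshift-monitoring", "default-dockercfg-example", 201),
    _event("create", "2022-10-08T00:28:33.173866Z", PULL_SECRETS_SA, "openshift-monitoring", "builder-dockercfg-example", 201),
    _event("create", "2022-10-08T00:30:00.000000Z", EXAMPLE_SA, "openshift-monitoring", "example-secret", None, stage="RequestReceived"),
    _event("create", "2022-10-08T00:30:00.001000Z", EXAMPLE_SA, "openshift-monitoring", "example-secret", 201),
    _event("create", "2022-10-08T00:31:00.000000Z", EXAMPLE_SA, "openshift-config", "other-secret", 201),
    _event("get", "2022-10-08T00:32:00.000000Z", "system:admin", "openshift-monitoring", "example-secret", 200),
    '{"kind":"Event","stage":"ResponseComplete","verb":"get","objectRef":{"resource":"secrets","namespa',
]

# Constructed Secret metadata, shaped like items from a must-gather secrets.yaml.
SECRET_ITEMS = [
    {"metadata": {"name": "metrics-client-certs", "namespace": "openshift-monitoring",
                  "managedFields": [{"manager": "operator", "operation": "Update"}]}},
    {"metadata": {"name": "example-owned-secret", "namespace": "openshift-monitoring",
                  "ownerReferences": [{"kind": "Prometheus", "name": "k8s"}],
                  "managedFields": [{"manager": "example-operator", "operation": "Update"}]}},
]


def parse_events(lines):
    """Parse JSON Lines; return (events, number_of_unparsable_lines)."""
    events, bad = [], 0
    for line in lines:
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            bad += 1                   # keep going, unlike a bare `jq` pipeline
    return events, bad


def verb_counts(lines):
    """Equivalent of `jq -r .verb | sort | uniq -c` over all parsable events."""
    events, _ = parse_events(lines)
    return Counter(ev.get("verb") for ev in events)


def secret_creations(lines, namespace):
    """(stageTimestamp, code, username, secret name) for each Secret create.

    Only ResponseComplete events are kept: every request is logged at more than
    one stage, and only the final stage carries the response code."""
    events, _ = parse_events(lines)
    rows = []
    for ev in events:
        ref = ev.get("objectRef", {})
        if (ev.get("stage") == "ResponseComplete" and ev.get("verb") == "create"
                and ref.get("resource") == "secrets" and ref.get("namespace") == namespace):
            rows.append((ev["stageTimestamp"], ev.get("responseStatus", {}).get("code"),
                         ev.get("user", {}).get("username"), ref.get("name")))
    return sorted(rows)


def secrets_without_owner(items):
    """Map each Secret lacking ownerReferences to its managedFields managers."""
    result = {}
    for item in items:
        meta = item.get("metadata", {})
        if not meta.get("ownerReferences"):
            managers = sorted({mf.get("manager") for mf in meta.get("managedFields", [])} - {None})
            result[meta["name"]] = managers
    return result


if __name__ == "__main__":
    events, bad = parse_events(AUDIT_LINES)
    print(f"parsed {len(events)} events, skipped {bad} malformed line(s)")
    for verb, n in sorted(verb_counts(AUDIT_LINES).items()):
        print(f"{n:7d} {verb}")
    for ts, code, user, name in secret_creations(AUDIT_LINES, "openshift-monitoring"):
        print(ts, code, user, name)
    print(secrets_without_owner(SECRET_ITEMS))
```

Two details matter when running this against real logs: count verbs only after JSON decoding succeeds (the stray parse error above means jq's counts silently omit whatever followed the bad line in that file), and filter on stage, otherwise each create shows up once per stage and the RequestReceived copy has no response code.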