OCPBUGS-13348

Hypershift Audit configuration not working for Hypershift HostedCluster


    • No
    • Hypershift Sprint 237, Hypershift Sprint 238, Hypershift Sprint 239, Hypershift Sprint 240, Hypershift Sprint 241, Hypershift Sprint 242, Hypershift Sprint 243
    • 7
    • Rejected
    • False
    • Previously, you could not update the default configuration for audit logs in a hosted cluster. Therefore, components of a hosted cluster could not generate audit logs. With this update, you can generate audit logs for components of a hosted cluster by updating the default configuration. (link:https://issues.redhat.com/browse/OCPBUGS-13348[*OCPBUGS-13348*])
    • Bug Fix
    • Done

      Description of problem:

      Adding audit configuration for a Hypershift hosted cluster is not working as expected.

      Version-Release number of selected component (if applicable):

      # oc get clusterversions.config.openshift.io
      NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
      version   4.13.0-0.nightly-2023-05-04-090524   True        False         15m     Cluster version is 4.13.0-0.nightly-2023-05-04-090524       

      How reproducible:

      Always

      Steps to Reproduce:

      1. Get hypershift hosted cluster detail from management cluster. 
      
      # hostedcluster=$(oc get -n clusters hostedclusters -o json | jq -r '.items[].metadata.name')
      
      2. Apply audit profile for hypershift hosted cluster. 
      # oc patch HostedCluster $hostedcluster -n clusters -p '{"spec": {"configuration": {"apiServer": {"audit": {"profile": "WriteRequestBodies"}}}}}' --type merge     
      hostedcluster.hypershift.openshift.io/85ea85757a5a14355124 patched 
      
      # oc get HostedCluster $hostedcluster -n clusters -ojson | jq .spec.configuration.apiServer.audit        
      {
        "profile": "WriteRequestBodies"
      }
      
      3. Check Pod or operator restart to apply configuration changes. 
      
      # oc get pods -l app=kube-apiserver  -n clusters-${hostedcluster}
      NAME                              READY   STATUS    RESTARTS   AGE
      kube-apiserver-7c98b66949-9z6rw   5/5     Running   0          36m
      kube-apiserver-7c98b66949-gp5rx   5/5     Running   0          36m
      kube-apiserver-7c98b66949-wmk8x   5/5     Running   0          36m
      
      # oc get pods -l app=openshift-apiserver   -n clusters-${hostedcluster}
      NAME                                  READY   STATUS    RESTARTS   AGE
      openshift-apiserver-dc4c84ff4-566z9   3/3     Running   0          29m
      openshift-apiserver-dc4c84ff4-99zq9   3/3     Running   0          29m
      openshift-apiserver-dc4c84ff4-9xdrz   3/3     Running   0          30m
      
      4. Check generated audit log.
      # NOW=$(date -u "+%s"); echo "$NOW"; echo "$NOW" > now
      1683711189
      
      # kaspod=$(oc get pods -l app=kube-apiserver -n clusters-${hostedcluster} --no-headers -o=jsonpath='{.items[0].metadata.name}')
      
      # oc logs $kaspod -c audit-logs -n clusters-${hostedcluster} > kas-audit.log                                                                                      
      # cat kas-audit.log | grep -iE '"verb":"(get|list|watch)","user":.*(requestObject|responseObject)' | jq -c 'select (.requestReceivedTimestamp | .[0:19] + "Z" | fromdateiso8601 > '"`cat now`)" | wc -l
      0
      
      # cat kas-audit.log | grep -iE '"verb":"(create|delete|patch|update)","user":.*(requestObject|responseObject)' | jq -c 'select (.requestReceivedTimestamp | .[0:19] + "Z" | fromdateiso8601 > '"`cat now`)" | wc -l
      0  
      
      All results should not be zero.
      In the backend, it should apply the configuration, or the pod/operator should restart after configuration changes.

      Actual results:

      Config changes are not applied in the backend. No operator or pod restart.

      Expected results:

      Configuration should be applied, and the pod & operator should restart after config changes.

      Additional info:

       

              imain@redhat.com Ian Main (Inactive)
              rhn-support-dpunia Deepak Punia (Inactive)
              Jie Zhao Jie Zhao
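
An added example, not part of the original report: a Python version of the step 4 check that parses each audit event as JSON instead of grepping on field order, and counts events received after the cutoff that carry `requestObject` or `responseObject`. The sample log lines are constructed, and the function names are assumptions of this example.

```python
import json
from datetime import datetime, timezone

READ_VERBS = {"get", "list", "watch"}
WRITE_VERBS = {"create", "delete", "patch", "update"}

# Constructed sample audit events (not captured from a real cluster).
SAMPLE_LOG = """\
{"kind":"Event","level":"Metadata","verb":"get","requestReceivedTimestamp":"2023-05-10T09:33:20.000000Z"}
{"kind":"Event","level":"RequestResponse","verb":"patch","requestReceivedTimestamp":"2023-05-10T09:33:30.120000Z","requestObject":{"spec":{}},"responseObject":{"kind":"ConfigMap"}}
{"kind":"Event","level":"Request","verb":"create","requestReceivedTimestamp":"2023-05-10T09:30:00.000000Z","requestObject":{"kind":"Secret"}}
not-json line from the container log
"""


def event_epoch(event):
    """Epoch seconds of requestReceivedTimestamp, truncated to whole seconds."""
    stamp = event["requestReceivedTimestamp"][:19]
    parsed = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")
    return parsed.replace(tzinfo=timezone.utc).timestamp()


def count_body_events(log_text, since_epoch):
    """Count events newer than since_epoch that carry a request or response body."""
    counts = {"read": 0, "write": 0}
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate non-JSON lines mixed into `oc logs` output
        if not isinstance(event, dict) or "requestReceivedTimestamp" not in event:
            continue
        if event_epoch(event) <= since_epoch:
            continue  # received before the cutoff written to the `now` file
        if "requestObject" not in event and "responseObject" not in event:
            continue  # metadata-only event, no body recorded
        verb = str(event.get("verb", "")).lower()
        if verb in READ_VERBS:
            counts["read"] += 1
        elif verb in WRITE_VERBS:
            counts["write"] += 1
    return counts


if __name__ == "__main__":
    # 1683711189 is the cutoff value shown in step 4.
    print(count_body_events(SAMPLE_LOG, 1683711189))
```

To run it against a real capture, pass the contents of `kas-audit.log` and the integer stored in `now` to `count_body_events`.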