Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-16381

No audit logs are captured for project deletion in production and customer is looking for a RCA

XMLWordPrintable

    • Critical
    • No
    • Rejected
    • False
    • Hide

      None

      Show
      None

      Description of problem:

      - 'XYZ' project is deleted in the production of one of the biggest bank in India.
- Customer shared audit logs after the event and there is no entry for `XYZ` project deletion.
- But we do have multiple verb `deletecollection` action by `system:serviceaccount:kube-system:namespace-controller` which is expected when we delete any project at the same time.
- Only log with verb `delete` with username and project name is missing in audit logs. 
- For testing purpose we do craeted test project and deleted it in customers cluster and again collected the audit logs, In this scnario audit logs are properly captued the username who deleted test project.
- Now customer needs a RCA who deleted this project.
- This project deletion affected many workloads in production cluster with almost 195 nodes.

      Version-Release number of selected component (if applicable):

       

      How reproducible:

       

      Steps to Reproduce:

      1.
2.
3.

      Actual results:

       

      Expected results:

       

      Additional info:

      Customer case: https://access.redhat.com/support/cases/#/case/03558131

              vdinh@redhat.com Vu Dinh
              rhn-support-mdeore Mayur Deore
              Rahul Gangwar Rahul Gangwar
              Votes:
              1 Vote for this issue
              Watchers:
              6 Start watching this issue

                Created:
                Updated:
                Resolved: