Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-16381

No audit logs are captured for project deletion in production and customer is looking for a RCA

    XMLWordPrintable

Details

    • Critical
    • No
    • Rejected
    • False
    • Hide

      None

      Show
      None

    Description

      Description of problem:

      - 'XYZ' project is deleted in the production of one of the biggest bank in India.
- Customer shared audit logs after the event and there is no entry for `XYZ` project deletion.
- But we do have multiple verb `deletecollection` action by `system:serviceaccount:kube-system:namespace-controller` which is expected when we delete any project at the same time.
- Only log with verb `delete` with username and project name is missing in audit logs. 
- For testing purpose we do craeted test project and deleted it in customers cluster and again collected the audit logs, In this scnario audit logs are properly captued the username who deleted test project.
- Now customer needs a RCA who deleted this project.
- This project deletion affected many workloads in production cluster with almost 195 nodes.

      Version-Release number of selected component (if applicable):

       

      How reproducible:

       

      Steps to Reproduce:

      1.
2.
3.

      Actual results:

       

      Expected results:

       

      Additional info:

      Customer case: https://access.redhat.com/support/cases/#/case/03558131

      Attachments

        Activity

          People

            vdinh@redhat.com Vu Dinh
            rhn-support-mdeore Mayur Deore
            Rahul Gangwar Rahul Gangwar
            Votes:
            1 Vote for this issue
            Watchers:
            6 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: