Description of problem:
Add Audit configuration for hypershift Hosted Cluster not working as expected.
Version-Release number of selected component (if applicable):
    # oc get clusterversions.config.openshift.io
    NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
    version   4.13.0-0.nightly-2023-05-04-090524   True        False         15m     Cluster version is 4.13.0-0.nightly-2023-05-04-090524
How reproducible:
Always
Steps to Reproduce:
1. Get hypershift hosted cluster detail from management cluster.

    # hostedcluster=$( oc get -n clusters hostedclusters -o json | jq -r .items[].metadata.name)

2. Apply audit profile for hypershift hosted cluster.

    # oc patch HostedCluster $hostedcluster -n clusters -p '{"spec": {"configuration": {"apiServer": {"audit": {"profile": "WriteRequestBodies"}}}}}' --type merge
    hostedcluster.hypershift.openshift.io/85ea85757a5a14355124 patched

    # oc get HostedCluster $hostedcluster -n clusters -ojson | jq .spec.configuration.apiServer.audit
    {
      "profile": "WriteRequestBodies"
    }

3. Check Pod or operator restart to apply configuration changes.

    # oc get pods -l app=kube-apiserver -n clusters-${hostedcluster}
    NAME                              READY   STATUS    RESTARTS   AGE
    kube-apiserver-7c98b66949-9z6rw   5/5     Running   0          36m
    kube-apiserver-7c98b66949-gp5rx   5/5     Running   0          36m
    kube-apiserver-7c98b66949-wmk8x   5/5     Running   0          36m

    # oc get pods -l app=openshift-apiserver -n clusters-${hostedcluster}
    NAME                                  READY   STATUS    RESTARTS   AGE
    openshift-apiserver-dc4c84ff4-566z9   3/3     Running   0          29m
    openshift-apiserver-dc4c84ff4-99zq9   3/3     Running   0          29m
    openshift-apiserver-dc4c84ff4-9xdrz   3/3     Running   0          30m

4. Check generated audit log.

    # NOW=$(date -u "+%s"); echo "$NOW"; echo "$NOW" > now
    1683711189

    # kaspod=$(oc get pods -l app=kube-apiserver -n clusters-${hostedcluster} --no-headers -o=jsonpath={.items[0].metadata.name})
    # oc logs $kaspod -c audit-logs -n clusters-${hostedcluster} > kas-audit.log

    # cat kas-audit.log | grep -iE '"verb":"(get|list|watch)","user":.*(requestObject|responseObject)' | jq -c 'select (.requestReceivedTimestamp | .[0:19] + "Z" | fromdateiso8601 > '"`cat now`)" | wc -l
    0

    # cat kas-audit.log | grep -iE '"verb":"(create|delete|patch|update)","user":.*(requestObject|responseObject)' | jq -c 'select (.requestReceivedTimestamp | .[0:19] + "Z" | fromdateiso8601 > '"`cat now`)" | wc -l
    0

All results should not be zero.
In backend it should apply the configuration or pod/operator restart after configuration changes.
Actual results:
Config changes are not applied in the backend. No operator or pod restart.
Expected results:
Configuration should be applied, and the pod & operator should restart after config changes.
Additional info:
- clones: OCPBUGS-13348 Hypershift Audit configuration not working for Hypershift HostedCluster - Closed
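
The step 4 check can also be done by parsing each audit event as JSON instead of matching the raw line with grep, which only matches when `"verb"` is immediately followed by `"user"` in the serialized event. The following is an added example, not part of the original report or of HyperShift; the function names and the sample events are constructed for illustration, and only the `NOW` value is taken from step 4.

```python
import json
from datetime import datetime, timezone

READ_VERBS = {"get", "list", "watch"}
WRITE_VERBS = {"create", "delete", "patch", "update"}

def parse_ts(value):
    # Same truncation as the jq filter in step 4: first 19 characters, read as UTC.
    dt = datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S")
    return dt.replace(tzinfo=timezone.utc).timestamp()

def count_body_events(lines, since_epoch):
    """Count audit events newer than since_epoch that carry a request or response body."""
    counts = {"read": 0, "write": 0}
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON lines mixed into the container log
        if not isinstance(event, dict):
            continue
        ts = event.get("requestReceivedTimestamp")
        if not ts or parse_ts(ts) <= since_epoch:
            continue  # event predates the profile change
        if "requestObject" not in event and "responseObject" not in event:
            continue  # metadata-only event, no body was recorded
        verb = str(event.get("verb", "")).lower()
        if verb in READ_VERBS:
            counts["read"] += 1
        elif verb in WRITE_VERBS:
            counts["write"] += 1
    return counts

# Constructed sample events (not from the report). NOW is the value echoed in step 4.
NOW = 1683711189  # 2023-05-10T09:33:09Z
SAMPLE = [
    json.dumps({"verb": "patch", "user": {}, "requestReceivedTimestamp": "2023-05-10T09:00:00.000000Z", "requestObject": {}}),  # before NOW
    json.dumps({"verb": "create", "user": {}, "requestReceivedTimestamp": "2023-05-10T09:40:00.000000Z"}),  # no body
    json.dumps({"verb": "patch", "user": {}, "requestReceivedTimestamp": "2023-05-10T09:41:00.000000Z", "requestObject": {}, "responseObject": {}}),
    json.dumps({"verb": "get", "user": {}, "requestReceivedTimestamp": "2023-05-10T09:42:00.000000Z"}),  # no body
    "I0510 09:42:01 constructed non-JSON log line",
    # "user" serialized before "verb": the grep pattern in step 4 would not match this line.
    json.dumps({"user": {}, "verb": "update", "requestReceivedTimestamp": "2023-05-10T09:43:00.000000Z", "requestObject": {}}),
]

if __name__ == "__main__":
    print(count_body_events(SAMPLE, NOW))
```

Against a real log, pass the open `kas-audit.log` file object and the integer stored in the `now` file from step 4.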