OpenShift Bugs / OCPBUGS-20042

Hypershift Audit configuration not working for Hypershift HostedCluster


    • Bug
    • Resolution: Won't Do
    • Major
    • None
    • 4.13.0, 4.12.0, 4.14.0, 4.15
    • HyperShift
    • No
    • Rejected
    • False

      This is a clone of issue OCPBUGS-13348. The following is the description of the original issue:

      Description of problem:

      Adding audit configuration for a HyperShift hosted cluster is not working as expected.

      Version-Release number of selected component (if applicable):

      # oc get clusterversions.config.openshift.io
      NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
      version   4.13.0-0.nightly-2023-05-04-090524   True        False         15m     Cluster version is 4.13.0-0.nightly-2023-05-04-090524       

      How reproducible:

      Always

      Steps to Reproduce:

      1. Get hypershift hosted cluster detail from management cluster. 
      
      # hostedcluster=$( oc get -n clusters hostedclusters -o json | jq -r .items[].metadata.name)  
      
      2. Apply audit profile for hypershift hosted cluster. 
      # oc patch HostedCluster $hostedcluster -n clusters -p '{"spec": {"configuration": {"apiServer": {"audit": {"profile": "WriteRequestBodies"}}}}}' --type merge     
      hostedcluster.hypershift.openshift.io/85ea85757a5a14355124 patched 
      
      # oc get HostedCluster $hostedcluster -n clusters -ojson | jq .spec.configuration.apiServer.audit        
      {
        "profile": "WriteRequestBodies"
      }
      
      3. Check Pod or operator restart to apply configuration changes. 
      
      # oc get pods -l app=kube-apiserver  -n clusters-${hostedcluster}
      NAME                              READY   STATUS    RESTARTS   AGE
      kube-apiserver-7c98b66949-9z6rw   5/5     Running   0          36m
      kube-apiserver-7c98b66949-gp5rx   5/5     Running   0          36m
      kube-apiserver-7c98b66949-wmk8x   5/5     Running   0          36m
      
      # oc get pods -l app=openshift-apiserver   -n clusters-${hostedcluster}
      NAME                                  READY   STATUS    RESTARTS   AGE
      openshift-apiserver-dc4c84ff4-566z9   3/3     Running   0          29m
      openshift-apiserver-dc4c84ff4-99zq9   3/3     Running   0          29m
      openshift-apiserver-dc4c84ff4-9xdrz   3/3     Running   0          30m
      
      4. Check generated audit log.
      # NOW=$(date -u "+%s"); echo "$NOW"; echo "$NOW" > now
      1683711189
      
      # kaspod=$(oc get pods -l app=kube-apiserver -n clusters-${hostedcluster} --no-headers -o=jsonpath={.items[0].metadata.name})                                     
      
      # oc logs $kaspod -c audit-logs -n clusters-${hostedcluster} > kas-audit.log                                                                                      
      # cat kas-audit.log | grep -iE '"verb":"(get|list|watch)","user":.*(requestObject|responseObject)' | jq -c 'select (.requestReceivedTimestamp | .[0:19] + "Z" | fromdateiso8601 > '"`cat now`)" | wc -l
      0
      
      # cat kas-audit.log | grep -iE '"verb":"(create|delete|patch|update)","user":.*(requestObject|responseObject)' | jq -c 'select (.requestReceivedTimestamp | .[0:19] + "Z" | fromdateiso8601 > '"`cat now`)" | wc -l
      0  
      
      All results should be non-zero.
      In the backend, it should apply the configuration, or the pod/operator should restart after configuration changes.

      Actual results:

      Config changes are not applied in the backend. No operator or pod restart.

      Expected results:

      Configuration should be applied, and the pod and operator should restart after config changes.

      Additional info:

       

              Alberto Garcia Lamela (agarcial@redhat.com)
              OpenShift Prow Bot (openshift-crt-jira-prow)
              Jie Zhao
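The step 4 check from the description, rewritten as an added example that is not part of the original report or of HyperShift: it parses each audit line as JSON instead of using grep, so it does not depend on key order within the line, and it counts non-audit lines separately. The function names and the sample log lines are constructed for illustration; a non-zero "write" count means request or response bodies are being logged for write requests after the cutoff.

```python
import json
from datetime import datetime, timezone

READ_VERBS = {"get", "list", "watch"}
WRITE_VERBS = {"create", "delete", "patch", "update"}

def event_epoch(ts):
    # Same truncation as the report's jq filter: first 19 chars, read as UTC.
    parsed = datetime.strptime(ts[:19], "%Y-%m-%dT%H:%M:%S")
    return parsed.replace(tzinfo=timezone.utc).timestamp()

def count_body_events(lines, since_epoch):
    """Count events newer than since_epoch that carry a request/response body."""
    counts = {"read": 0, "write": 0, "skipped": 0}
    for line in lines:
        if not line.strip():
            continue
        try:
            event = json.loads(line)
            when = event_epoch(event["requestReceivedTimestamp"])
        except (ValueError, KeyError, TypeError):
            counts["skipped"] += 1  # non-JSON or incomplete line
            continue
        if when <= since_epoch:
            continue  # logged before the profile change
        if "requestObject" not in event and "responseObject" not in event:
            continue  # metadata-only event
        verb = str(event.get("verb", "")).lower()
        if verb in READ_VERBS:
            counts["read"] += 1
        elif verb in WRITE_VERBS:
            counts["write"] += 1
    return counts

# Constructed sample lines (not from the report); SINCE is the report's "now" value.
SINCE = 1683711189
SAMPLE = [
    '{"user":{"username":"admin"},"verb":"patch","requestReceivedTimestamp":"2023-05-10T09:35:00.000000Z","requestObject":{"spec":{}}}',
    '{"verb":"get","user":{"username":"admin"},"requestReceivedTimestamp":"2023-05-10T09:36:00.000000Z"}',
    '{"verb":"create","user":{"username":"admin"},"requestReceivedTimestamp":"2023-05-10T09:30:00.000000Z","requestObject":{}}',
    "I0510 09:36:01 not an audit event",
]

if __name__ == "__main__":
    print(count_body_events(SAMPLE, SINCE))
```

To run it against the captured file, pass the open kas-audit.log file object as `lines` and the integer stored in the `now` file as `since_epoch`.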