-
Feature Request
-
Resolution: Done
-
Minor
-
None
-
None
-
False
-
None
-
False
-
Not Selected
-
-
1] Proposed title of this feature request
Allow configuring a whitelist for APIRemovedInNext(EUS)ReleaseInUse
2] What is the nature and description of the request?
- Currently the APIRemovedInNext(EUS)ReleaseInUse is present in the notifications for the duration of the release
- The way it is implemented now APIRemovedInNextEUSReleaseInUse will always cover everything from APIRemovedInNextReleaseInUse, so we will always have duplicate alerts for api removed in 1.24, making APIRemovedInNextReleaseInUse rather useless (since it's already covered by APIRemovedInNextEUSReleaseInUse)
- Request for enhancement is to avoid these duplicate alerts, alert "APIRemovedInNextEUSReleaseInUse" should only be enabled when using an eus-channel (so disable APIRemovedInNextReleaseInUse). When not on an eus-channel APIRemovedInNextReleaseInUse can be enabled and APIRemovedInNextEUSReleaseInUse can be disabled.
- Can we fix the issue so that the application no longer uses the obsolete API or decide the application will automatically not use the obsolete api anymore after the upgrade, in which case it will keep triggering the alert. (comparable with this issue: https://bugzilla.redhat.com/show_bug.cgi?id=1966410)
- In the latter case you will not be able to detect newly installed applications that also use the obsolete API, unless you keep analyzing the usage on a daily basis for the duration of that OpenShift version, which is inconvenient.
3] Why would you like this alteration? (List the business requirements here)
- To ensure all cases where obsolete API is used are detected and treated properly (either by fixing or whitelisting)
- To ensure that a cluster where no attention is needed no notifications are present (even info)
4] How would you like to achieve this? (List the functional requirements here)
- Add a configmap to allow to configure service accounts using the obsolete API to be whitelisted
- No alert is generated for whitelisted accounts using the obsolete API
- configmap has 2 lists:
- permanent: service accounts in this list will never trigger the alert
- nextrelease: service accounts in this list will no longer trigger the alert until the next release. This list is erased when Openshift is upgraded to the next minor release
5] List any affected packages or components.
- At least PrometheusRule api-usage in namespace openshift-kube-apiserver.
Basically, need to find a configurable way to filter api_server_request_total more:
apiserver_request_total{system_client!="kube-controller-manager",system_client!="cluster-policy-controller"}. At this point the service account that made the call is not available in the metric, so this may be hard to achieve.