Closed openshift-cherrypick-robot closed 1 day ago
@openshift-cherrypick-robot: Jira Issue OCPBUGS-43655 has been cloned as Jira Issue OCPBUGS-43657. Will retitle bug to link to clone. /retitle [release-4.17] OCPBUGS-43657: audit: do not log requests to /livez
@openshift-cherrypick-robot: This pull request references Jira Issue OCPBUGS-43657, which is invalid:
Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.
The bug has been updated to refer to the pull request using the external bug tracker.
/jira-refresh
/jira refresh
@p0lyn0mial: This pull request references Jira Issue OCPBUGS-43657, which is invalid:
Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.
@openshift-cherrypick-robot: all tests passed!
Full PR test history. Your PR dashboard.
@p0lyn0mial I tried to launch a cluster with this PR via clusterbot and checked the audit log files; I can still see livez requests.
$ masters=$(oc get no -l node-role.kubernetes.io/master | sed '1d' | awk '{print $1}')
$ for node in $masters; do echo $node; oc debug no/$node -- chroot /host bash -c "grep -nr 'requestURI\":\"/livez' /var/log/*apiserver | grep -v chroot"; done
<-- snipped logs -->
/var/log/kube-apiserver/audit.log:12742:{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"ccc55dbb-f7b4-4786-a9e6-b2520ea93323","stage":"ResponseComplete","requestURI":"/livez?exclude=etcd","verb":"get","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"sourceIPs":["xx.xx.xx.xx"],"userAgent":"kube-probe/1.30","responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2024-10-23T04:42:58.524556Z","stageTimestamp":"2024-10-23T04:42:58.524811Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:public-info-viewer\" of ClusterRole \"system:public-info-viewer\" to Group \"system:unauthenticated\""}}
...
/var/log/openshift-apiserver/audit.log:4018:{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"308fcf7e-6b3b-44f1-9cb9-bb5aa32e9b5a","stage":"ResponseComplete","requestURI":"/livez?exclude=etcd","verb":"get","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"sourceIPs":["xx.xx.xx.xx"],"userAgent":"kube-probe/1.30","responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2024-10-23T04:51:08.238714Z","stageTimestamp":"2024-10-23T04:51:08.238922Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""}}
...
/var/log/oauth-apiserver/audit.log:1023:{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"3acfff30-d750-467f-b8fc-67d2ec81e483","stage":"ResponseComplete","requestURI":"/livez?exclude=etcd","verb":"get","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"sourceIPs":["xx.xx.xx.xx"],"userAgent":"kube-probe/1.30","responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2024-10-23T04:30:47.853434Z","stageTimestamp":"2024-10-23T04:30:47.853623Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""}}
Also need to back-port other PRs.
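A programmatic version of the check above, added here as a verification helper and not code from the PR: it parses audit.k8s.io/v1 Event lines, matches the requestURI path exactly (the query string such as ?exclude=etcd is stripped first) so /livez is found without false positives on similar paths, and tolerates truncated or non-JSON lines. The sample lines are constructed in the shape of the thread's output, with shortened auditIDs.

```python
"""Scan Kubernetes audit log (audit.k8s.io/v1, one JSON Event per line) for
requests to /livez, the path this PR is meant to stop logging.
Added verification helper, not code from the PR; sample lines are constructed."""
import json
from urllib.parse import urlsplit

# Constructed sample: two /livez probe events like those in the thread, one
# ordinary API request that must not match, and one malformed line to tolerate.
SAMPLE_AUDIT_LINES = [
    '{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a1","stage":"ResponseComplete","requestURI":"/livez?exclude=etcd","verb":"get","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"userAgent":"kube-probe/1.30","responseStatus":{"metadata":{},"code":200}}',
    '{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a2","stage":"ResponseComplete","requestURI":"/livez","verb":"get","user":{"username":"system:anonymous"},"userAgent":"kube-probe/1.30","responseStatus":{"metadata":{},"code":200}}',
    '{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a3","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"list","user":{"username":"system:admin"},"userAgent":"oc/4.17","responseStatus":{"metadata":{},"code":200}}',
    'not json at all',
]

def is_health_probe(event, paths=frozenset({"/livez"})):
    """True when the event's requestURI path (query string ignored) is one of
    the excluded health endpoints. Exact path comparison, so /livez-foo or
    /api/v1/livezthing are not matched by mistake."""
    uri = event.get("requestURI")
    if not isinstance(uri, str):
        return False
    return urlsplit(uri).path in paths

def find_probe_events(lines, paths=frozenset({"/livez"})):
    """Return (matching_events, skipped_line_count). Each match is summarised
    as (auditID, requestURI, username, userAgent) so it can be reported per
    node/file the way the thread's grep does."""
    hits, skipped = [], 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1  # truncated/rotated line: count it rather than abort
            continue
        if not isinstance(ev, dict) or ev.get("kind") != "Event" or not is_health_probe(ev, paths):
            continue
        hits.append((ev.get("auditID"), ev["requestURI"],
                     ev.get("user", {}).get("username"), ev.get("userAgent")))
    return hits, skipped

if __name__ == "__main__":
    hits, skipped = find_probe_events(SAMPLE_AUDIT_LINES)
    for h in hits:
        print("still logged:", h)
    print(f"{len(hits)} /livez event(s), {skipped} unparsable line(s)")
```

To run it against a real node, feed it the file (for example `open("/var/log/kube-apiserver/audit.log")`) instead of the constructed sample; an empty hit list after the fix has rolled out is the expected result.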
/jira refresh
@p0lyn0mial: This pull request references Jira Issue OCPBUGS-43657, which is valid. The bug has been moved to the POST state.
Requesting review from QA contact: /cc @wangke19
/approve
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: openshift-cherrypick-robot, p0lyn0mial, vrutkovs
The full list of commands accepted by this bot can be found here.
The pull request process is described here.
@openshift-cherrypick-robot: Jira Issue OCPBUGS-43657: All pull requests linked via external trackers have merged:
Jira Issue OCPBUGS-43657 has been moved to the MODIFIED state.
This is an automated cherry-pick of #1819
/assign p0lyn0mial