Bootstrap is failing when using a custom audit-policy-file

Bug #1972032 reported by João Victor Portal
This bug affects 1 person
Affects: StarlingX
Status: Fix Released
Importance: Medium
Assigned to: João Victor Portal

Bug Description

Brief Description
-----------------
Ansible bootstrap fails when a custom audit-policy-file is used.

Severity
--------
Critical: System/Feature is not usable after the defect.

Steps to Reproduce
------------------
1) Define a custom audit-policy-file in the bootstrap overrides YAML file:

apiserver_extra_args:
    audit-policy-file: "/etc/kubernetes/my-audit-policy-file.yml"

apiserver_extra_volumes:
    - name: my-audit-policy-file
      mountPath: "/etc/kubernetes/my-audit-policy-file.yml"
      pathType: "File"
      readOnly: true
      content: |
        # Log all requests at the Metadata level.
        apiVersion: audit.k8s.io/v1
        kind: Policy
        rules:
        - level: Metadata

2) Run bootstrap; it will fail.

Expected Behavior
------------------
Bootstrapping execution completed successfully.

Actual Behavior
----------------
Ansible bootstrapping is failing.

Reproducibility
---------------
100% Reproducible.

System Configuration
--------------------
AIO-DX

Branch/Pull Time/Commit
-----------------------
N/A.

Last Pass
---------
N/A.

Timestamp/Logs
--------------
N/A.

Test Activity
-------------
Feature Testing

Workaround
----------
N/A.

Changed in starlingx:
assignee: nobody → João Victor Portal (jvictorp)
Changed in starlingx:
status: New → In Progress
Ghada Khalil (gkhalil) wrote :

screening: stx.7.0 / medium - related to new feature: https://storyboard.openstack.org/#!/story/2009835

Changed in starlingx:
importance: Undecided → Medium
tags: added: stx.7.0 stx.config
OpenStack Infra (hudson-openstack) wrote : Fix merged to ansible-playbooks (master)

Reviewed: https://review.opendev.org/c/starlingx/ansible-playbooks/+/840927
Committed: https://opendev.org/starlingx/ansible-playbooks/commit/bb2a6441aa959d560799e684f8a3439b55f35ec3
Submitter: "Zuul (22348)"
Branch: master

commit bb2a6441aa959d560799e684f8a3439b55f35ec3
Author: Joao Victor Portal <email address hidden>
Date: Fri May 6 12:38:54 2022 -0300

    Fix custom audit-policy-file mount

    Custom audit policy files defined in bootstrap YAML overrides are
    being mounted twice. This is corrected in this change.

    Test Plan:

    PASS: Successfully deploy an AIO-SX using an image with this commit
    present, with the bootstrap YAML overrides containing a custom audit
    policy file defined in "apiserver_extra_volumes" list and pointed by
    "audit-policy-file" in "apiserver_extra_args" dict.
    PASS: In the deployed AIO-SX, verify that the Kubernetes audit log is
    enabled and working correctly.

    Closes-Bug: 1972032
    Signed-off-by: Joao Victor Portal <email address hidden>
    Change-Id: Ie5faeb614f24c6caabe307fbffcd82136df0a1a0

Changed in starlingx:
status: In Progress → Fix Released
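
A pre-flight check for the condition the fix describes, added here as an example and not taken from the StarlingX playbooks. It assumes the double mount appears as two volume entries sharing a name or mountPath in the list handed to kube-apiserver; check_audit_mounts and the sample lists are hypothetical and constructed, with key names copied from the overrides in the bug description.

```python
# Added example: consistency check between the kube-apiserver
# "audit-policy-file" argument and the extra volumes that back it.
# Sample data below is constructed, not output of the StarlingX playbook.
from collections import Counter


def check_audit_mounts(extra_args, volumes):
    """Return a list of problems; an empty list means the config is consistent."""
    policy_path = extra_args.get("audit-policy-file")
    if not policy_path:
        return ["audit-policy-file is not set, so no audit policy is loaded"]
    problems = []
    # Assumption: a name or mountPath listed twice is how a double mount shows up.
    for key in ("name", "mountPath"):
        counts = Counter(v.get(key) for v in volumes)
        problems += [f"duplicate {key}: {val} ({n} entries)"
                     for val, n in counts.items() if n > 1]
    # The policy path passed to the API server must be backed by a mount.
    matches = [v for v in volumes if v.get("mountPath") == policy_path]
    if not matches:
        problems.append(f"no volume mounts {policy_path}")
    for v in matches:
        if v.get("pathType") != "File":
            problems.append(f"{v.get('name')}: pathType should be File")
        if not v.get("readOnly"):
            problems.append(f"{v.get('name')}: policy file should be readOnly")
    return problems


# Constructed sample input mirroring the overrides in the bug description.
ARGS = {"audit-policy-file": "/etc/kubernetes/my-audit-policy-file.yml"}
VOLUME = {
    "name": "my-audit-policy-file",
    "mountPath": "/etc/kubernetes/my-audit-policy-file.yml",
    "pathType": "File",
    "readOnly": True,
}
MOUNTED_ONCE = [VOLUME]
MOUNTED_TWICE = [VOLUME, dict(VOLUME)]  # same volume listed twice

if __name__ == "__main__":
    for label, vols in (("once", MOUNTED_ONCE), ("twice", MOUNTED_TWICE)):
        print(label, check_audit_mounts(ARGS, vols) or "ok")
```

A writable or missing mount is reported as well, since either one leaves the audit policy open to tampering or silently unloaded.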