Runtime enable of Kubernetes audit fails

Bug #1972756 reported by Bin Qian
Affects    Status        Importance  Assigned to  Milestone
StarlingX  Fix Released  Medium      Jorge Saffe

Bug Description

Brief Description

Enabling Kubernetes audit at runtime using the "audit-policy-file" service parameter fails.

Severity

Critical: System/Feature is not usable after the defect.

Steps to Reproduce

Execute the following commands:
system service-parameter-add kubernetes kube_apiserver audit-policy-file=/etc/kubernetes/default-audit-policy.yaml
system service-parameter-apply kubernetes

Expected Behavior

The Kubernetes audit feature should be enabled with no errors.

Actual Behavior

The command "system service-parameter-apply kubernetes" fails with error "'exceptions.OSError' object has no attribute 'returncode'".

Reproducibility

100% Reproducible

System Configuration

AIO-DX

Log:
sysinv 2022-05-06 09:01:28.178 116736 ERROR sysinv.api.controllers.v1.service_parameter [-] [Errno 13] Permission denied: OSError: [Errno 13] Permission denied
2022-05-06 09:01:28.178 116736 ERROR sysinv.api.controllers.v1.service_parameter Traceback (most recent call last):
2022-05-06 09:01:28.178 116736 ERROR sysinv.api.controllers.v1.service_parameter File "/usr/lib64/python2.7/site-packages/sysinv/api/controllers/v1/service_parameter.py", line 757, in _service_parameter_apply_semantic_check_kubernetes
2022-05-06 09:01:28.178 116736 ERROR sysinv.api.controllers.v1.service_parameter subprocess.check_call(cmd, stdout=f) # pylint: disable=not-callable
2022-05-06 09:01:28.178 116736 ERROR sysinv.api.controllers.v1.service_parameter File "/usr/lib64/python2.7/subprocess.py", line 537, in check_call
2022-05-06 09:01:28.178 116736 ERROR sysinv.api.controllers.v1.service_parameter retcode = call(*popenargs, **kwargs)
2022-05-06 09:01:28.178 116736 ERROR sysinv.api.controllers.v1.service_parameter File "/usr/lib64/python2.7/subprocess.py", line 524, in call
2022-05-06 09:01:28.178 116736 ERROR sysinv.api.controllers.v1.service_parameter return Popen(*popenargs, **kwargs).wait()
2022-05-06 09:01:28.178 116736 ERROR sysinv.api.controllers.v1.service_parameter File "/usr/lib/python2.7/site-packages/eventlet/green/subprocess.py", line 58, in __init__
2022-05-06 09:01:28.178 116736 ERROR sysinv.api.controllers.v1.service_parameter subprocess_orig.Popen.__init__(self, args, 0, *argss, **kwds)
2022-05-06 09:01:28.178 116736 ERROR sysinv.api.controllers.v1.service_parameter File "/usr/lib64/python2.7/subprocess.py", line 711, in __init__
2022-05-06 09:01:28.178 116736 ERROR sysinv.api.controllers.v1.service_parameter errread, errwrite)
2022-05-06 09:01:28.178 116736 ERROR sysinv.api.controllers.v1.service_parameter File "/usr/lib64/python2.7/subprocess.py", line 1327, in _execute_child
2022-05-06 09:01:28.178 116736 ERROR sysinv.api.controllers.v1.service_parameter raise child_exception
2022-05-06 09:01:28.178 116736 ERROR sysinv.api.controllers.v1.service_parameter OSError: [Errno 13] Permission denied
2022-05-06 09:01:28.178 116736 ERROR sysinv.api.controllers.v1.service_parameter
sysinv 2022-05-06 09:01:28.195 116736 ERROR wsme.api [-] Server-side error: "'exceptions.OSError' object has no attribute 'returncode'". Detail:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/wsmeext/pecan.py", line 85, in callfunction
    result = f(self, *args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/sysinv/api/controllers/v1/service_parameter.py", line 830, in apply
    self._service_parameter_apply_semantic_check(service)
  File "/usr/lib64/python2.7/site-packages/sysinv/api/controllers/v1/service_parameter.py", line 810, in _service_parameter_apply_semantic_check
    self._service_parameter_apply_semantic_check_kubernetes()
  File "/usr/lib64/python2.7/site-packages/sysinv/api/controllers/v1/service_parameter.py", line 760, in _service_parameter_apply_semantic_check_kubernetes
    raise exception.KubeCmdFailed(rc=e.returncode, command=' '.join(cmd))
AttributeError: 'exceptions.OSError' object has no attribute 'returncode'
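
The second traceback above comes from an error handler that reads `e.returncode` from an `OSError`, which hides the original "Permission denied". As an added illustration (not the sysinv code: `KubeCmdFailed` here is a stand-in, and the shape of the `except` clause is assumed from the traceback), the masking handler is shown beside one that reports launch failures separately from non-zero exits:

```python
import errno
import os
import subprocess
import tempfile


class KubeCmdFailed(Exception):
    """Hypothetical stand-in for the sysinv exception named in the traceback."""
    def __init__(self, rc, command, reason):
        super().__init__("%s failed: rc=%s (%s)" % (command, rc, reason))
        self.rc, self.reason = rc, reason


def fragile_run(cmd):
    """Assumed handler shape: every failure is read as a non-zero exit."""
    try:
        subprocess.check_call(cmd, stdout=subprocess.DEVNULL)
    except Exception as e:
        # An OSError from a failed exec has no .returncode -> AttributeError
        raise KubeCmdFailed(e.returncode, " ".join(cmd), "exit status")


def robust_run(cmd):
    """Separate 'ran and exited non-zero' from 'could not be started'."""
    try:
        subprocess.check_call(cmd, stdout=subprocess.DEVNULL)
    except subprocess.CalledProcessError as e:
        raise KubeCmdFailed(e.returncode, " ".join(cmd), "exit status") from e
    except OSError as e:
        # The child never ran, so there is no exit status; keep the errno name.
        name = errno.errorcode.get(e.errno, "unknown")
        raise KubeCmdFailed(None, " ".join(cmd), name) from e


def demo():
    """Run both handlers against a constructed file with no execute bit."""
    fd, path = tempfile.mkstemp(suffix=".sh")  # mkstemp creates mode 0600
    os.write(fd, b"#!/bin/sh\nexit 0\n")
    os.close(fd)
    seen = {}
    try:
        for fn in (fragile_run, robust_run):
            try:
                fn([path])
            except Exception as e:
                seen[fn.__name__] = (type(e).__name__, getattr(e, "reason", None))
    finally:
        os.unlink(path)
    return seen
```

With the second handler the operator sees `EACCES` in the API error instead of an `AttributeError`, so the permission problem is diagnosable without reading the server log.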

Changed in starlingx:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to config (master)

Reviewed: https://review.opendev.org/c/starlingx/config/+/841659
Committed: https://opendev.org/starlingx/config/commit/065b704b726a286060e8ae1a92bb1a72d533e0e7
Submitter: "Zuul (22348)"
Branch: master

commit 065b704b726a286060e8ae1a92bb1a72d533e0e7
Author: Jorge Saffe <email address hidden>
Date: Thu May 12 20:29:59 2022 -0400

    Fix error on runtime enable of Kubernetes audit

    Enabling Kubernetes auditing at runtime using "audit-policy-file"
    service parameter fails when trying to verify cluster
    configuration for a valid audit policy file.

    A call to kubectl command and the use of temporary files to
    store the current configmap has been replaced with a
    direct call to sysinv API.

    This commit fixes:
    * Permissions issues (OSError: [Errno 13] Permission denied)
    * Exception code returns

    Test Plan:
    * CENTOS distro:
      - Fresh Install with AIO-SX.
      - Add audit-policy-file
      - Apply changes (system service-parameter-apply kubernetes)

    Closes-Bug: 1972756
    Signed-off-by: Jorge Saffe <email address hidden>
    Change-Id: I4cdcc2a70bb253794de00e7d670205d8112e470e

Changed in starlingx:
status: In Progress → Fix Released
Ghada Khalil (gkhalil)
Changed in starlingx:
importance: Undecided → Medium
tags: added: stx.7.0 stx.config
Changed in starlingx:
assignee: nobody → Jorge Saffe (jsaffe)