Brief Description
Enabling Kubernetes audit at runtime using "audit-policy-file" service parameter fails.
Severity
Critical: System/Feature is not usable after the defect.
Steps to Reproduce
Execute the following commands:
system service-parameter-add kubernetes kube_apiserver audit-policy-file=/etc/kubernetes/default-audit-policy.yaml
system service-parameter-apply kubernetes
Expected Behavior
The Kubernetes audit feature should be enabled with no errors.
Actual Behavior
The command "system service-parameter-apply kubernetes" fails with error "'exceptions.OSError' object has no attribute 'returncode'".
Reproducibility
100% Reproducible
System Configuration
AIO-DX
Log:
sysinv 2022-05-06 09:01:28.178 116736 ERROR sysinv.api.controllers.v1.service_parameter [-] [Errno 13] Permission denied: OSError: [Errno 13] Permission denied
2022-05-06 09:01:28.178 116736 ERROR sysinv.api.controllers.v1.service_parameter Traceback (most recent call last):
2022-05-06 09:01:28.178 116736 ERROR sysinv.api.controllers.v1.service_parameter File "/usr/lib64/python2.7/site-packages/sysinv/api/controllers/v1/service_parameter.py", line 757, in _service_parameter_apply_semantic_check_kubernetes
2022-05-06 09:01:28.178 116736 ERROR sysinv.api.controllers.v1.service_parameter subprocess.check_call(cmd, stdout=f) # pylint: disable=not-callable
2022-05-06 09:01:28.178 116736 ERROR sysinv.api.controllers.v1.service_parameter File "/usr/lib64/python2.7/subprocess.py", line 537, in check_call
2022-05-06 09:01:28.178 116736 ERROR sysinv.api.controllers.v1.service_parameter retcode = call(*popenargs, **kwargs)
2022-05-06 09:01:28.178 116736 ERROR sysinv.api.controllers.v1.service_parameter File "/usr/lib64/python2.7/subprocess.py", line 524, in call
2022-05-06 09:01:28.178 116736 ERROR sysinv.api.controllers.v1.service_parameter return Popen(*popenargs, **kwargs).wait()
2022-05-06 09:01:28.178 116736 ERROR sysinv.api.controllers.v1.service_parameter File "/usr/lib/python2.7/site-packages/eventlet/green/subprocess.py", line 58, in __init__
2022-05-06 09:01:28.178 116736 ERROR sysinv.api.controllers.v1.service_parameter subprocess_orig.Popen.__init__(self, args, 0, *argss, **kwds)
2022-05-06 09:01:28.178 116736 ERROR sysinv.api.controllers.v1.service_parameter File "/usr/lib64/python2.7/subprocess.py", line 711, in __init__
2022-05-06 09:01:28.178 116736 ERROR sysinv.api.controllers.v1.service_parameter errread, errwrite)
2022-05-06 09:01:28.178 116736 ERROR sysinv.api.controllers.v1.service_parameter File "/usr/lib64/python2.7/subprocess.py", line 1327, in _execute_child
2022-05-06 09:01:28.178 116736 ERROR sysinv.api.controllers.v1.service_parameter raise child_exception
2022-05-06 09:01:28.178 116736 ERROR sysinv.api.controllers.v1.service_parameter OSError: [Errno 13] Permission denied
2022-05-06 09:01:28.178 116736 ERROR sysinv.api.controllers.v1.service_parameter
sysinv 2022-05-06 09:01:28.195 116736 ERROR wsme.api [-] Server-side error: "'exceptions.OSError' object has no attribute 'returncode'". Detail:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/wsmeext/pecan.py", line 85, in callfunction
    result = f(self, *args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/sysinv/api/controllers/v1/service_parameter.py", line 830, in apply
    self._service_parameter_apply_semantic_check(service)
  File "/usr/lib64/python2.7/site-packages/sysinv/api/controllers/v1/service_parameter.py", line 810, in _service_parameter_apply_semantic_check
    self._service_parameter_apply_semantic_check_kubernetes()
  File "/usr/lib64/python2.7/site-packages/sysinv/api/controllers/v1/service_parameter.py", line 760, in _service_parameter_apply_semantic_check_kubernetes
    raise exception.KubeCmdFailed(rc=e.returncode, command=' '.join(cmd))
AttributeError: 'exceptions.OSError' object has no attribute 'returncode'
Reviewed: https://review.opendev.org/c/starlingx/config/+/841659
Committed: https://opendev.org/starlingx/config/commit/065b704b726a286060e8ae1a92bb1a72d533e0e7
Submitter: "Zuul (22348)"
Branch: master
commit 065b704b726a286060e8ae1a92bb1a72d533e0e7
Author: Jorge Saffe <email address hidden>
Date: Thu May 12 20:29:59 2022 -0400
Fix error on runtime enable of Kubernetes audit
Enabling Kubernetes auditing at runtime using "audit-policy-file"
service parameter fails when trying to verify cluster
configuration for a valid audit policy file.
A call to kubectl command and the use of temporary files to
store the current configmap have been replaced with a
direct call to sysinv API.
This commit fixes:
* Permissions issues (OSError: [Errno 13] Permission denied)
* Exception code returns
Test Plan:
* CENTOS distro:
- Fresh Install with AIO-SX.
- Add audit-policy-file
- Apply changes (system service-parameter-apply kubernetes)
Closes-Bug: 1972756
Signed-off-by: Jorge Saffe <email address hidden>
Change-Id: I4cdcc2a70bb253794de00e7d670205d8112e470e
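The failure mode shown in the traceback above, reproduced as an added example (this is not the sysinv code and not the committed fix, which replaced the kubectl call with a sysinv API call). A handler that assumes every exception carries returncode hides the real "Permission denied" behind an AttributeError, while a handler that treats "could not be started" separately keeps the cause. KubeCmdFailed is a stand-in class with an assumed signature, the function names are hypothetical, and Python 3 on a POSIX host is assumed.

```python
import os
import subprocess
import tempfile


class KubeCmdFailed(Exception):  # stand-in for sysinv's class; signature assumed
    def __init__(self, rc, command):
        super().__init__("rc=%s command=%s" % (rc, command))
        self.rc = rc


def run_fragile(cmd):
    try:
        subprocess.check_call(cmd, stdout=subprocess.DEVNULL)
    except Exception as e:  # assumes every failure carries .returncode
        raise KubeCmdFailed(rc=e.returncode, command=" ".join(cmd))


def run_robust(cmd):
    try:
        subprocess.check_call(cmd, stdout=subprocess.DEVNULL)
    except subprocess.CalledProcessError as e:  # ran, exited non-zero
        raise KubeCmdFailed(rc=e.returncode, command=" ".join(cmd))
    except OSError as e:  # never started (EACCES, ENOENT): no exit status
        raise KubeCmdFailed(rc=None, command=" ".join(cmd)) from e


def outcome(runner, cmd):  # -> (exception name, rc, errno of chained cause)
    try:
        runner(cmd)
    except (KubeCmdFailed, AttributeError) as e:
        errno_ = getattr(e.__cause__, "errno", None)
        return (type(e).__name__, getattr(e, "rc", None), errno_)
    return ("ok", 0, None)


def make_non_executable():
    """Constructed sample: mkstemp creates the file with no execute bit set."""
    fd, path = tempfile.mkstemp(suffix=".sh")
    os.write(fd, b"#!/bin/sh\nexit 0\n")
    os.close(fd)
    return path


if __name__ == "__main__":
    blocked = make_non_executable()
    for runner in (run_fragile, run_robust):
        print(runner.__name__, outcome(runner, [blocked]), outcome(runner, ["false"]))
    os.unlink(blocked)
```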