gpu-operator - deprecated API 1.25 call in audit log

[jpeimer]

1. Issue or feature description

Deprecated API call in the audit log:

{'kind': 'Event', 'apiVersion': 'audit.k8s.io/v1', 'level': 'Metadata', 'auditID': '01f0ee12-92ad-45ff-b12f-4865eeab0227', 'stage': 'ResponseComplete', 'requestURI': '/apis/policy/v1beta1/podsecuritypolicies/gpu-operator-privileged', 'verb': 'delete', 'user': {'username': 'system:serviceaccount:nvidia-gpu-operator:gpu-operator', 'uid': 'bbbdfd80-8032-4f88-bf56-f84494309d05', 'groups': ['system:serviceaccounts', 'system:serviceaccounts:nvidia-gpu-operator', 'system:authenticated'], 'extra': {'authentication.kubernetes.io/pod-name': ['gpu-operator-7d46cdf9d7-rs2kb'], 'authentication.kubernetes.io/pod-uid': ['36990b54-ea61-4771-801d-0524289c6dc5']}}, 'sourceIPs': ['10.1.156.12'], 'userAgent': 'gpu-operator/v0.0.0 (linux/amd64) kubernetes/$Format', 'objectRef': {'resource': 'podsecuritypolicies', 'name': 'gpu-operator-privileged', 'apiGroup': 'policy', 'apiVersion': 'v1beta1'}, 'responseStatus': {'metadata': {}, 'status': 'Failure', 'message': 'podsecuritypolicies.policy "gpu-operator-privileged" not found', 'reason': 'NotFound', 'details': {'name': 'gpu-operator-privileged', 'group': 'policy', 'kind': 'podsecuritypolicies'}, 'code': 404}, 'requestReceivedTimestamp': '2022-11-26T01:12:58.912057Z', 'stageTimestamp': '2022-11-26T01:12:58.913672Z', 'annotations': {'authorization.k8s.io/decision': 'allow', 'authorization.k8s.io/reason': 'RBAC: allowed by ClusterRoleBinding "gpu-operator-certified.v22.9.0-776d5fcf49" of ClusterRole "gpu-operator-certified.v22.9.0-776d5fcf49" to ServiceAccount "gpu-operator/nvidia-gpu-operator"', 'k8s.io/deprecated': 'true', 'k8s.io/removed-release': '1.25'}}

$ kubectl get clusterversion
NAME      VERSION   AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.11.16   True        False         2d6h    Cluster version is 4.11.16

$ kubectl get csv -n nvidia-gpu-operator
NAME                             DISPLAY                                          VERSION    REPLACES                         PHASE
gpu-operator-certified.v22.9.0   NVIDIA GPU Operator                              22.9.0     gpu-operator-certified.v1.11.1   Succeeded
jaeger-operator.v1.38.0-2        Red Hat OpenShift distributed tracing platform   1.38.0-2   jaeger-operator.v1.36.0-2        Succeeded
kiali-operator.v1.57.3           Kiali Operator                                   1.57.3     kiali-operator.v1.48.3           Succeeded
servicemeshoperator.v2.3.0       Red Hat OpenShift Service Mesh                   2.3.0-0    servicemeshoperator.v2.2.3       Succeeded

2. Steps to reproduce the issue

1. Get audit logs:
   kubectl adm node-logs --role=master --path=kube-apiserver
2. Look for deprecated calls in each log, for example:
   kubectl adm node-logs cnv-qe-infra-21.cnvqe2.lab.eng.rdu2.redhat.com --path=kube-apiserver/audit-2022-06-16T19-22-41.798.log | grep '"k8s.io/deprecated":"true"'

[shivamerla]

@jpeimer Yes, PSP resource creation is retained in the code for orchestrators like VMware Tanzu, but not used for OCP. The audit log seems to be generated because we are trying to delete this resource for OCP as well. Will fix this as part of 23.03 release in March.

[jpeimer]

Thanks, @shivamerla

[shivamerla]

@jpeimer this has been fixed with v23.3.0, please try out and re-open if you still see this issue.