Red Hat Single Sign-On operator using deprecated API in OpenShift 4

Solution Verified - Updated

Environment

  • Red Hat OpenShift Container Platform (RHOCP)
    • 4.10
    • 4.11
    • 4.12
  • Red Hat Single Sign-On (RH-SSO)
    • 7
  • Deprecated poddisruptionbudgets.v1beta1.policy and cronjobs.v1beta1.batch APIs

Issue

  • After upgrading to RHOCP 4.10, the cluster raises alerts about deprecated API calls made by rhsso-operator:

       -> endpoint 'cronjobs.v1beta1.batch' is deprecated in version '1.25'
           -> # of calls: 5 (last 1h), 185 (last 24h)
           -> it was called by the following callers in last 24h:
                -> system:serviceaccount:cip-rhsso-common:rhsso-operator
    
      -> endpoint 'poddisruptionbudgets.v1beta1.policy' is deprecated in version '1.25'
           -> # of calls: 5 (last 1h), 350 (last 24h)
           -> it was called by the following callers in last 24h:
                -> system:serviceaccount:cip-rhsso-common:rhsso-operator
    

Resolution

The PodDisruptionBudget API has been deprecated in the Keycloak Custom Resource, and the RH-SSO Operator 7.6 has already been patched to reflect that. The operator uses the deprecated API when it is available (OCP 4.11 and older), which triggers the alerts. When the API is missing from the cluster (OCP 4.12 and newer), it is simply ignored, as if it weren't specified.

The policy/v1beta1 alert relates to the PodDisruptionBudget, for which the operator has a fix. Despite the alerts, the operator does not actually use the batch/v1beta1 API.

It has been confirmed that no deprecated API issues happened with the RH SSO 7.6 Operator in OpenShift 4.12.

Please refer to the related release notes as well as the upgrading guide with a workaround.

Root Cause

The poddisruptionbudgets.v1beta1.policy and cronjobs.v1beta1.batch APIs are removed in OpenShift 4.12 as explained in Preparing to upgrade to OpenShift Container Platform 4.12, and RH-SSO was still using them.

The RH-SSO operator 7.6 already includes a fix so that it does not use these APIs when they are not available. When the APIs are missing from the cluster (in OpenShift 4.12 and newer versions), they are simply ignored.

Diagnostic Steps

  • Run the following command and examine the REMOVEDINRELEASE column of the output to identify APIs that will be removed in a future release but are currently in use:

    $ oc get apirequestcounts
    
  • Also use -o jsonpath to filter the results:

    $ oc get apirequestcounts -o jsonpath='{range .items[?(@.status.removedInRelease!="")]}{.status.removedInRelease}{"\t"}{.status.requestCount}{"\t"}{.metadata.name}{"\n"}{end}'
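
    The commands above show which deprecated APIs are in use, but not who is calling them. The following added example (not part of the original solution or of any Red Hat tooling) rebuilds the per-caller breakdown seen in the alert from saved `oc get apirequestcounts -o json` output. The function name, the file argument and the embedded sample counts are assumptions made for illustration.

```python
import json
import sys
from collections import defaultdict

# Constructed sample shaped like `oc get apirequestcounts -o json` output
# (APIRequestCount, apiserver.openshift.io/v1); the counts are illustrative.
SA = "system:serviceaccount:cip-rhsso-common:rhsso-operator"  # caller named in the alert
SAMPLE = {"items": [
    {"metadata": {"name": "poddisruptionbudgets.v1beta1.policy"},
     "status": {"removedInRelease": "1.25", "last24h": [
         {"byNode": [{"byUser": [{"username": SA, "requestCount": 200,
                                  "byVerb": [{"verb": "get", "requestCount": 200}]}]}]},
         {"byNode": [{"byUser": [{"username": SA, "requestCount": 150,
                                  "byVerb": [{"verb": "watch", "requestCount": 150}]}]}]},
         {"requestCount": 0},  # an hour with no traffic has no byNode list
     ]}},
    {"metadata": {"name": "pods.v1"},  # no removedInRelease: must be skipped
     "status": {"last24h": [{"byNode": [{"byUser": [
         {"username": "system:admin", "requestCount": 9}]}]}]}},
]}


def deprecated_callers(doc):
    """Map each API that has removedInRelease set to its callers over the last 24h."""
    report = {}
    for item in doc.get("items", []):
        status = item.get("status", {})
        removed_in = status.get("removedInRelease", "")
        if not removed_in:  # API is not scheduled for removal
            continue
        callers = defaultdict(lambda: {"count": 0, "verbs": set()})
        for hour in status.get("last24h") or []:
            for node in hour.get("byNode") or []:
                for user in node.get("byUser") or []:
                    entry = callers[user.get("username", "<unknown>")]
                    entry["count"] += user.get("requestCount", 0)
                    entry["verbs"].update(v["verb"] for v in user.get("byVerb") or [])
        report[item["metadata"]["name"]] = {"removed_in": removed_in, "callers": dict(callers)}
    return report


if __name__ == "__main__":
    doc = SAMPLE
    if len(sys.argv) > 1:  # path to a file saved from `oc get apirequestcounts -o json`
        with open(sys.argv[1]) as fh:
            doc = json.load(fh)
    for api, info in sorted(deprecated_callers(doc).items()):
        print(f"{api} (removed in {info['removed_in']})")
        for name, c in sorted(info["callers"].items(), key=lambda kv: -kv[1]["count"]):
            print(f"  {c['count']:>6}  {','.join(sorted(c['verbs']))}  {name}")
```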
    

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.