
What's calling an API

Is there a way to work out what's calling an API?

All our GKE clusters are now not auto upgrading as they are using deprecated APIs. In our case, all are calling

/apis/rbac.authorization.k8s.io/v1beta1/roles

At around 03:50 in the morning. So this is some sort of automated system that must be calling them. I've inherited the clusters/projects so didn't set them up, but we're mainly using just deployments/configmaps/secrets/ingress. All the manifests are up-to-date and don't reference any roles etc.

Deployments are done, usually during the day, via Helm or Kubectl; as the timings don't match up, I don't believe this is the culprit.

So then we're left with the kube-system namespace, which I assumed (possibly wrongly) is managed by GKE so cluster upgrades etc would keep these up-to-date.

So where should I be looking to find out what's calling this API so that it can be either upgraded, stopped or some other remedy so that we can continue upgrading the clusters etc.?

Any help would be appreciated.


3 REPLIES

As shown in the documentation Locating API clients writing to deprecated APIs:

Clusters with Google Cloud's operations suite enabled can use the following Admin Activity log query to show the use of 1.22 deprecated APIs by users that are not Google-managed:
resource.type="k8s_cluster"
labels."k8s.io/removed-release"="1.22"
protoPayload.authenticationInfo.principalEmail:("system:serviceaccount" OR "@")
protoPayload.authenticationInfo.principalEmail!~("system:serviceaccount:kube-system:")

Ah, I'd meant to put in the initial post; the cluster page shows:

| API | Total calls (last 30 days) | Last called |
| --- | --- | --- |
| /apis/rbac.authorization.k8s.io/v1beta1/roles | 128 | 23 Jun 2022, 00:41:00 |

And running that Activity Log filter returns no responses (currently set to look back 7 days)

In the end I just upgraded staging to 1.22 and am ensuring that it all still seems to work before upgrading our Live infrastructures.

As an update, they've all stopped reporting the API call, so I assume it was an internal Google thing that's since auto-updated to the new endpoints
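
One way to tally who is calling a deprecated API from exported audit log entries, including the kube-system service accounts that the quoted log query excludes. This is an added example, not code from the thread or from Google's documentation; the sample entries and the `example-addon` principal are constructed, and the entry layout is assumed to follow the Cloud Audit Logs JSON format (`protoPayload.authenticationInfo.principalEmail`, `protoPayload.requestMetadata.callerSuppliedUserAgent`).

```python
from collections import Counter

# Constructed entries, shaped like `gcloud logging read --format=json` output.
def _entry(ts, principal, agent):
    return {"timestamp": ts, "resource": {"type": "k8s_cluster"},
            "labels": {"k8s.io/removed-release": "1.22"},
            "protoPayload": {
                "authenticationInfo": {"principalEmail": principal},
                "requestMetadata": {"callerSuppliedUserAgent": agent},
                "resourceName": "rbac.authorization.k8s.io/v1beta1/namespaces/kube-system/roles"}}

KUBE_SYSTEM_SA = "system:serviceaccount:kube-system:example-addon"  # hypothetical name
SAMPLE = [
    _entry("2022-06-21T03:50:04Z", KUBE_SYSTEM_SA, "example-addon/v0.1"),
    _entry("2022-06-22T03:50:07Z", KUBE_SYSTEM_SA, "example-addon/v0.1"),
    _entry("2022-06-22T14:05:31Z", "dev@example.com", "kubectl/v1.21.0"),
]

def shown_by_documented_filter(entry, release="1.22"):
    """True if the entry satisfies all four lines of the quoted log query."""
    email = entry["protoPayload"]["authenticationInfo"].get("principalEmail", "")
    return (entry["resource"]["type"] == "k8s_cluster"
            and entry.get("labels", {}).get("k8s.io/removed-release") == release
            and ("system:serviceaccount" in email or "@" in email)
            and "system:serviceaccount:kube-system:" not in email)

def callers(entries, release="1.22"):
    """Count deprecated-API calls per (principal, user agent, UTC hour),
    keeping callers the quoted query hides and marking which ones are hidden."""
    counts, hidden = Counter(), set()
    for e in entries:
        if e.get("labels", {}).get("k8s.io/removed-release") != release:
            continue
        p = e["protoPayload"]
        key = (p["authenticationInfo"].get("principalEmail", "<none>"),
               p.get("requestMetadata", {}).get("callerSuppliedUserAgent", "<none>"),
               e["timestamp"][11:13])  # hour field of the RFC 3339 timestamp
        counts[key] += 1
        if not shown_by_documented_filter(e, release):
            hidden.add(key)
    return [(k, n, k in hidden) for k, n in counts.most_common()]

if __name__ == "__main__":
    for (principal, agent, hour), n, is_hidden in callers(SAMPLE):
        note = "excluded by the quoted query" if is_hidden else "shown by the quoted query"
        print(f"{n:4d}  {hour}:00 UTC  {principal}  {agent}  ({note})")
```

A caller that appears only in the "excluded" rows is consistent with the quoted query returning nothing while the cluster page still counts calls.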
