Uploaded image for project: 'OpenShift Cloud Credential Operator'
  1. OpenShift Cloud Credential Operator
  2. CCO-522

Impact Guard mint-mode GCP 4.14 to 4.15 on sufficient creds

XMLWordPrintable

    • Icon: Spike Spike
    • Resolution: Done
    • Icon: Critical Critical
    • None
    • None
    • None
    • False
    • None
    • False

      This is an impact statement for OCPBUGS-28231.

      Which 4.y.z to 4.y'.z' updates increase vulnerability?

      • 4.14 to 4.15 upgrades have a new role requirement (roleAdmin) on the root credential.

      Which types of clusters?

      • example: GCP clusters mint credentials. Check your vulnerability with:
      $ oc get -o jsonpath='{.status.platformStatus.type}{"\n"}' infrastructure cluster
      GCP
      

      And then this worksheet to determine your credential mode.

      Or the following PromQL:

      (
        group by (mode) (cco_credentials_mode{mode="mint"})
        or
        0 * group by (mode) (cco_credentials_mode)
      )
      * on () group_left (type)
      (
        group by (type) (cluster_infrastructure_provider{type="GCP"})
        or
        0 * group by (type) (cluster_infrastructure_provider)
      )
      

      What is the impact? Is it serious enough to warrant removing update recommendations?

      • The update will wedge on the CCO ClusterOperator being unable to mint the incoming 4.15 creds.

      How involved is remediation?

      Is this a regression?

      • Yes. While the permission is part of a new feature, the customer experiences a blocking error in cloud-credential-operator that they didn't previously experience.

            jstuever@redhat.com Jeremiah Stuever
            trking W. Trevor King
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated:
              Resolved: