Loading...

XML

Word

Printable

Type: Spike
Resolution: Done
Priority: Critical
Fix Version/s: None
Affects Version/s: None
Component/s: None
Labels:
- UpgradeBlocker
- migrated-from-sdn

Activity Type:
None
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Ready:
False
Epic Link:
None
Story Points:
None

Target Version:
None
Sprint:
None

Impact of the ~~OCPBUGS-28920~~ series:

Which 4.y.z to 4.y'.z' updates increase vulnerability?

Upgrades from 4.11 and 4.12.x<48 to 4.12.48+
Upgrades from 4.12.x<48 and 4.13.x<29 to 4.13.30+
Upgrades from 4.13.x<30 and 4.14.x<9 to 4.14.9+ are not exposed.
Upgrades from 4.14.x<9 to 4.15.0-rc.1+ are not exposed.

Which types of clusters?

Clusters with ingress controller config EndpointPublishingStrategy=HostNetwork AND using Network policies with rule policy-group.network.openshift.io/ingress: ""
Only clusters on non-cloud platforms use the HostNetwork endpoint publishing strategy: None, BareMetal, VSphere, OpenStack, Nutanix, Libvirt, KubeVirt, EquinixMetal, and External and therefore are affected if they use NetworkPolicies with rule policy-group.network.openshift.io/ingress: ""
Clusters on cloud platforms use LoadBalancer endpoint publishing strategy: Alibaba, AWS, Azure, GCP, IBMCloud, and PowerVS, so these platforms are NOT affected

What is the impact? Is it serious enough to warrant removing update recommendations?

Namespaces that allowed incoming connections from the router pods with a given network policy rule ^ will block them after upgrade, which may lead to different disruptions (based on what those pods were doing, but considering they created this network policy in the first place, they are likely to be affected)

How involved is remediation?

there are multiple workarounds listed https://access.redhat.com/solutions/7055050

Is this a regression?

Yes, the the list where it was introduced:
- 4.13.30 https://issues.redhat.com/browse/OCPBUGS-22293
- 4.12.48 https://issues.redhat.com/browse/OCPBUGS-24039
Related changes are also present in other minor versions but these were confirmed to be not affected by the bug, listing them here for informational purposes:
- 4.16.0-ec.0 https://issues.redhat.com/browse/OCPBUGS-24691
- 4.15.0-rc.1 https://issues.redhat.com/browse/OCPBUGS-24036
- 4.14.9 https://issues.redhat.com/browse/OCPBUGS-24037
- 4.14.0+ since https://issues.redhat.com//browse/OCPBUGS-8070 may have a similar, but less severe problem (namespace labels may also flip, but less often)

blocks

OCPBUGS-28920 OCP 4.13.30 - allow-from-ingress NetworkPolicy does not consistently allow traffic from HostNetworked pods or from node IP's (packet timeout)

Closed

links to

openshift/cincinnati-graph-data#4744: SDN-4481: Set up `NetPolicyTimeoutsHostNetworkedPodTraffic`

openshift/cincinnati-graph-data#4762: NetPolicyTimeoutsHostNetworkedPodTraffic: Exclude cloud platforms from exposure

openshift/cincinnati-graph-data#4766: SDN-4481: Risk NetPolicyTimeoutsHostNetworkedPodTraffic does not impact 4.14+

Routes are unreachable after upgrading OpenShift to 4.13.30

Solution: OpenShift 4.13.30 - Intermittent 503 from all routes or timeouts when calling to backends directly when `allow-from-openshift-ingress` network policy is applied

(1 links to)

Assignee:: Nadia Pinaeva (Inactive)

Reporter:: Petr Muller

Need Info From:: None

Contributors:: None

QA Contact:: None

Doc Contact:: None

Votes:: 0 Vote for this issue

Watchers:: 18 Start watching this issue

Created:: 2024/02/07 12:39 PM

Updated:: 2025/09/13 11:29 PM

Resolved:: 2024/02/16 2:54 AM

Details

Description

Which 4.y.z to 4.y'.z' updates increase vulnerability?

Which types of clusters?

What is the impact? Is it serious enough to warrant removing update recommendations?

How involved is remediation?

Is this a regression?

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates

PagerDuty

Hide