Loading...

XML

Word

Printable

Type: Story
Resolution: Done
Priority: Undefined
Fix Version/s: None
Affects Version/s: None
Labels:
None

Activity Type:
None
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Ready:
False
Epic Link:
None
Story Points:
None

Target Version:
None
Release Blocker:
None
Sprint:
None

HIVE-2212 made hiveadmission restrict to minimum TLS version 1.3 to satisfy a security audit from ACM driven by ACM-5192 => ACM-5216.

Today when testing via ACM2.8/MCE2.3 on OCP4.11, the ACM team discovered that the hiveadmission pods were unhealthy:

  Warning  Unhealthy  2m25s (x7509 over 18h)  kubelet, o4-ibmvm-02-n7jl5-worker-bgd56  Readiness probe failed: Get "https://10.131.0.89:9443/healthz": remote error: tls: protocol version not supported

This is because this particular env was using TLS1.2.

Due to time considerations, we're going to roll back the change in mce-2.3 and then figure out how to move forward.

More context in slack

relates to

HIVE-2816 Evaluate Readiness Requirements for PQC in Hive

New

HIVE-3007 TLS minimum version 1.3 for hiveadmission pods

New

links to

openshift/hive#2041: Revert "Require TLS cipher min version TLSv1.3"

openshift/hive#2053: Revert "Require TLS cipher min version TLSv1.3"

Assignee:: Eric Fried

Reporter:: Eric Fried

Need Info From:: None

Contributors:: None

QA Contact:: Jianping Shu

Doc Contact:: None

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Created:: 2023/06/06 2:21 PM

Updated:: 2025/11/20 6:53 PM

Resolved:: 2023/06/30 8:39 AM