Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Done-Errata
Priority: Critical
Fix Version/s: 4.14.0
Affects Version/s: 4.13, 4.14
Component/s: Cloud Compute / Other Provider
Labels:
None

Regression:
No
Sprint:
CLOUD Sprint 234, CLOUD Sprint 235
sprint_count:
2
Release Blocker:
Proposed
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Release Note Text:
N/A
Release Note Type:
Release Note Not Required
Release Note Status:
Done
Target Version:

4.14.0

SFDC Cases Counter:
SFDC Cases Links:

Description

Kubernetes 1.27 changes validation of CSR for non-RSA kubelet client/serving CSRs, see https://github.com/kubernetes/kubernetes/issues/109077 and the PR changing https://github.com/kubernetes/kubernetes/pull/111660.

For that reason our machine-config-approver needs to relax the validation in https://github.com/openshift/cluster-machine-approver/blob/d74f42bb37c4130ae1e91819d90ad40a51ec472b/pkg/controller/csr_check.go#L84-L86 such that it appropriately expects the necessary key usage.

Attachments

Issue Links

is cloned by

OCPBUGS-11227 Relax CSR check due to k8s 1.27 changes

Closed

is depended on by

OCPBUGS-11227 Relax CSR check due to k8s 1.27 changes

Closed

links to

openshift/cluster-machine-approver#184: OCPBUGS-11225: approver: fix ECDSA approvals in 1.17

openshift/cluster-machine-approver#186: OCPBUGS-11225: Update isNodeClientCert to allow for new key usages

openshift/cluster-machine-approver#189: OCPBUGS-11225: Update node client allowed usages

RHEA-2023:5006 rpm

(1 links to)

Activity

People

Assignee:: Joel Speed

Reporter:: Maciej Szulik

QA Contact:: Milind Yadav

Doc Contact:: Jeana Routh

Votes:: 0 Vote for this issue

Watchers:: 8 Start watching this issue

Dates

Created:: 2023/03/31 3:26 PM

Updated:: 2023/10/31 1:34 PM

Resolved:: 2023/10/31 1:34 PM