Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Done
Priority: Critical
Fix Version/s: None
Affects Version/s: 4.13, 4.14
Component/s: Cloud Compute / Other Provider
Labels:
None

Regression:
No
Sprint:
CLOUD Sprint 234, CLOUD Sprint 235
sprint_count:
2
Release Blocker:
Proposed
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Release Note Text:
N/A
Release Note Type:
Bug Fix
Release Note Status:
Done
Target Version:

4.13.0

SFDC Cases Counter:
SFDC Cases Links:

Description

Kubernetes 1.27 changes validation of CSR for non-RSA kubelet client/serving CSRs, see https://github.com/kubernetes/kubernetes/issues/109077 and the PR changing https://github.com/kubernetes/kubernetes/pull/111660.

For that reason our machine-config-approver needs to relax the validation in https://github.com/openshift/cluster-machine-approver/blob/d74f42bb37c4130ae1e91819d90ad40a51ec472b/pkg/controller/csr_check.go#L84-L86 such that it appropriately expects the necessary key usage.

Attachments

Issue Links

clones

OCPBUGS-11225 Relax CSR check due to k8s 1.27 changes

Closed

depends on

OCPBUGS-11225 Relax CSR check due to k8s 1.27 changes

Closed

links to

openshift/cluster-machine-approver#185: [release-4.13] OCPBUGS-11227: approver: fix ECDSA approvals in 1.27

openshift/cluster-machine-approver#187: [release-4.13] OCPBUGS-11227: Update isNodeClientCert to allow for new key usages

openshift/cluster-machine-approver#190: [release-4.13] OCPBUGS-11227: Update node client allowed usages

Activity

People

Assignee:: Joel Speed

Reporter:: Maciej Szulik

QA Contact:: Milind Yadav

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Dates

Created:: 2023/03/31 3:30 PM

Updated:: 2023/05/17 10:44 PM

Resolved:: 2023/05/17 10:44 PM