OpenShift Bugs: OCPBUGS-58313

apiserver-library-go should be updated to include more safe sysctls to reflect upstream changes


    • Quality / Stability / Reliability
    • Important
    • In Progress
    • Release Note Not Required

      Description of problem:

      The sysctl net.ipv4.ip_local_reserved_ports has been added in k8s upstream as a safe sysctl since k8s 1.27, and our documentation states it has been a safe sysctl since OpenShift 4.14.

      But during the partner's test the sysctl net.ipv4.ip_local_reserved_ports is still treated as an unsafe one; when checking the code it turned out that apiserver-library-go was not updated to reflect the upstream changes:

      4.14 example:

      1. upstream: 6 safe sysctls in total: https://github.com/openshift/kubernetes/blob/release-4.14/pkg/kubelet/sysctl/safe_sysctls.go#L45
      2. SCC: 5 safe sysctls in total: https://github.com/openshift/apiserver-library-go/blob/release-4.14/pkg/securitycontextconstraints/sysctl/mustmatchpatterns.go#L34-L38

      4.18:

      1. upstream: 10 sysctls in total: https://github.com/openshift/kubernetes/blob/release-4.18/pkg/kubelet/sysctl/safe_sysctls.go
      2. SCC: 9 sysctls: https://github.com/openshift/apiserver-library-go/blob/release-4.18/pkg/securitycontextconstraints/sysctl/mustmatchpatterns.go#L34-L42

      4.20 (more sysctls are missing):

      1. upstream: https://github.com/openshift/kubernetes/blob/release-4.20/pkg/kubelet/sysctl/safe_sysctls.go#L36-L69
      2. SCC: https://github.com/openshift/apiserver-library-go/blob/release-4.20/pkg/securitycontextconstraints/sysctl/mustmatchpatterns.go#L27C1-L44C2
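      The following is an added example, not code from this bug or from apiserver-library-go or the kubelet. It models the two lists the bug compares for 4.14 and shows why a pod requesting net.ipv4.ip_local_reserved_ports passes the kubelet's safe list but fails SCC validation, and how an admin can bridge the gap with an allowedUnsafeSysctls pattern until the library is updated. The kubelet list is reconstructed from upstream safe_sysctls.go as the 6 entries the bug counts, the SCC list as its first 5 entries, and the decision order (forbidden patterns first, then the safe list, then allowedUnsafeSysctls) is my model of the strategy; all three are assumptions to verify against the linked files.

```go
package main

import (
	"fmt"
	"strings"
)

// kubeletSafeSysctls: the 6 entries the bug counts in release-4.14
// safe_sysctls.go (names reconstructed from upstream; assumption, verify).
var kubeletSafeSysctls = []string{
	"kernel.shm_rmid_forced",
	"net.ipv4.ip_local_port_range",
	"net.ipv4.tcp_syncookies",
	"net.ipv4.ping_group_range",
	"net.ipv4.ip_unprivileged_port_start",
	"net.ipv4.ip_local_reserved_ports",
}

// sccSafeSysctls: the 5 entries the bug counts in release-4.14
// mustmatchpatterns.go (assumption: the list lags upstream by the last entry).
var sccSafeSysctls = []string{
	"kernel.shm_rmid_forced",
	"net.ipv4.ip_local_port_range",
	"net.ipv4.tcp_syncookies",
	"net.ipv4.ping_group_range",
	"net.ipv4.ip_unprivileged_port_start",
}

// matchesPattern reports whether name matches an SCC sysctl pattern: either an
// exact sysctl name or a prefix ending in "*" (e.g. "net.ipv4.*"), the
// convention used by allowedUnsafeSysctls and forbiddenSysctls.
func matchesPattern(name, pattern string) bool {
	if strings.HasSuffix(pattern, "*") {
		return strings.HasPrefix(name, strings.TrimSuffix(pattern, "*"))
	}
	return name == pattern
}

// SysctlDecision is the outcome of admission-style validation of one sysctl.
type SysctlDecision struct {
	Name    string
	Allowed bool
	Reason  string
}

// validateSysctl models the SCC sysctl strategy (assumed order): forbidden
// patterns win, then the SCC safe list, then allowedUnsafeSysctls patterns.
func validateSysctl(name string, safe, allowedUnsafe, forbidden []string) SysctlDecision {
	for _, p := range forbidden {
		if matchesPattern(name, p) {
			return SysctlDecision{name, false, "matches forbiddenSysctls pattern " + p}
		}
	}
	for _, s := range safe {
		if s == name {
			return SysctlDecision{name, true, "in SCC safe list"}
		}
	}
	for _, p := range allowedUnsafe {
		if matchesPattern(name, p) {
			return SysctlDecision{name, true, "matches allowedUnsafeSysctls pattern " + p}
		}
	}
	return SysctlDecision{name, false, "not in SCC safe list and no allowedUnsafeSysctls pattern matches"}
}

// safeListDrift returns the sysctls the kubelet treats as safe but the SCC
// safe list does not; a non-empty result is exactly the mismatch reported here.
func safeListDrift(kubelet, scc []string) []string {
	known := make(map[string]bool, len(scc))
	for _, s := range scc {
		known[s] = true
	}
	var missing []string
	for _, s := range kubelet {
		if !known[s] {
			missing = append(missing, s)
		}
	}
	return missing
}

func main() {
	for _, m := range safeListDrift(kubeletSafeSysctls, sccSafeSysctls) {
		fmt.Printf("kubelet-safe but SCC-unsafe: %s\n", m)
	}
	name := "net.ipv4.ip_local_reserved_ports"
	// Default SCC: rejected because the library's list is stale.
	fmt.Println(validateSysctl(name, sccSafeSysctls, nil, nil))
	// Admin workaround until the library is updated: allow it explicitly.
	fmt.Println(validateSysctl(name, sccSafeSysctls, []string{name}, nil))
}
```

      Running the drift check against the linked files for 4.18 and 4.20 (by pasting those lists in place of the two slices) would list every sysctl the kubelet accepts but the SCC still rejects, which is the set the library update needs to add.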

      Version-Release number of selected component (if applicable):

      4.14 -> 4.20

      How reproducible:

      Always    

      Steps to Reproduce:

      Actual results:

      Expected results:

      Additional info:

              rh-ee-jujohn Jubitta John
              bzhai@redhat.com XIAOBO ZHAI
              Xingxing Xia