-
Bug
-
Resolution: Unresolved
-
Major
-
4.14.z, 4.15.z, 4.17.z, 4.16.z, 4.18.z, 4.19.z, 4.20
Description of problem:
The sysctl net.ipv4.ip_local_reserved_ports has been added in k8s upstream as a safed sysctl parameter since k8s 1.27, also our document mentioned it has been a safed sysctl since OpenShift 4.14. But actually during the partner's test the sysctl net.ipv4.ip_local_reserved_ports is still considered as a unsafed one, when checking the code it turned out the apiserver-library-go was not updated to reflect the upstream changes: 4.14 example: 1. upstream 6 safed sysctl in total: https://github.com/openshift/kubernetes/blob/release-4.14/pkg/kubelet/sysctl/safe_sysctls.go#L45 2. SCC 5 safed sysctls in total: https://github.com/openshift/apiserver-library-go/blob/release-4.14/pkg/securitycontextconstraints/sysctl/mustmatchpatterns.go#L34-L38 4.18: 1: upstream totally 10 sysctls: https://github.com/openshift/kubernetes/blob/release-4.18/pkg/kubelet/sysctl/safe_sysctls.go 2: SCC 9 sysctls: https://github.com/openshift/apiserver-library-go/blob/release-4.18/pkg/securitycontextconstraints/sysctl/mustmatchpatterns.go#L34-L42 4.20 (more sysctls are missing): 1: upstream: https://github.com/openshift/kubernetes/blob/release-4.20/pkg/kubelet/sysctl/safe_sysctls.go#L36-L69 2: SCC: https://github.com/openshift/apiserver-library-go/blob/release-4.20/pkg/securitycontextconstraints/sysctl/mustmatchpatterns.go#L27C1-L44C2
Version-Release number of selected component (if applicable):
4.14 -> 4.20
How reproducible:
Always
Steps to Reproduce:
1.
2.
3.
Actual results:
Expected results:
Additional info:
- blocks
-
-
- POST
-
- is cloned by
-
-
- POST
-
- links to