Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Major
Fix Version/s: None
Affects Version/s: 4.14.z, 4.15.z, 4.17.z, 4.16.z, 4.18.z, 4.19.z, 4.20
Component/s: apiserver-auth
Labels:
- telco-5g

Activity Type:
Quality / Stability / Reliability
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Story Points:
None
Severity:
Important
Regression:
None

Target Backport Versions:
None
Target Version:

4.19.z
Release Blocker:
None
Sprint:
None

RH Private Keywords:

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

PX Impact Score:

Release Note Status:
None
Release Note Type:
None
Release Note Text:
None

Escape Reason:
None
Escape Impact:
None
Corrective Measures:
None
SDLC stage when should've been found:
None

This is a clone of issue OCPBUGS-61679. The following is the description of the original issue:
—
This is a clone of issue OCPBUGS-58313. The following is the description of the original issue:
—
Description of problem:

The sysctl net.ipv4.ip_local_reserved_ports has been added in k8s upstream as a safed sysctl parameter since k8s 1.27, also our document mentioned it has been a safed sysctl since OpenShift 4.14. 

But actually during the partner's test the sysctl net.ipv4.ip_local_reserved_ports is still considered as a unsafed one, when checking the code it turned out the apiserver-library-go was not updated to reflect the upstream changes:

4.14 example: 

1. upstream 6 safed sysctl in total: https://github.com/openshift/kubernetes/blob/release-4.14/pkg/kubelet/sysctl/safe_sysctls.go#L45
2. SCC 5 safed sysctls in total: https://github.com/openshift/apiserver-library-go/blob/release-4.14/pkg/securitycontextconstraints/sysctl/mustmatchpatterns.go#L34-L38

4.18:
1: upstream totally 10 sysctls: https://github.com/openshift/kubernetes/blob/release-4.18/pkg/kubelet/sysctl/safe_sysctls.go 
2: SCC 9 sysctls: https://github.com/openshift/apiserver-library-go/blob/release-4.18/pkg/securitycontextconstraints/sysctl/mustmatchpatterns.go#L34-L42

4.20 (more sysctls are missing): 
1: upstream: https://github.com/openshift/kubernetes/blob/release-4.20/pkg/kubelet/sysctl/safe_sysctls.go#L36-L69
2: SCC: https://github.com/openshift/apiserver-library-go/blob/release-4.20/pkg/securitycontextconstraints/sysctl/mustmatchpatterns.go#L27C1-L44C2

Version-Release number of selected component (if applicable):

4.14 -> 4.20

How reproducible:

Always

Steps to Reproduce:

1. 
2. 
3.

Actual results:

Expected results:

Additional info:

blocks

OCPBUGS-61682 [release-4.18]apiserver-library-go shall be updated to include more safed sysctl to reflect upstream changes

clones

OCPBUGS-61679 [release-4.20]apiserver-library-go shall be updated to include more safed sysctl to reflect upstream changes

POST

is blocked by

OCPBUGS-61679 [release-4.20]apiserver-library-go shall be updated to include more safed sysctl to reflect upstream changes

POST

is cloned by

OCPBUGS-61682 [release-4.18]apiserver-library-go shall be updated to include more safed sysctl to reflect upstream changes

Assignee:: Jubitta John

Reporter:: XIAOBO ZHAI

Need Info From:: None

Contributors:: None

QA Contact:: Xingxing Xia

Doc Contact:: None

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Created:: 2025/09/12 3:09 PM

Updated:: 2025/09/12 7:03 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates

Hide