OpenShift Bugs / OCPBUGS-61681

[release-4.19] apiserver-library-go shall be updated to include more safe sysctls to reflect upstream changes


    • Bug
    • Resolution: Unresolved
    • Major
    • 4.14.z, 4.15.z, 4.17.z, 4.16.z, 4.18.z, 4.19.z, 4.20
    • apiserver-auth
    • Quality / Stability / Reliability
    • False
    • Important

      This is a clone of issue OCPBUGS-61679. The following is the description of the original issue:

      This is a clone of issue OCPBUGS-58313. The following is the description of the original issue:

      Description of problem:

      The sysctl net.ipv4.ip_local_reserved_ports has been a safe sysctl parameter in upstream k8s since k8s 1.27, and our documentation also says it has been a safe sysctl since OpenShift 4.14.

      But during the partner's test, the sysctl net.ipv4.ip_local_reserved_ports was still treated as an unsafe one. Checking the code, it turned out that apiserver-library-go was not updated to reflect the upstream changes:

      4.14 example:

      1. upstream: 6 safe sysctls in total: https://github.com/openshift/kubernetes/blob/release-4.14/pkg/kubelet/sysctl/safe_sysctls.go#L45
      2. SCC: 5 safe sysctls in total: https://github.com/openshift/apiserver-library-go/blob/release-4.14/pkg/securitycontextconstraints/sysctl/mustmatchpatterns.go#L34-L38

      4.18:

      1. upstream: 10 sysctls in total: https://github.com/openshift/kubernetes/blob/release-4.18/pkg/kubelet/sysctl/safe_sysctls.go
      2. SCC: 9 sysctls: https://github.com/openshift/apiserver-library-go/blob/release-4.18/pkg/securitycontextconstraints/sysctl/mustmatchpatterns.go#L34-L42

      4.20 (more sysctls are missing):

      1. upstream: https://github.com/openshift/kubernetes/blob/release-4.20/pkg/kubelet/sysctl/safe_sysctls.go#L36-L69
      2. SCC: https://github.com/openshift/apiserver-library-go/blob/release-4.20/pkg/securitycontextconstraints/sysctl/mustmatchpatterns.go#L27C1-L44C2

      Version-Release number of selected component (if applicable):

      4.14 -> 4.20

      How reproducible:

      Always    

      Steps to Reproduce:

      1. 
      2. 
      3. 
          

      Actual results:

       

      Expected results:

       

      Additional info:

       

              rh-ee-jujohn Jubitta John
              bzhai@redhat.com XIAOBO ZHAI
              Xingxing Xia Xingxing Xia
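
The drift this issue describes can be checked mechanically. The following is an added example, not code from apiserver-library-go or Kubernetes: a simplified model of the comparison, in which the two lists are assumed sample data chosen to match the 6-versus-5 count reported for 4.14, and the trailing-`*` prefix rule for `allowedUnsafeSysctls` entries is modelled by the hypothetical helper `matches`.

```go
package main

import (
	"fmt"
	"strings"
)

// Assumed sample data for the 4.14 case in the report (6 upstream vs 5 SCC);
// the two files linked in the issue are the authoritative lists.
var kubeletSafe = []string{
	"kernel.shm_rmid_forced", "net.ipv4.ip_local_port_range",
	"net.ipv4.tcp_syncookies", "net.ipv4.ping_group_range",
	"net.ipv4.ip_unprivileged_port_start", "net.ipv4.ip_local_reserved_ports",
}
var sccSafe = kubeletSafe[:5]

// matches reports whether name equals pattern, or pattern ends in "*" and
// name starts with the text before it (the allowedUnsafeSysctls entry style).
func matches(pattern, name string) bool {
	if strings.HasSuffix(pattern, "*") {
		return strings.HasPrefix(name, strings.TrimSuffix(pattern, "*"))
	}
	return pattern == name
}

func anyMatch(patterns []string, name string) bool {
	for _, p := range patterns {
		if matches(p, name) {
			return true
		}
	}
	return false
}

// Drift returns sysctls that the kubelet list treats as safe but that an
// admission check built on the scc list would still reject, unless the
// SCC's allowedUnsafe patterns happen to cover them.
func Drift(kubelet, scc, allowedUnsafe []string) []string {
	var out []string
	for _, s := range kubelet {
		if !anyMatch(scc, s) && !anyMatch(allowedUnsafe, s) {
			out = append(out, s)
		}
	}
	return out
}

func main() {
	fmt.Println("safe for kubelet, rejected by SCC:", Drift(kubeletSafe, sccSafe, nil))
	fmt.Println("with net.ipv4.ip_local_* allowed:", Drift(kubeletSafe, sccSafe, []string{"net.ipv4.ip_local_*"}))
}
```

Run against lists extracted from each release branch, a non-empty result from `Drift` with no allowed patterns flags a branch where the SCC list lags the kubelet list.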