Bug
Resolution: Unresolved
Major
4.14.z, 4.15.z, 4.17.z, 4.16.z, 4.18.z, 4.19.z, 4.20
Quality / Stability / Reliability
Important
This is a clone of issue OCPBUGS-61684. The following is the description of the original issue:
—
This is a clone of issue OCPBUGS-61683. The following is the description of the original issue:
—
This is a clone of issue OCPBUGS-61682. The following is the description of the original issue:
—
This is a clone of issue OCPBUGS-61681. The following is the description of the original issue:
—
This is a clone of issue OCPBUGS-61679. The following is the description of the original issue:
—
This is a clone of issue OCPBUGS-58313. The following is the description of the original issue:
—
Description of problem:
The sysctl net.ipv4.ip_local_reserved_ports has been added in k8s upstream as a safe sysctl parameter since k8s 1.27, and our documentation also mentions that it has been a safe sysctl since OpenShift 4.14. But during the partner's test, the sysctl net.ipv4.ip_local_reserved_ports was still considered an unsafe one. When checking the code, it turned out that apiserver-library-go was not updated to reflect the upstream changes:

4.14 example:
1. upstream, 6 safe sysctls in total: https://github.com/openshift/kubernetes/blob/release-4.14/pkg/kubelet/sysctl/safe_sysctls.go#L45
2. SCC, 5 safe sysctls in total: https://github.com/openshift/apiserver-library-go/blob/release-4.14/pkg/securitycontextconstraints/sysctl/mustmatchpatterns.go#L34-L38

4.18:
1. upstream, 10 sysctls in total: https://github.com/openshift/kubernetes/blob/release-4.18/pkg/kubelet/sysctl/safe_sysctls.go
2. SCC, 9 sysctls: https://github.com/openshift/apiserver-library-go/blob/release-4.18/pkg/securitycontextconstraints/sysctl/mustmatchpatterns.go#L34-L42

4.20 (more sysctls are missing):
1. upstream: https://github.com/openshift/kubernetes/blob/release-4.20/pkg/kubelet/sysctl/safe_sysctls.go#L36-L69
2. SCC: https://github.com/openshift/apiserver-library-go/blob/release-4.20/pkg/securitycontextconstraints/sysctl/mustmatchpatterns.go#L27C1-L44C2
Version-Release number of selected component (if applicable):
4.14 -> 4.20
How reproducible:
Always
Steps to Reproduce:
1. 2. 3.
Actual results:
Expected results:
Additional info:
- blocks: OCPBUGS-61686 [release-4.14]apiserver-library-go shall be updated to include more safed sysctl to reflect upstream changes (New)
- clones: OCPBUGS-61684 [release-4.16]apiserver-library-go shall be updated to include more safed sysctl to reflect upstream changes (New)
- is blocked by: OCPBUGS-61684 [release-4.16]apiserver-library-go shall be updated to include more safed sysctl to reflect upstream changes (New)
- is cloned by: OCPBUGS-61686 [release-4.14]apiserver-library-go shall be updated to include more safed sysctl to reflect upstream changes (New)
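The drift described in this issue, as an added example that is not part of the original report or of either repository: a Go check that lists upstream-safe sysctls the SCC layer would still reject unless an `allowedUnsafeSysctls` pattern covers them. The two lists are constructed to mirror the 4.14 counts given in the description (6 upstream, 5 in SCC); the `Drift` and `matches` helpers and the trailing-`*` prefix semantics are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed sample lists mirroring the 4.14 counts in the issue
// (6 upstream, 5 in SCC). Not copied from either repository.
var upstreamSafe = []string{
	"kernel.shm_rmid_forced", "net.ipv4.ip_local_port_range",
	"net.ipv4.tcp_syncookies", "net.ipv4.ping_group_range",
	"net.ipv4.ip_unprivileged_port_start", "net.ipv4.ip_local_reserved_ports",
}
var sccSafe = []string{
	"kernel.shm_rmid_forced", "net.ipv4.ip_local_port_range",
	"net.ipv4.tcp_syncookies", "net.ipv4.ping_group_range",
	"net.ipv4.ip_unprivileged_port_start",
}

// matches reports whether pattern covers name. A trailing "*" is treated
// as a prefix wildcard (assumed semantics for this example).
func matches(pattern, name string) bool {
	if strings.HasSuffix(pattern, "*") {
		return strings.HasPrefix(name, strings.TrimSuffix(pattern, "*"))
	}
	return pattern == name
}

// Drift returns the sysctls that are safe upstream but would still be
// treated as unsafe by the SCC layer: absent from scc and not covered by
// any allowedUnsafe pattern. The result is sorted for stable output.
func Drift(upstream, scc, allowedUnsafe []string) []string {
	var missing []string
	for _, name := range upstream {
		covered := false
		for _, p := range append(append([]string{}, scc...), allowedUnsafe...) {
			if matches(p, name) {
				covered = true
				break
			}
		}
		if !covered {
			missing = append(missing, name)
		}
	}
	sort.Strings(missing)
	return missing
}

func main() { fmt.Println(Drift(upstreamSafe, sccSafe, nil)) }
```

Run as a unit test against the real lists on each release branch, a non-empty result flags the kind of divergence this issue reports.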