  1. OpenShift Cloud
  2. OCPCLOUD-2008

Impact statement request for OCPBUGS-9971


    • Spike
    • Resolution: Done
    • Critical

      This card is only for the impact assessment of bug: OCPBUGS-9971

       
      Which 4.y.z to 4.y'.z' updates increase vulnerability?
      This issue occurs when a cluster was born on OCP 4.6 or below and has been upgraded to OCP 4.11.0 or any later release.

      Which types of clusters?
      Clusters installed on the AWS platform that have machinesets with IMDSv2 enabled.
      To find machinesets with IMDSv2 configured:

      oc get machines -n openshift-machine-api --field-selector spec.providerSpec.value.metadataServiceOptions.authentication=Required
      

      What is the impact? Is it serious enough to warrant removing update recommendations?
      An OCP cluster that was originally created from OCP 4.6.x and has been upgraded to 4.11.0 or any later release will see the issue.
      Because the CoreOS version used in OCP 4.6 and below does not support IMDSv2 [1], this functionality cannot be used in clusters that use such bootimages.
      As a result, machinesets where IMDSv2 is enabled cannot scale up. Machinesets where IMDSv2 is not configured are not impacted.

      [1] https://issues.redhat.com/browse/OCPBUGSM-20654

      How involved is remediation?
      To resolve the problem, the cluster bootimage needs to be updated to 4.7 or a later release.
      Alternatively, IMDSv2 can be disabled for machinesets.

      Is this a regression?
      No. For impacted clusters, the IMDSv2 feature of machinesets never worked.
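
The cluster and machineset criteria above can be checked together from exported JSON. This is an added example, not part of the original ticket or of OpenShift's own tooling; it assumes the oldest completed entry in ClusterVersion `status.history` is the version the cluster was born on, and the sample objects and names are constructed.

```python
import json

# Constructed sample data, trimmed to the fields the check reads.
# On a live cluster: oc get clusterversion version -o json
#                    oc get machinesets -n openshift-machine-api -o json
SAMPLE_CLUSTERVERSION = json.loads("""{"status": {"history": [
  {"version": "4.11.5", "state": "Completed", "startedTime": "2022-10-01T00:00:00Z"},
  {"version": "4.6.8",  "state": "Completed", "startedTime": "2020-12-01T00:00:00Z"}
]}}""")
SAMPLE_MACHINESETS = json.loads("""{"items": [
  {"metadata": {"name": "example-worker-a"}, "spec": {"template": {"spec": {"providerSpec":
    {"value": {"metadataServiceOptions": {"authentication": "Required"}}}}}}},
  {"metadata": {"name": "example-worker-b"}, "spec": {"template": {"spec": {"providerSpec": {"value": {}}}}}}
]}""")

def minor(version):
    """Return (major, minor) from a version string such as '4.6.8'."""
    major, minor_part = version.split(".")[:2]
    return int(major), int(minor_part)

def born_and_current(clusterversion):
    """Oldest and newest completed versions, ordered by startedTime."""
    done = [h for h in clusterversion["status"]["history"] if h.get("state") == "Completed"]
    if not done:
        raise ValueError("no completed entries in ClusterVersion history")
    done.sort(key=lambda h: h["startedTime"])
    return done[0]["version"], done[-1]["version"]

def imdsv2_machinesets(machinesets):
    """Names of machinesets whose machine template requires IMDSv2."""
    names = []
    for ms in machinesets.get("items", []):
        value = (ms.get("spec", {}).get("template", {}).get("spec", {})
                   .get("providerSpec", {}).get("value") or {})
        if (value.get("metadataServiceOptions") or {}).get("authentication") == "Required":
            names.append(ms["metadata"]["name"])
    return names

def assess(clusterversion, machinesets):
    """List IMDSv2 machinesets only if the cluster is born <= 4.6 and now >= 4.11."""
    born, current = born_and_current(clusterversion)
    in_range = minor(born) <= (4, 6) and minor(current) >= (4, 11)
    return {"born": born, "current": current,
            "machinesets": imdsv2_machinesets(machinesets) if in_range else []}

if __name__ == "__main__":
    print(assess(SAMPLE_CLUSTERVERSION, SAMPLE_MACHINESETS))
```

A match reflects the version criteria stated above; the check does not inspect the bootimage itself, so a cluster whose bootimage was already updated will still be listed.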

              dmoiseev Denis Moiseev (Inactive)
              lmohanty@redhat.com Lalatendu Mohanty