Spike
Resolution: Done
Critical
This card is only for the impact assessment of bug: OCPBUGS-9971
Which 4.y.z to 4.y'.z' updates increase vulnerability?
This issue occurs on clusters born on OCP 4.6 or earlier that have been updated to OCP 4.11.0 or any later release.
Which types of clusters?
Clusters installed on the AWS platform that have MachineSets with IMDSv2 enabled.
To find MachineSets with IMDSv2 configured (Machine and MachineSet are custom resources, and on the Kubernetes versions shipped with OCP 4.11 custom resources accept field selectors only on metadata.name and metadata.namespace, so the filter has to run client-side):
oc get machinesets -n openshift-machine-api -o jsonpath='{range .items[?(@.spec.template.spec.providerSpec.value.metadataServiceOptions.authentication=="Required")]}{.metadata.name}{"\n"}{end}'
What is the impact? Is it serious enough to warrant removing update recommendations?
Clusters originally installed from OCP 4.6.x or earlier that have been updated to 4.11.0 or any later release see the issue.
Because the CoreOS version used by OCP 4.6 and earlier does not support IMDSv2 [1], the feature cannot be used on clusters whose MachineSets still reference those boot images.
As a result, MachineSets with IMDSv2 enabled cannot scale up: the new Machines never boot. MachineSets without IMDSv2 configured are not impacted.
[1] https://issues.redhat.com/browse/OCPBUGSM-20654
How involved is remediation?
To resolve the problem, the boot image used by the affected MachineSets needs to be updated to one from 4.7 or a later release.
Alternatively, IMDSv2 can be disabled on the affected MachineSets by setting metadataServiceOptions.authentication to Optional. Note that this gives up the IMDSv2 hardening (IMDSv1 becomes reachable again from the instance), so updating the boot image is the preferable fix where possible.
Is this a regression?
No. On impacted clusters the IMDSv2 option of MachineSets has never worked.
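The assessment above combines three signals: the release the cluster was born on, the release it is running now, and whether a MachineSet requires IMDSv2. The following script is an added example (not code from this ticket or from the OpenShift project) that applies that logic to constructed ClusterVersion and MachineSet objects, and prints the `oc patch` command for the fallback remediation. It assumes that `.status.history` on the ClusterVersion object is ordered newest first, so the last entry is the installation version, and that the MachineSet field is `.spec.template.spec.providerSpec.value.metadataServiceOptions.authentication` with values `Required` / `Optional`; with `--live` it reads the real objects through `oc`.

```python
"""Impact check for OCPBUGS-9971: flag MachineSets that cannot scale because
they require IMDSv2 on a cluster born on OCP 4.6 or earlier.

Added example; not code from the ticket or the OpenShift project.
Assumptions: ClusterVersion .status.history is newest-first (last entry is
the install version); the MachineSet IMDSv2 field is
.spec.template.spec.providerSpec.value.metadataServiceOptions.authentication
with values "Required" / "Optional". Sample objects below are constructed.
"""
import json
import re
import subprocess
import sys
from typing import Any, Dict, List, Optional, Tuple

# Constructed stand-in for `oc get clusterversion version -o json`.
SAMPLE_CLUSTERVERSION: Dict[str, Any] = {
    "status": {
        "desired": {"version": "4.11.9"},
        "history": [  # newest first (assumption, see docstring)
            {"version": "4.11.9", "state": "Completed"},
            {"version": "4.10.30", "state": "Completed"},
            {"version": "4.6.44", "state": "Completed"},
        ],
    }
}


def _machineset(name: str, auth: Optional[str]) -> Dict[str, Any]:
    """Build a minimal constructed AWS MachineSet; auth=None leaves IMDSv2 unset."""
    value: Dict[str, Any] = {}
    if auth is not None:
        value["metadataServiceOptions"] = {"authentication": auth}
    return {
        "metadata": {"name": name, "namespace": "openshift-machine-api"},
        "spec": {"template": {"spec": {"providerSpec": {"value": value}}}},
    }


# Constructed stand-in for `oc get machinesets -n openshift-machine-api -o json`.
SAMPLE_MACHINESETS: List[Dict[str, Any]] = [
    _machineset("worker-us-east-1a", "Required"),  # IMDSv2 enforced: impacted
    _machineset("worker-us-east-1b", "Optional"),  # IMDSv1 allowed: not impacted
    _machineset("worker-us-east-1c", None),        # not configured: not impacted
]


def parse_minor(version: str) -> Tuple[int, int]:
    """'4.6.44' -> (4, 6); tolerates pre-release suffixes such as '4.11.0-rc.1'."""
    m = re.match(r"^(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised OCP version: {version!r}")
    return int(m.group(1)), int(m.group(2))


def install_version(clusterversion: Dict[str, Any]) -> str:
    """Release the cluster was born on: last history entry (newest-first assumption)."""
    return clusterversion["status"]["history"][-1]["version"]


def current_version(clusterversion: Dict[str, Any]) -> str:
    return clusterversion["status"]["desired"]["version"]


def imdsv2_required(machineset: Dict[str, Any]) -> bool:
    value = machineset["spec"]["template"]["spec"]["providerSpec"]["value"]
    return value.get("metadataServiceOptions", {}).get("authentication") == "Required"


def assess(clusterversion: Dict[str, Any], machinesets: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Apply the ticket's criteria: born <= 4.6, now >= 4.11, IMDSv2 Required."""
    born = parse_minor(install_version(clusterversion))
    now = parse_minor(current_version(clusterversion))
    old_bootimage = born <= (4, 6)     # boot image predates IMDSv2 support
    affected_release = now >= (4, 11)  # releases where the failure manifests
    exposed = old_bootimage and affected_release
    impacted = [m["metadata"]["name"] for m in machinesets if exposed and imdsv2_required(m)]
    return {
        "install_version": install_version(clusterversion),
        "current_version": current_version(clusterversion),
        "cluster_exposed": exposed,
        "impacted_machinesets": impacted,
    }


def disable_imdsv2_patch() -> str:
    """JSON merge patch body that turns IMDSv2 enforcement off (fallback remediation).

    This reopens IMDSv1 on new instances, so prefer updating the boot image.
    """
    value = {"metadataServiceOptions": {"authentication": "Optional"}}
    return json.dumps({"spec": {"template": {"spec": {"providerSpec": {"value": value}}}}})


def load_live() -> Tuple[Dict[str, Any], List[Dict[str, Any]]]:
    """Fetch the real objects with a logged-in `oc` (only used with --live)."""
    cv = json.loads(subprocess.check_output(["oc", "get", "clusterversion", "version", "-o", "json"]))
    ms = json.loads(subprocess.check_output(
        ["oc", "get", "machinesets", "-n", "openshift-machine-api", "-o", "json"]))
    return cv, ms["items"]


if __name__ == "__main__":
    cv, ms = load_live() if "--live" in sys.argv else (SAMPLE_CLUSTERVERSION, SAMPLE_MACHINESETS)
    result = assess(cv, ms)
    print(json.dumps(result, indent=2))
    for name in result["impacted_machinesets"]:
        print(f"oc patch machineset {name} -n openshift-machine-api --type merge -p '{disable_imdsv2_patch()}'")
```

Run without arguments to see the constructed case (one impacted MachineSet and its patch command); run with `--live` against a real cluster. The emitted patch is the "disable IMDSv2" fallback from the remediation section; on a cluster that still has a 4.6-era boot image, the boot image update remains the fix that keeps IMDSv2 enforced.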
blocks: OCPBUGS-9971 [AWS] Machine does not boot if IMDSv2 enabled via machineset and bootimage belong to Openshift's version lower than 4.7 (Closed)