OpenShift Runtimes / RUN-1668

Impact: 4.11 upgrade to 4.12, prometheus-operator-admission-webhook pod fails to start up due to "error loading seccomp filter into kernel: error loading seccomp filter: errno 524"


    • Type: Spike
    • Resolution: Done
    • Priority: Major

      ==============================================================================================================================

      This Jira is used to track and collect the impact statement for bug OCPBUGS-2637 from the respective component team

      ==============================================================================================================================
      Impact statement

      > Which 4.y.z to 4.y'.z' updates increase vulnerability? Which types of clusters?

      Only ARM64 clusters. 4.10 -> 4.11.z, for any z >= 0, until the bug is fixed in a 4.11.z release

      > What is the impact? Is it serious enough to warrant removing update recommendations?

      Especially in conditions consisting of a huge density of containers per node (>470), some containers can fail at creation time with a seccomp-related issue.

      CreateContainerFailed: init seccomp caused: error loading seccomp filter into kernel: loading seccomp filter: errno 524

      > How involved is remediation?

      Update to a 4.11.z release with the fix, to be announced in errata.

      > Any other possible remediation?

      Remove the seccompProfiles array from the restricted-v2 SecurityContextConstraint

      > Is this a regression?

      Yes, every OCP release from 4.11.0 onward includes a new SecurityContextConstraint, restricted-v2, that by default binds a seccompProfile to workloads.
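      The statement above gives a symptom (containers stuck at creation with "errno 524"), a trigger condition (dense ARM64 nodes, more than 470 containers) and a workaround (dropping seccompProfiles from restricted-v2). The following triage script is an added example, not code from this ticket or from OpenShift: it reads a pod list in the shape returned by `oc get pods -A -o json`, picks out containers whose waiting message carries the seccomp errno 524 error, reports container density per node against the 470 figure quoted in the impact statement, and shows the workaround as a transformation of an SCC object. The pod list and SCC document embedded below are constructed sample data; the pod name suffix and node names are invented. errno 524 is ENOTSUPP inside the Linux kernel, which is why the runtime prints a bare number rather than a symbolic name.

```python
"""Triage helper for the seccomp errno 524 container-creation failure.

Added example (not the ticket's or OpenShift's own code). Input shape mirrors
`oc get pods -A -o json`; all sample data below is constructed.
"""
import re
from collections import Counter

# errno 524 is ENOTSUPP in the Linux kernel (not a libc errno), so the
# container runtime reports it as a bare number.
ERRNO_ENOTSUPP = 524
SECCOMP_524_RE = re.compile(r"seccomp filter.*errno\s*524")
DENSITY_THRESHOLD = 470  # container-per-node figure from the impact statement


def find_seccomp_failures(pod_list):
    """Return (namespace, pod, container, node) for every container whose
    waiting message matches the seccomp errno 524 error."""
    hits = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        node = pod.get("spec", {}).get("nodeName", "<unscheduled>")
        for cs in pod.get("status", {}).get("containerStatuses", []):
            waiting = cs.get("state", {}).get("waiting") or {}
            if SECCOMP_524_RE.search(waiting.get("message", "")):
                hits.append((meta.get("namespace"), meta.get("name"),
                             cs.get("name"), node))
    return hits


def containers_per_node(pod_list):
    """Count scheduled containers (init + regular) per node so dense nodes
    can be spotted before an update rather than after pods fail."""
    counts = Counter()
    for pod in pod_list.get("items", []):
        spec = pod.get("spec", {})
        node = spec.get("nodeName")
        if not node:
            continue
        counts[node] += (len(spec.get("containers", []))
                         + len(spec.get("initContainers", [])))
    return counts


def dense_nodes(pod_list, threshold=DENSITY_THRESHOLD):
    """Nodes above the density at which the ticket reports failures."""
    return sorted(n for n, c in containers_per_node(pod_list).items()
                  if c > threshold)


def strip_seccomp_profiles(scc):
    """Workaround named in the ticket: return a copy of the SCC without its
    seccompProfiles array. Note that this also removes the default seccomp
    sandbox from every workload admitted under the SCC."""
    patched = dict(scc)
    patched.pop("seccompProfiles", None)
    return patched


# ---- constructed sample input -------------------------------------------
def _sample_pod(ns, name, node, waiting_msg=None):
    pod = {
        "metadata": {"namespace": ns, "name": name},
        "spec": {"nodeName": node, "containers": [{"name": "c0"}]},
        "status": {"containerStatuses": [{"name": "c0", "state": {"running": {}}}]},
    }
    if waiting_msg:
        pod["status"]["containerStatuses"][0]["state"] = {
            "waiting": {"reason": "CreateContainerError", "message": waiting_msg}}
    return pod


SAMPLE_PODS = {"items": [
    _sample_pod("openshift-monitoring", "prometheus-operator-admission-webhook-7d9f",
                "worker-arm64-0",
                waiting_msg="CreateContainerFailed: init seccomp caused: error loading "
                            "seccomp filter into kernel: loading seccomp filter: errno 524"),
    _sample_pod("default", "busybox", "worker-arm64-1"),
] + [_sample_pod("load", f"filler-{i}", "worker-arm64-0") for i in range(480)]}

SAMPLE_SCC = {  # constructed; mirrors the shape of an SCC object
    "apiVersion": "security.openshift.io/v1",
    "kind": "SecurityContextConstraints",
    "metadata": {"name": "restricted-v2"},
    "allowPrivilegeEscalation": False,
    "seccompProfiles": ["runtime/default"],
}

if __name__ == "__main__":
    for ns, pod, ctr, node in find_seccomp_failures(SAMPLE_PODS):
        print(f"seccomp errno {ERRNO_ENOTSUPP}: {ns}/{pod} container {ctr} on {node}")
    print("dense nodes:", dense_nodes(SAMPLE_PODS))
    print("SCC without seccompProfiles:", strip_seccomp_profiles(SAMPLE_SCC))
```

      Run against a real cluster by piping `oc get pods -A -o json` into `json.load` and passing the result to the three pod functions; the density check is the one worth running before starting the 4.11.z update on an ARM64 cluster, since the failure is reported to appear only on dense nodes.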

      ===============================================================================================================================
      Impact assessment questions

      We're asking the following questions to evaluate whether or not OCPBUGS-2637 warrants changing update recommendations from either the previous X.Y or X.Y.Z. The ultimate goal is to avoid delivering an update that introduces new risks or reduces cluster functionality in any way. Sample answers are provided to give more context and the ImpactStatementRequested label has been added to OCPBUGS-2637. When responding, please move this ticket to Code Review. The expectation is that the OCPBUGS-2637 assignee answers these questions.

      Which 4.y.z to 4.y'.z' updates increase vulnerability? Which types of clusters?

      What is the impact? Is it serious enough to warrant removing update recommendations?

      How involved is remediation?

      Is this a regression?

            People: Andy McCrae (amccrae), Pratik Mahajan (pratikam)
            Votes: 0
            Watchers: 7
