Loading...

XML

Word

Printable

Type: Spike
Resolution: Done
Priority: Critical
Fix Version/s: None
Affects Version/s: None
Component/s: None
Labels:
- UpgradeBlocker

Blocked:
False
Blocked Reason:
None
Ready:
False
[QE] How to address?:
---
Intelligence Requested:
Market:

Cost of Delay:
0
WSJF:
0

SFDC Cases Links:
SFDC Cases Counter:
SFDC Cases Open:

Impact of the OCPBUGS-28920 series:

Which 4.y.z to 4.y'.z' updates increase vulnerability?

Upgrades from 4.11 and 4.12.x<48 to 4.12.48+
Upgrades from 4.12.x<48 and 4.13.x<29 to 4.13.30+
Upgrades from 4.13.x<30 and 4.14.x<9 to 4.14.9+ are not exposed.
Upgrades from 4.14.x<9 to 4.15.0-rc.1+ are not exposed.

Which types of clusters?

Clusters with ingress controller config EndpointPublishingStrategy=HostNetwork AND using Network policies with rule policy-group.network.openshift.io/ingress: ""
Only clusters on non-cloud platforms use the HostNetwork endpoint publishing strategy: None, BareMetal, VSphere, OpenStack, Nutanix, Libvirt, KubeVirt, EquinixMetal, and External and therefore are affected if they use NetworkPolicies with rule policy-group.network.openshift.io/ingress: ""
Clusters on cloud platforms use LoadBalancer endpoint publishing strategy: Alibaba, AWS, Azure, GCP, IBMCloud, and PowerVS, so these platforms are NOT affected

What is the impact? Is it serious enough to warrant removing update recommendations?

Namespaces that allowed incoming connections from the router pods with a given network policy rule ^ will block them after upgrade, which may lead to different disruptions (based on what those pods were doing, but considering they created this network policy in the first place, they are likely to be affected)

How involved is remediation?

there are multiple workarounds listed https://access.redhat.com/solutions/7055050

Is this a regression?

Yes, the the list where it was introduced:
- 4.13.30 https://issues.redhat.com/browse/OCPBUGS-22293
- 4.12.48 https://issues.redhat.com/browse/OCPBUGS-24039
Related changes are also present in other minor versions but these were confirmed to be not affected by the bug, listing them here for informational purposes:
- 4.16.0-ec.0 https://issues.redhat.com/browse/OCPBUGS-24691
- 4.15.0-rc.1 https://issues.redhat.com/browse/OCPBUGS-24036
- 4.14.9 https://issues.redhat.com/browse/OCPBUGS-24037
- 4.14.0+ since https://issues.redhat.com//browse/OCPBUGS-8070 may have a similar, but less severe problem (namespace labels may also flip, but less often)

blocks

OCPBUGS-28920 OCP 4.13.30 - allow-from-ingress NetworkPolicy does not consistently allow traffic from HostNetworked pods or from node IP's (packet timeout)