API-1687: modify EarlyAPICertRotation risk to include promql #4864
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
openshift-ci
bot
added
the
approved
PratikMahajan
force-pushed
the
earlyapicertrotation-extend-promql
branch
4 times, most recently
from
2045e63
to
55e0625
Compare
sdodson
reviewed
Feb 29, 2024
| url: https://issues.redhat.com/browse/API-1687 | ||
| name: EarlyAPICertRotation | ||
| message: Clusters older than around one month will trigger an api-int certificate authority rollout, and bugs in that rollout may break kubelet access to the Kubernetes API service. | ||
| message: Clusters born in 4.6 and earlier will trigger an api-int certificate authority rollout, and bugs in that rollout may break kubelet access to the Kubernetes API service. |
There was a problem hiding this comment.
Some of the discussion indicated that we believe some early 4.7.z are also vulnerable. Can we change this to just say 4.7? No need to be precise about 4.7.z given we're only able to write promql that applies to 4.9 and earlier.
PratikMahajan
force-pushed
the
earlyapicertrotation-extend-promql
branch
2 times, most recently
from
63e989f
to
6f7f81e
Compare
All clusters originally installed on OpenShift Container Platform (OCP) version 4.7 or earlier. Clusters installed on 4.8 or later and new 4.15 installs are unaffected. due to history pruning in the CVO we cannot reliably detect born in versions less than 4.9. Therefore the conditional update rule will be updated to omit update recommendations in all clusters born in 4.9 or earlier
PratikMahajan
force-pushed
the
earlyapicertrotation-extend-promql
branch
from
6f7f81e
to
d9f27b6
Compare
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: PratikMahajan, wking The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
Ran the metrics on old and new cluster to confirm that it works |
openshift-merge-bot
bot
merged commit 7a0a8d2
into
openshift:master
4 of 5 checks passed
|
/retitle API-1687: modify EarlyAPICertRotation risk to include promql |
openshift-ci
bot
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
All clusters originally installed on OpenShift Container Platform (OCP) version 4.7 or earlier. Clusters installed on 4.8 or later and new 4.15 installs are unaffected.
due to history pruning in the CVO we cannot reliably detect born in versions less than 4.9.
Therefore the conditional update rule will be updated to omit update recommendations in all clusters born in 4.9 or earlier