Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Tighten the rules for modifying Tuned Profiles
NTO operands allow updating Tuned Profiles. This is intentional and by design, as some host information needs to be communicated back to the NTO operator, but this also allows a successful local attacker to potentially affect node-level configuration of other cluster nodes.

This change addresses the situation in two ways. First, scoped RBAC permissions on the Profile.status subresource are used to disallow Node-level write access to Profile.spec. Second, the Node resource is used to provide status loops back to NTO, using the kubelet credential to write an annotation to the Node resource.

This change also simplifies the mechanism for accepting kernel command-line parameters as calculated by the NTO operands. Now, all NTO operands must agree on the calculated kernel command-line parameters.

ClusterOperator/node-tuning now also reports the operand version. The operand version changes only when all operand replicas have successfully upgraded and are ready. This information is used to block the PPC Reconciliation loop until the operator and operand RELEASE_VERSION agree. This is a short-term measure to prevent multiple node reboots during upgrades.

Other fixes:
- Disallow MC updates during upgrades when kernel command-line parameters of nodes within an MCP do not match.
- The ClusterOperator/node-tuning object was sometimes giving false information based on an old Metadata.Generation.

Resolves: OCPBUGS-17585
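The RBAC narrowing the commit message describes (write access only through the Profile status subresource) is shown below as an added illustration; this is not code from the cluster-node-tuning-operator repository or from this commit. The API group `tuned.openshift.io`, the ClusterRole names and the service account are assumptions made for the example; the "before" rule is a plausible over-broad grant, not a claim about what the repository previously shipped.

```yaml
# Added illustration, not the project's own manifests. The API group
# tuned.openshift.io and the ClusterRole names are assumptions.

# BEFORE (weak): the per-node operand's service account may update the whole
# Profile object. A compromised node holding this credential can rewrite
# Profile.spec, including Profiles belonging to other nodes, and the operator
# would then act on that spec.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: example-tuned-operand-before
rules:
- apiGroups: ["tuned.openshift.io"]
  resources: ["profiles"]
  verbs: ["get", "list", "watch", "update", "patch"]
---
# AFTER (scoped): write verbs are granted only on the status subresource.
# kube-apiserver authorizes a request to .../profiles/<name>/status with
# resource=profiles, subresource=status, so this rule does not allow PUT or
# PATCH on the main resource. Writes through /status also ignore any change
# to .spec, so the node can still report status while .spec is read-only to it.
# The Profile CRD must declare `subresources: {status: {}}` for this to apply.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: example-tuned-operand-after
rules:
- apiGroups: ["tuned.openshift.io"]
  resources: ["profiles"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["tuned.openshift.io"]
  resources: ["profiles/status"]
  verbs: ["update", "patch"]
```

To check the effect of the scoped role on a live cluster, impersonate the operand's service account (assumed name): `kubectl auth can-i update profiles.tuned.openshift.io --as=system:serviceaccount:openshift-cluster-node-tuning-operator/tuned` should answer `no`, while the same command with `--subresource=status` should answer `yes`. This covers only the first of the two measures in the commit message; the second, reporting through a Node annotation with the kubelet credential, relies on the NodeRestriction admission plugin, which limits a kubelet to modifying its own Node object.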
Showing 14 changed files with 317 additions and 131 deletions.