New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OCPBUGS-17941: Tighten the rules for modifying Tuned Profiles #766
OCPBUGS-17941: Tighten the rules for modifying Tuned Profiles #766
Conversation
@jmencak: GitHub didn't allow me to request PR reviews from the following users: jmencak. Note that only openshift members and repo collaborators can review this PR, and authors cannot review their own PRs. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: jmencak The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/cc @dagrayvid |
/hold |
NTO operands allow updating Tuned Profiles. This is intentional and by design as some host information needs to be communicated back to the NTO operator, but this also allows a successful local attacker potentially affect node-level configuration of other cluster nodes. This change addresses the situation in two ways. First, scoped RBAC permissions on Profile.status subresource is used to disallow Node-level write access to Profile.spec. Second, the Node resource is used to provide status loops back to NTO using the kubelet credential to write an annotation to the Node resource. This change also simplifies the mechanism for accepting kernel command-line parameters as calculated by the NTO operands. Now, all NTO operands must agree on the calculated kernel command-line parameters. ClusterOperator/node-tuning now also reports operand version. The operand version changes only when all operand replicas have successfully upgraded and are ready. This information is used to block PPC Reconcilation loop until the operator and operand RELEASE_VERSION agree. This is a short-term measure to prevent from multiple node reboots during upgrades. Other fixes: - Disallow MC updates during upgrades when kernel command-line parameters of nodes within a MCP do not match. - ClusterOperator/node-tuning object was sometimes giving false information based on an old Metadata.Generation. Resolves: OCPBUGS-17941
c57e22a
to
4ea760d
Compare
@jmencak: This pull request references Jira Issue OCPBUGS-17941, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@jmencak: This pull request references Jira Issue OCPBUGS-17941, which is invalid:
Comment In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/payload-aggregate periodic-ci-openshift-release-master-ci-4.14-upgrade-from-stable-4.13-e2e-gcp-ovn-rt-upgrade 10 |
@jmencak: trigger 1 job(s) for the /payload-(job|aggregate) command
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/5df55560-4b20-11ee-8463-642b1079c525-0 |
/retest |
@jmencak: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
/jira refresh |
@jmencak: This pull request references Jira Issue OCPBUGS-17941, which is valid. The bug has been moved to the POST state. 6 validation(s) were run on this bug
No GitHub users were found matching the public email listed for the QA contact in Jira (liqcui@redhat.com), skipping review request. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@dagrayvid , when you have a minute, would you be able to review this backport of: #775 ? Thank you. |
Sorry for the delay! /lgtm |
Thank you David. |
/label cherry-pick-approved |
/hold cancel |
45ba090
into
openshift:release-4.13
@jmencak: Jira Issue OCPBUGS-17941: All pull requests linked via external trackers have merged: Jira Issue OCPBUGS-17941 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
This reverts commit 45ba090.
openshift#766 introduced a fix for OCPBUGS-17941 by tightening the rules for modifying Tuned Profiles. Unfortunately, the fix introduced an upgrade issue (race), where the old operator still relies on removed Profile status.bootcmdline. Reintroduce the field for the old operator, so that it does not cause additional reboots by seeing the bootcmdline as empty. The status.bootcmdline field is not used in any way by the new operator, it is marked as obsolete and will be removed in the future. Resolves: OCPBUGS-19351
#766 introduced a fix for OCPBUGS-17941 by tightening the rules for modifying Tuned Profiles. Unfortunately, the fix introduced an upgrade issue (race), where the old operator still relies on removed Profile status.bootcmdline. Reintroduce the field for the old operator, so that it does not cause additional reboots by seeing the bootcmdline as empty. The status.bootcmdline field is not used in any way by the new operator, it is marked as obsolete and will be removed in the future. Resolves: OCPBUGS-19351 Co-authored-by: Jiri Mencak <jmencak@users.noreply.github.com>
NTO operands allow updating Tuned Profiles. This is intentional and by design
as some host information needs to be communicated back to the NTO operator,
but this also allows a successful local attacker potentially affect node-level
configuration of other cluster nodes.
This change addresses the situation in two ways. First, scoped RBAC
permissions on Profile.status subresource is used to disallow Node-level
write access to Profile.spec. Second, the Node resource is used to provide
status loops back to NTO using the kubelet credential to write an annotation
to the Node resource.
This change also simplifies the mechanism for accepting kernel
command-line parameters as calculated by the NTO operands. Now, all NTO
operands must agree on the calculated kernel command-line parameters.
ClusterOperator/node-tuning now also reports operand version. The
operand version changes only when all operand replicas have successfully
upgraded and are ready. This information is used to block PPC
Reconcilation loop until the operator and operand RELEASE_VERSION agree.
This is a short-term measure to prevent from multiple node reboots
during upgrades.
Other fixes:
parameters of nodes within a MCP do not match.
information based on an old Metadata.Generation.
Resolves: OCPBUGS-17941
This is a backport of #775