OCPBUGS-17585: Tighten the rules for modifying Tuned Profiles

[jmencak]

NTO operands allow updating Tuned Profiles. This is intentional and by design
as some host information needs to be communicated back to the NTO operator,
but this also allows a successful local attacker potentially affect node-level
configuration of other cluster nodes.

This change addresses the situation in two ways. First, scoped RBAC
permissions on Profile.status subresource is used to disallow Node-level
write access to Profile.spec. Second, the Node resource is used to provide
status loops back to NTO using the kubelet credential to write an annotation
to the Node resource.

This change also simplifies the mechanism for accepting kernel
command-line parameters as calculated by the NTO operands. Now, all NTO
operands must agree on the calculated kernel command-line parameters.

ClusterOperator/node-tuning now also reports operand version. The
operand version changes only when all operand replicas have successfully
upgraded and are ready. This information is used to block PPC
Reconcilation loop until the operator and operand RELEASE_VERSION agree.
This is a short-term measure to prevent from multiple node reboots
during upgrades.

Other fixes:

• Disallow MC updates during upgrades when kernel command-line
  parameters of nodes within a MCP do not match.
• ClusterOperator/node-tuning object was sometimes giving false
  information based on an old Metadata.Generation.

Resolves: OCPBUGS-17585

[openshift-ci]

@jmencak: GitHub didn't allow me to request PR reviews from the following users: jmencak.

Note that only openshift members and repo collaborators can review this PR, and authors cannot review their own PRs.

In response to this:

NTO operands allow updating Tuned Profiles. This is intentional and by design
as some host information needs to be communicated back to the NTO operator,
but this also allows a successful local attacker potentially affect node-level
configuration of other cluster nodes.

This change addresses the situation in two ways. First, scoped RBAC
permissions on Profile.status subresource is used to disallow Node-level
write access to Profile.spec. Second, the Node resource is used to provide
status loops back to NTO using the kubelet credential to write an annotation
to the Node resource.

Resolves: OCPBUGS-17585

/cc

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[jmencak]

/payload-aggregate periodic-ci-openshift-release-master-ci-4.14-upgrade-from-stable-4.13-e2e-gcp-ovn-rt-upgrade 10

[openshift-ci]

@jmencak: trigger 1 job(s) for the /payload-(job|aggregate) command

• periodic-ci-openshift-release-master-ci-4.14-upgrade-from-stable-4.13-e2e-gcp-ovn-rt-upgrade

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/4c0e1b00-4668-11ee-83f0-1bac13c94f74-0

[openshift-ci]

@jmencak: The specified target(s) for /test were not found.
The following commands are available to trigger required jobs:

• /test e2e-aws-operator
• /test e2e-aws-ovn
• /test e2e-gcp-pao
• /test e2e-gcp-pao-updating-profile
• /test e2e-gcp-pao-workloadhints
• /test e2e-hypershift
• /test e2e-no-cluster
• /test e2e-upgrade
• /test images
• /test unit
• /test verify
• /test vet

Use /test all to run all jobs.

In response to this:

/test ci/prow/e2e-gcp-pao-updating-profile

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[jmencak]

/retest

[jmencak]

/payload-aggregate periodic-ci-openshift-release-master-ci-4.14-upgrade-from-stable-4.13-e2e-gcp-ovn-rt-upgrade 10

[openshift-ci]

@jmencak: trigger 1 job(s) for the /payload-(job|aggregate) command

• periodic-ci-openshift-release-master-ci-4.14-upgrade-from-stable-4.13-e2e-gcp-ovn-rt-upgrade

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/829adea0-46fa-11ee-9c97-6d9651431b8b-0

[jmencak]

/cc @MarSik
As discussed on Monday, only block PPC reconciliation loop on upgrades. I've intentionally split this PR into 2 commits. The first one was already reviewed by @dagrayvid . Please take a look at mostly the parts affecting PPC.

[openshift-ci-robot]

@jmencak: This pull request references Jira Issue OCPBUGS-17585, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.14.0) matches configured target version for branch (4.14.0)
• bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

No GitHub users were found matching the public email listed for the QA contact in Jira (liqcui@redhat.com), skipping review request.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

NTO operands allow updating Tuned Profiles. This is intentional and by design
as some host information needs to be communicated back to the NTO operator,
but this also allows a successful lTighten the rules for modifying Tuned Profiles

NTO operands allow updating Tuned Profiles. This is intentional and by design
as some host information needs to be communicated back to the NTO operator,
but this also allows a successful local attacker potentially affect node-level
configuration of other cluster nodes.

This change addresses the situation in two ways. First, scoped RBAC
permissions on Profile.status subresource is used to disallow Node-level
write access to Profile.spec. Second, the Node resource is used to provide
status loops back to NTO using the kubelet credential to write an annotation
to the Node resource.

This change also simplifies the mechanism for accepting kernel
command-line parameters as calculated by the NTO operands. Now, all NTO
operands must agree on the calculated kernel command-line parameters.

ClusterOperator/node-tuning now also reports operand version. The
operand version changes only when all operand replicas have successfully
upgraded and are ready. This information is used to block PPC
Reconcilation loop until the operator and operand RELEASE_VERSION agree.
This is a short-term measure to prevent from multiple node reboots
during upgrades.

Other fixes:

• Disallow MC updates during upgrades when kernel command-line
  parameters of nodes within a MCP do not match.
• ClusterOperator/node-tuning object was sometimes giving false
  information based on an old Metadata.Generation.

Resolves: OCPBUGS-17585

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[jmencak]

/payload-aggregate periodic-ci-openshift-release-master-ci-4.14-upgrade-from-stable-4.13-e2e-gcp-ovn-rt-upgrade 10

[openshift-ci]

@jmencak: trigger 1 job(s) for the /payload-(job|aggregate) command

• periodic-ci-openshift-release-master-ci-4.14-upgrade-from-stable-4.13-e2e-gcp-ovn-rt-upgrade

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/9e0ccd00-4732-11ee-97fb-2046709d4fbf-0

[openshift-ci-robot]

@jmencak: This pull request references Jira Issue OCPBUGS-17585, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.14.0) matches configured target version for branch (4.14.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

No GitHub users were found matching the public email listed for the QA contact in Jira (liqcui@redhat.com), skipping review request.

In response to this:

NTO operands allow updating Tuned Profiles. This is intentional and by design
as some host information needs to be communicated back to the NTO operator,
but this also allows a successful local attacker potentially affect node-level
configuration of other cluster nodes.

This change addresses the situation in two ways. First, scoped RBAC
permissions on Profile.status subresource is used to disallow Node-level
write access to Profile.spec. Second, the Node resource is used to provide
status loops back to NTO using the kubelet credential to write an annotation
to the Node resource.

This change also simplifies the mechanism for accepting kernel
command-line parameters as calculated by the NTO operands. Now, all NTO
operands must agree on the calculated kernel command-line parameters.

ClusterOperator/node-tuning now also reports operand version. The
operand version changes only when all operand replicas have successfully
upgraded and are ready. This information is used to block PPC
Reconcilation loop until the operator and operand RELEASE_VERSION agree.
This is a short-term measure to prevent from multiple node reboots
during upgrades.

Other fixes:

• Disallow MC updates during upgrades when kernel command-line
  parameters of nodes within a MCP do not match.
• ClusterOperator/node-tuning object was sometimes giving false
  information based on an old Metadata.Generation.

Resolves: OCPBUGS-17585

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci]

@jmencak: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[jmencak]

@MarSik, all tests passed and the blocking job also succeeded successfully all 3 times I tried. I belive I've hopefully also addressed your concerns.

[MarSik]

Will this propagate to the Status section of the Tuned object?

[jmencak]

Not sure what you mean. Tuned CR/object doesn't really use status.

[MarSik]

/lgtm

I like it, just make sure the user will be visibly informed when the nodes do not agree and update is blocked. The same about the version mismatch, we should report that in the status (probably as a condition).

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jmencak, MarSik

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [MarSik,jmencak]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[jmencak]

I like it, just make sure the user will be visibly informed when the nodes do not agree and update is blocked. The same about the version mismatch, we should report that in the status (probably as a condition).

Let's do this as a follow up PR, this needs to get in.

/label acknowledge-critical-fixes-only

[openshift-ci-robot]

@jmencak: Jira Issue OCPBUGS-17585: All pull requests linked via external trackers have merged:

• openshift/cluster-node-tuning-operator#765
• openshift/cluster-node-tuning-operator#775

Jira Issue OCPBUGS-17585 has been moved to the MODIFIED state.

In response to this:

NTO operands allow updating Tuned Profiles. This is intentional and by design
as some host information needs to be communicated back to the NTO operator,
but this also allows a successful local attacker potentially affect node-level
configuration of other cluster nodes.

This change addresses the situation in two ways. First, scoped RBAC
permissions on Profile.status subresource is used to disallow Node-level
write access to Profile.spec. Second, the Node resource is used to provide
status loops back to NTO using the kubelet credential to write an annotation
to the Node resource.

This change also simplifies the mechanism for accepting kernel
command-line parameters as calculated by the NTO operands. Now, all NTO
operands must agree on the calculated kernel command-line parameters.

ClusterOperator/node-tuning now also reports operand version. The
operand version changes only when all operand replicas have successfully
upgraded and are ready. This information is used to block PPC
Reconcilation loop until the operator and operand RELEASE_VERSION agree.
This is a short-term measure to prevent from multiple node reboots
during upgrades.

Other fixes:

• Disallow MC updates during upgrades when kernel command-line
  parameters of nodes within a MCP do not match.
• ClusterOperator/node-tuning object was sometimes giving false
  information based on an old Metadata.Generation.

Resolves: OCPBUGS-17585

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.