Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

HOSTEDCP-1941: blocked-edges/*HyperShiftNodePoolSkewBinaryDownload: Declare new risk for 4.15.(z>=23) and 4.16.(z>=4) #5819

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

HOSTEDCP-1941: blocked-edges/*HyperShiftNodePoolSkewBinaryDownload: Declare new risk for 4.15.(z>=23) and 4.16.(z>=4) #5819

wants to merge 2 commits into from

Conversation

wking
Copy link
Member

@wking wking commented Aug 30, 2024
edited
Loading

Generated by writing the 4.15.23 an 4.16.4 files by hand and copying them out with:

$ curl -s 'https://api.openshift.com/api/upgrades_info/graph?channel=candidate-4.15&arch=amd64' | jq -r '.nodes[] | .version' | grep '^4[.]15[.]\(2[4-9]\|[3-9][0-9]\)$' | while read VERSION; do sed "s/4.15.23/${VERSION}/" blocked-edges/4.15.23-HyperShiftNodePoolSkewBinaryDownload.yaml > "blocked-edges/${VERSION}-HyperShiftNodePoolSkewBinaryDownload.yaml"; done
$ curl -s 'https://api.openshift.com/api/upgrades_info/graph?channel=candidate-4.16&arch=amd64' | jq -r '.nodes[] | .version' | grep '^4[.]16[.]\([5-9]\|[1-9][0-9]\)$' | while read VERSION; do sed "s/4.16.4/${VERSION}/" blocked-edges/4.16.4-HyperShiftNodePoolSkewBinaryDownload.yaml > "blocked-edges/${VERSION}-HyperShiftNodePoolSkewBinaryDownload.yaml"; done

I'm not aware of PromQL for "what version NodePools are attached to this cluster?", but if that PromQL does exist, it would likely reduce the scope of matching clusters considerably.

@wking wking changed the title blocked-edges/*HyperShiftNodePoolSkewBinaryDownload: Declare new risk for 4.15.(z>=23) and 4.16.(z>=4) HOSTEDCP-1941: blocked-edges/*HyperShiftNodePoolSkewBinaryDownload: Declare new risk for 4.15.(z>=23) and 4.16.(z>=4) Aug 30, 2024
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Aug 30, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: wking

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Aug 30, 2024
@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 30, 2024
@openshift-ci-robot
Copy link

openshift-ci-robot commented Aug 30, 2024
edited by openshift-ci bot
Loading

@wking: This pull request references HOSTEDCP-1941 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the spike to target the "4.18.0" version, but no target version was set.

In response to this:

Generated by writing the 4.15.23 an 4.16.4 files by hand and copying them out with:

$ curl -s 'https://api.openshift.com/api/upgrades_info/graph?channel=candidate-4.15&arch=amd64' | jq -r '.nodes[] | .version' | grep '^4[.]15[.]\(2[4-9]\|[3-9][0-9]\)$' | while read VERSION; do sed "s/4.15.23/${VERSION}/" blocked-edges/4.15.23-HyperShiftNodePoolSkewBinaryDownload.yaml > "blocked-edges/${VERSION}-HyperShiftNodePoolSkewBinaryDownload.yaml"; done
$ curl -s 'https://api.openshift.com/api/upgrades_info/graph?channel=candidate-4.16&arch=amd64' | jq -r '.nodes[] | .version' | grep '^4[.]16[.]\([5-9]\|[1-9][0-9]\)$' | while read VERSION; do sed "s/4.16.4/${VERSION}/"
blocked-edges/4.16.4-HyperShiftNodePoolSkewBinaryDownload.yaml > "blocked-edges/${VERSION}-HyperShiftNodePoolSkewBinaryDownload.yaml"; done

I'm not aware of PromQL for "what version NodePools are attached to this cluster?", but if that PromQL does exist, it would likely reduce the scope of matching clusters considerably.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@wking
Copy link
Member Author

wking commented Aug 30, 2024

/hold waiting for HyperShift folks to post an impact statement to https://issues.redhat.com/browse/HOSTEDCP-1941 , in case I'm misunderstanding exposure

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Aug 30, 2024
@wking
Copy link
Member Author

wking commented Aug 30, 2024

The impact statement is populated in HOSTEDCP-1941.

/hold cancel

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Aug 30, 2024
@openshift-ci-robot
Copy link

openshift-ci-robot commented Aug 30, 2024
edited by openshift-ci bot
Loading

@wking: This pull request references HOSTEDCP-1941 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the spike to target the "4.18.0" version, but no target version was set.

In response to this:

Generated by writing the 4.15.23 an 4.16.4 files by hand and copying them out with:

$ curl -s 'https://api.openshift.com/api/upgrades_info/graph?channel=candidate-4.15&arch=amd64' | jq -r '.nodes[] | .version' | grep '^4[.]15[.]\(2[4-9]\|[3-9][0-9]\)$' | while read VERSION; do sed "s/4.15.23/${VERSION}/" blocked-edges/4.15.23-HyperShiftNodePoolSkewBinaryDownload.yaml > "blocked-edges/${VERSION}-HyperShiftNodePoolSkewBinaryDownload.yaml"; done
$ curl -s 'https://api.openshift.com/api/upgrades_info/graph?channel=candidate-4.16&arch=amd64' | jq -r '.nodes[] | .version' | grep '^4[.]16[.]\([5-9]\|[1-9][0-9]\)$' | while read VERSION; do sed "s/4.16.4/${VERSION}/" blocked-edges/4.16.4-HyperShiftNodePoolSkewBinaryDownload.yaml > "blocked-edges/${VERSION}-HyperShiftNodePoolSkewBinaryDownload.yaml"; done

I'm not aware of PromQL for "what version NodePools are attached to this cluster?", but if that PromQL does exist, it would likely reduce the scope of matching clusters considerably.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@jewzaam
Copy link
Member

jewzaam commented Aug 30, 2024

/hold

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Aug 30, 2024
@wking wking force-pushed the HyperShiftNodePoolSkewBinaryDownload branch 2 times, most recently from 0584e44 to 9c1bc35 Compare August 30, 2024 18:05
@wking
Copy link
Member Author

wking commented Aug 30, 2024
edited
Loading

Testing my regexps, these all look like they're working the way we want based on the impact statement's:

Which 4.y.z to 4.y'.z' updates increase vulnerability?
Any upgrade of the Hosted Clusters from 4.15.22 or 4.16.3 to 4.15.23+ or 4.16.4+

$ hack/show-edges.py candidate-4.15 | grep ' 4[.]15[.]24' | sort -V
4.14.16 -(risks: HyperShiftKubeAPIPort443, HyperShiftNodePoolSkewBinaryDownload, OVNIPsecPausedMCPConnectivity)-> 4.15.24
...
4.14.33 -(risks: HyperShiftKubeAPIPort443, HyperShiftNodePoolSkewBinaryDownload, OVNIPsecPausedMCPConnectivity)-> 4.15.24
4.15.0 -(risks: HyperShiftKubeAPIPort443, HyperShiftNodePoolSkewBinaryDownload)-> 4.15.24
...
4.15.22 -(risks: HyperShiftNodePoolSkewBinaryDownload)-> 4.15.24
4.15.23 -> 4.15.24
$ hack/show-edges.py candidate-4.16 | grep ' 4[.]16[.]5$' | sort -V
4.15.18 -(risks: HyperShiftNodePoolSkewBinaryDownload)-> 4.16.5
...
4.15.22 -(risks: HyperShiftNodePoolSkewBinaryDownload)-> 4.16.5
4.15.23 -> 4.16.5
4.15.24 -> 4.16.5
4.16.0 -(risks: HyperShiftNodePoolSkewBinaryDownload)-> 4.16.5
...
4.16.3 -(risks: HyperShiftNodePoolSkewBinaryDownload)-> 4.16.5
4.16.4 -> 4.16.5
$ hack/show-edges.py candidate-4.16 | grep ' 4[.]16[.]10$' | sort -V
4.15.18 -(risks: HyperShiftNodePoolSkewBinaryDownload)-> 4.16.10
...
4.15.22 -(risks: HyperShiftNodePoolSkewBinaryDownload)-> 4.16.10
4.15.23 -> 4.16.10
...
4.15.30 -> 4.16.10
4.16.0 -(risks: HyperShiftNodePoolSkewBinaryDownload)-> 4.16.10
...
4.16.3 -(risks: HyperShiftNodePoolSkewBinaryDownload)-> 4.16.10
4.16.4 -> 4.16.10
...
4.16.9 -> 4.16.10

@sdodson
Copy link
Member

sdodson commented Aug 30, 2024

/hold
Just an additional vote for waiting to move this forward.

@wking
blocked-edges/*HyperShiftNodePoolSkewBinaryDownload: Declare new risk…
84e4462 
… for 4.15.(z>=23) and 4.16.(z>=4)

Generated by writing the 4.15.23 an 4.16.4 files by hand and copying
them out with:

  $ curl -s 'https://api.openshift.com/api/upgrades_info/graph?channel=candidate-4.15&arch=amd64' | jq -r '.nodes[] | .version' | grep '^4[.]15[.]\(2[4-9]\|[3-9][0-9]\)$' | while read VERSION; do sed "s/4.15.23/${VERSION}/" blocked-edges/4.15.23-HyperShiftNodePoolSkewBinaryDownload.yaml > "blocked-edges/${VERSION}-HyperShiftNodePoolSkewBinaryDownload.yaml"; done
  $ curl -s 'https://api.openshift.com/api/upgrades_info/graph?channel=candidate-4.16&arch=amd64' | jq -r '.nodes[] | .version' | grep '^4[.]16[.]\([5-9]\|[1-9][0-9]\)$' | while read VERSION; do sed "s/4.16.4/${VERSION}/" blocked-edges/4.16.4-HyperShiftNodePoolSkewBinaryDownload.yaml > "blocked-edges/${VERSION}-HyperShiftNodePoolSkewBinaryDownload.yaml"; done

I'm not aware of PromQL for "what version NodePools are attached to
this cluster?", but if that PromQL does exist, it would likely reduce
the scope of matching clusters considerably.
@wking
blocked-edges/*-HyperShiftNodePoolSkewBinaryDownload: Fixed in 4.16.1…
24a3907 
…1 and 4.15.31

https://issues.redhat.com/browse/OCPBUGS-39447?focusedId=25555670&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-25555670
https://issues.redhat.com/browse/OCPBUGS-39463?focusedId=25552747&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-25552747
@wking wking force-pushed the HyperShiftNodePoolSkewBinaryDownload branch from 9c1bc35 to 24a3907 Compare September 13, 2024 22:46
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Sep 13, 2024

@wking: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@LalatenduMohanty LalatenduMohanty Awaiting requested review from LalatenduMohanty

@petr-muller petr-muller Awaiting requested review from petr-muller

Assignees
No one assigned
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@wking @openshift-ci-robot @jewzaam @sdodson