Bug 1756453

Summary: User upgrading a cluster from 4.1 to 4.2 before official release may bypass security protection
Product: OpenShift Container Platform Reporter: Clayton Coleman <ccoleman>
Component: ocAssignee: Clayton Coleman <ccoleman>
Status: CLOSED ERRATA QA Contact: liujia <jiajliu>
Severity: high Docs Contact:
Priority: unspecified    
Version: 4.3.0CC: aos-bugs, esimard, jokerman, mfojtik, xxia
Target Milestone: ---   
Target Release: 4.3.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1756454 (view as bug list) Environment:
Last Closed: 2020-05-13 21:25:48 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1756454, 1756458    

Description Clayton Coleman 2019-09-27 17:05:07 UTC 
Users are allowed (and in pre-prod environments, encouraged) to upgrade clusters to versions that may not be in a stable channel. In addition, between minor versions of the product (4.1 and 4.2) edges may not be created in the stable channel, but we want users to try it out.

To try that out today requires `oc adm upgrade --force` which bypasses signature verification and introduces a security risk.  The CLI really should not force that choice on users, and in 4.3 we anticipate adding additional checks that have nothing to do with that behavior.

For 4.1 and 4.2 we should split the --force flag in oc adm upgrade to only apply to server override, and use more specific flags for client side override (--allow-explicit-upgrade for using --to-image, and --allow-unsafe-upgrade for bypassing cluster version failure and upgrade in progress).
Comment 2 liujia 2019-10-16 09:47:45 UTC 
Verified on 4.3.0-0.nightly-2019-10-15-225018

1. check for --allow-upgrade-with-warnings
1) install 4.3.0-0.nightly-2019-10-15-180816
2) upgrade to one of available update
# oc adm upgrade --to 4.3.0-0.nightly-2019-10-15-225018 --force
Updating to 4.3.0-0.nightly-2019-10-15-225018
# oc adm upgrade
info: An upgrade is in progress. Working towards 4.3.0-0.nightly-2019-10-15-225018: 17% complete

Updates:

VERSION                           IMAGE
4.3.0-0.nightly-2019-10-16-030711 registry.svc.ci.openshift.org/ocp/release@sha256:d9321c99e6b04acd82e86e714b6ded47d406fbc64aed483b13939b8e84167f9c
3) upgrade to one of available update of 4.3.0-0.nightly-2019-10-15-225018
# oc adm upgrade --to 4.3.0-0.nightly-2019-10-16-030711
error: Already upgrading, pass --allow-upgrade-with-warnings to override.

  Reason: 
  Message: Working towards 4.3.0-0.nightly-2019-10-15-225018: 17% complete
4) add required variable
# oc adm upgrade --to 4.3.0-0.nightly-2019-10-16-030711 --allow-upgrade-with-warnings
Updating to 4.3.0-0.nightly-2019-10-16-030711

2. check for --allow-explicit-upgrade
1) initial version 4.3.0-0.nightly-2019-10-15-225018
2) upgrade to a payload not in available update
# oc adm upgrade --to-image registry.svc.ci.openshift.org/ocp/release:4.3.0-0.nightly-2019-10-16-010826 --force
error: The requested upgrade image is not one of the available updates, you must pass --allow-explicit-upgrade to continue
3) add required variable
# oc adm upgrade --to-image registry.svc.ci.openshift.org/ocp/release:4.3.0-0.nightly-2019-10-16-010826 --force --allow-explicit-upgrade
Updating to release image registry.svc.ci.openshift.org/ocp/release:4.3.0-0.nightly-2019-10-16-010826
Comment 4 errata-xmlrpc 2020-05-13 21:25:48 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0062