Bug 1756454

Summary: User upgrading a cluster from 4.1 to 4.2 before official release may bypass security protection
Product: OpenShift Container Platform Reporter: Clayton Coleman <ccoleman>
Component: ocAssignee: Clayton Coleman <ccoleman>
Status: CLOSED ERRATA QA Contact: Mike Fiedler <mifiedle>
Severity: high Docs Contact:
Priority: unspecified    
Version: 4.2.zCC: aos-bugs, jiajliu, jokerman, mfojtik, mifiedle, scuppett, wking, xtian, yinzhou
Target Milestone: ---   
Target Release: 4.2.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1756453
: 1756458 (view as bug list) Environment:
Last Closed: 2019-10-16 06:41:54 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1756453    
Bug Blocks: 1756458    

Description Clayton Coleman 2019-09-27 17:06:20 UTC 
+++ This bug was initially created as a clone of Bug #1756453 +++

Users are allowed (and in pre-prod environments, encouraged) to upgrade clusters to versions that may not be in a stable channel. In addition, between minor versions of the product (4.1 and 4.2) edges may not be created in the stable channel, but we want users to try it out.

To try that out today requires `oc adm upgrade --force` which bypasses signature verification and introduces a security risk.  The CLI really should not force that choice on users, and in 4.3 we anticipate adding additional checks that have nothing to do with that behavior.

For 4.1 and 4.2 we should split the --force flag in oc adm upgrade to only apply to server override, and use more specific flags for client side override (--allow-explicit-upgrade for using --to-image, and --allow-unsafe-upgrade for bypassing cluster version failure and upgrade in progress).
Comment 3 Mike Fiedler 2019-10-07 15:52:20 UTC 
Verified with client from 4.2.0-0.nightly-2019-10-07-011045

- upgraded to image not in graph with --to-image and --allow-explicit-upgrade
- upgraded with upgrade in progress with --allow-upgrade-with-warnings
- upgraded to unsigned payload with --to-image and --force
Comment 5 errata-xmlrpc 2019-10-16 06:41:54 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2922