Bug 1834858
Summary: | Old SG rules created by CNO on Kuryr bootstrap not removed on upgrade | ||
---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | Michał Dulko <mdulko> |
Component: | Networking | Assignee: | Michał Dulko <mdulko> |
Networking sub component: | kuryr | QA Contact: | GenadiC <gcheresh> |
Status: | CLOSED ERRATA | Docs Contact: | |
Severity: | high | ||
Priority: | urgent | CC: | gcheresh, juriarte, ltomasbo, rlobillo |
Version: | 4.3.z | Keywords: | UpcomingSprint |
Target Milestone: | --- | ||
Target Release: | 4.3.z | ||
Hardware: | All | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: |
Cause: cluster-network-operator on Kuryr bootstrapping had no logic to remove deprecated security group rules when they get replaced by new ones.
Consequence: On OCP upgrade the old SG rules were left on the SGs meaning that tightening them to increase security was not done on environments upgraded between 4.3.z releases.
Fix: The fix is to make sure CNO is removing old security group rules.
Result: The SG rules get removed, on 4.3.z upgrade pods are correctly getting the access to host VMs restricted.
|
Story Points: | --- |
Clone Of: | 1832899 | Environment: | |
Last Closed: | 2020-05-27 17:00:46 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1832899 | ||
Bug Blocks: |
Comment 3
rlobillo
2020-05-20 10:02:44 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:2184 |