Bug 1756453 - User upgrading a cluster from 4.1 to 4.2 before official release may bypass security protection
Summary: User upgrading a cluster from 4.1 to 4.2 before official release may bypass s...
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: oc
Version: 4.3.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.3.0
Assignee: Clayton Coleman
QA Contact: liujia
Depends On:
Blocks: 1756454 1756458
TreeView+ depends on / blocked
Reported: 2019-09-27 17:05 UTC by Clayton Coleman
Modified: 2020-05-13 21:25 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1756454 (view as bug list)
Last Closed: 2020-05-13 21:25:48 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Github openshift oc pull 109 0 'None' closed Bug 1756453: Separate upgrade flags for safety instead of abusing force 2021-02-02 11:54:16 UTC
Red Hat Product Errata RHBA-2020:0062 0 None None None 2020-05-13 21:25:52 UTC

Description Clayton Coleman 2019-09-27 17:05:07 UTC
Users are allowed (and in pre-prod environments, encouraged) to upgrade clusters to versions that may not be in a stable channel. In addition, between minor versions of the product (4.1 and 4.2) edges may not be created in the stable channel, but we want users to try it out.

To try that out today requires `oc adm upgrade --force` which bypasses signature verification and introduces a security risk.  The CLI really should not force that choice on users, and in 4.3 we anticipate adding additional checks that have nothing to do with that behavior.

For 4.1 and 4.2 we should split the --force flag in oc adm upgrade to only apply to server override, and use more specific flags for client side override (--allow-explicit-upgrade for using --to-image, and --allow-unsafe-upgrade for bypassing cluster version failure and upgrade in progress).

Comment 2 liujia 2019-10-16 09:47:45 UTC
Verified on 4.3.0-0.nightly-2019-10-15-225018

1. check for --allow-upgrade-with-warnings
1) install 4.3.0-0.nightly-2019-10-15-180816
2) upgrade to one of available update
# oc adm upgrade --to 4.3.0-0.nightly-2019-10-15-225018 --force
Updating to 4.3.0-0.nightly-2019-10-15-225018
# oc adm upgrade
info: An upgrade is in progress. Working towards 4.3.0-0.nightly-2019-10-15-225018: 17% complete


VERSION                           IMAGE
4.3.0-0.nightly-2019-10-16-030711 registry.svc.ci.openshift.org/ocp/release@sha256:d9321c99e6b04acd82e86e714b6ded47d406fbc64aed483b13939b8e84167f9c
3) upgrade to one of available update of 4.3.0-0.nightly-2019-10-15-225018
# oc adm upgrade --to 4.3.0-0.nightly-2019-10-16-030711
error: Already upgrading, pass --allow-upgrade-with-warnings to override.

  Message: Working towards 4.3.0-0.nightly-2019-10-15-225018: 17% complete
4) add required variable
# oc adm upgrade --to 4.3.0-0.nightly-2019-10-16-030711 --allow-upgrade-with-warnings
Updating to 4.3.0-0.nightly-2019-10-16-030711

2. check for --allow-explicit-upgrade
1) initial version 4.3.0-0.nightly-2019-10-15-225018
2) upgrade to a payload not in available update
# oc adm upgrade --to-image registry.svc.ci.openshift.org/ocp/release:4.3.0-0.nightly-2019-10-16-010826 --force
error: The requested upgrade image is not one of the available updates, you must pass --allow-explicit-upgrade to continue
3) add required variable
# oc adm upgrade --to-image registry.svc.ci.openshift.org/ocp/release:4.3.0-0.nightly-2019-10-16-010826 --force --allow-explicit-upgrade
Updating to release image registry.svc.ci.openshift.org/ocp/release:4.3.0-0.nightly-2019-10-16-010826

Comment 4 errata-xmlrpc 2020-05-13 21:25:48 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.