Bug 2074839 - [4.10.z] NetworkPolicy tests are failing on metal IPv6
Summary: [4.10.z] NetworkPolicy tests are failing on metal IPv6
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.10
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.10.z
Assignee: Derek Higgins
QA Contact: Anurag saxena
: 2076371
Depends On: 2074844
Blocks: CVE-2022-1677 2076373 2077369
Reported: 2022-04-13 08:44 UTC by Derek Higgins
Modified: 2022-05-13 07:47 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 2072547
: 2077369
Last Closed: 2022-05-11 10:31:47 UTC
Target Upstream Version:
rpittau: needinfo-

| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Github | openshift ovn-kubernetes pull 1043 | 0 | None | Merged | Bug 2074839: [release-4.10] fix ipv6 network policy | 2022-04-28 10:13:52 UTC |
| Red Hat Product Errata | RHBA-2022:1690 | 0 | None | None | None | 2022-05-11 10:32:12 UTC |

Comment 1 W. Trevor King 2022-04-27 22:23:11 UTC
Bug 2076809 was closed as a dup of bug 2077370.  Bug 2077370 is a backport of this one.  We only need UpgradeBlocker tracked in one bug in the series, and I'm picking this one as the dev-branch-most that is tied to specific pull requests.

Per [1], we're asking the following questions to evaluate whether or not this bug warrants changing update recommendations from either the previous X.Y or X.Y.Z. The ultimate goal is to avoid delivering an update which introduces new risk or reduces cluster functionality in any way. Sample answers are provided to give more context and the ImpactStatementRequested label has been added to this bug. When responding, please remove ImpactStatementRequested and set the ImpactStatementProposed label. The expectation is that the assignee answers these questions.

Which 4.y.z to 4.y'.z' updates increase vulnerability? Which types of clusters?
* reasoning: This allows us to populate from, to, and matchingRules in conditional update recommendations [2] for "the $SOURCE_RELEASE to $TARGET_RELEASE update is not recommended for clusters like $THIS".
* example: Customers upgrading from 4.y.Z to 4.y+1.z running on GCP with thousands of namespaces, approximately 5% of the subscribed fleet. Check your vulnerability with oc ... or the following PromQL count (...) > 0.
* example: All customers upgrading from 4.y.z to 4.y+1.z fail. Check your vulnerability with oc adm upgrade to show your current cluster version.

What is the impact? Is it serious enough to warrant removing update recommendations?
* reasoning: This allows us to populate name and message in conditional update recommendations [2] for "...because if you update, $THESE_CONDITIONS may cause $THESE_UNFORTUNATE_SYMPTOMS".
* example: Around 2 minute disruption in edge routing for 10% of clusters. Check with oc ....
* example: Up to 90 seconds of API downtime. Check with curl ....
* example: etcd loses quorum and you have to restore from backup. Check with ssh ....

How involved is remediation?
* reasoning: This allows administrators who are already vulnerable, or who chose to waive conditional-update risks, to recover their cluster. And even moderately serious impacts might be acceptable if they are easy to mitigate.
* example: Issue resolves itself after five minutes.
* example: Admin can run a single: oc ....
* example: Admin must SSH to hosts, restore from backups, or other non standard admin activities.

Is this a regression?
* reasoning: Updating between two vulnerable releases may not increase exposure (unless rebooting during the update increases vulnerability, etc.). We only qualify update recommendations if the update increases exposure.
* example: No, it has always been like this we just never noticed.
* example: Yes, from 4.y.z to 4.y+1.z Or 4.y.z to 4.y.z+1.

[1]: https://github.com/openshift/enhancements/blob/master/enhancements/update/update-blocker-lifecycle/README.md#impact-statement-request
[2]: https://github.com/openshift/cincinnati-graph-data/tree/0335e56cde6b17230106f137382cbbd9aa5038ed#block-edges

Comment 6 errata-xmlrpc 2022-05-11 10:31:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.10.13 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Comment 7 Lalatendu Mohanty 2022-05-11 20:13:18 UTC
Dropping the upgradeblocker as we are not planning to block 4.9 to 4.10 upgrade edges.

Comment 8 Sam Fowler 2022-05-13 07:47:14 UTC
*** Bug 2076371 has been marked as a duplicate of this bug. ***
