cincinnati-graph-data icon indicating copy to clipboard operation
cincinnati-graph-data copied to clipboard
verified publisher icon openshift

HOSTEDCP-1941: blocked-edges/*HyperShiftNodePoolSkewBinaryDownload: Declare new risk for 4.15.(z>=23) and 4.16.(z>=4)

Open wking opened this issue 1 year ago • 9 comments

Generated by writing the 4.15.23 an 4.16.4 files by hand and copying them out with:

$ curl -s 'https://api.openshift.com/api/upgrades_info/graph?channel=candidate-4.15&arch=amd64' | jq -r '.nodes[] | .version' | grep '^4[.]15[.]\(2[4-9]\|[3-9][0-9]\)$' | while read VERSION; do sed "s/4.15.23/${VERSION}/" blocked-edges/4.15.23-HyperShiftNodePoolSkewBinaryDownload.yaml > "blocked-edges/${VERSION}-HyperShiftNodePoolSkewBinaryDownload.yaml"; done
$ curl -s 'https://api.openshift.com/api/upgrades_info/graph?channel=candidate-4.16&arch=amd64' | jq -r '.nodes[] | .version' | grep '^4[.]16[.]\([5-9]\|[1-9][0-9]\)$' | while read VERSION; do sed "s/4.16.4/${VERSION}/" blocked-edges/4.16.4-HyperShiftNodePoolSkewBinaryDownload.yaml > "blocked-edges/${VERSION}-HyperShiftNodePoolSkewBinaryDownload.yaml"; done

I'm not aware of PromQL for "what version NodePools are attached to this cluster?", but if that PromQL does exist, it would likely reduce the scope of matching clusters considerably.

wking avatar Aug 30 '24 16:08 wking

@wking: This pull request references HOSTEDCP-1941 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the spike to target the "4.18.0" version, but no target version was set.

In response to this:

Generated by writing the 4.15.23 an 4.16.4 files by hand and copying them out with:

$ curl -s 'https://api.openshift.com/api/upgrades_info/graph?channel=candidate-4.15&arch=amd64' | jq -r '.nodes[] | .version' | grep '^4[.]15[.]\(2[4-9]\|[3-9][0-9]\)$' | while read VERSION; do sed "s/4.15.23/${VERSION}/" blocked-edges/4.15.23-HyperShiftNodePoolSkewBinaryDownload.yaml > "blocked-edges/${VERSION}-HyperShiftNodePoolSkewBinaryDownload.yaml"; done
$ curl -s 'https://api.openshift.com/api/upgrades_info/graph?channel=candidate-4.16&arch=amd64' | jq -r '.nodes[] | .version' | grep '^4[.]16[.]\([5-9]\|[1-9][0-9]\)$' | while read VERSION; do sed "s/4.16.4/${VERSION}/"
blocked-edges/4.16.4-HyperShiftNodePoolSkewBinaryDownload.yaml > "blocked-edges/${VERSION}-HyperShiftNodePoolSkewBinaryDownload.yaml"; done

I'm not aware of PromQL for "what version NodePools are attached to this cluster?", but if that PromQL does exist, it would likely reduce the scope of matching clusters considerably.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci-robot avatar Aug 30 '24 16:08 openshift-ci-robot

/hold waiting for HyperShift folks to post an impact statement to https://issues.redhat.com/browse/HOSTEDCP-1941 , in case I'm misunderstanding exposure

wking avatar Aug 30 '24 16:08 wking

The impact statement is populated in HOSTEDCP-1941.

/hold cancel

wking avatar Aug 30 '24 17:08 wking

@wking: This pull request references HOSTEDCP-1941 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the spike to target the "4.18.0" version, but no target version was set.

In response to this:

Generated by writing the 4.15.23 an 4.16.4 files by hand and copying them out with:

$ curl -s 'https://api.openshift.com/api/upgrades_info/graph?channel=candidate-4.15&arch=amd64' | jq -r '.nodes[] | .version' | grep '^4[.]15[.]\(2[4-9]\|[3-9][0-9]\)$' | while read VERSION; do sed "s/4.15.23/${VERSION}/" blocked-edges/4.15.23-HyperShiftNodePoolSkewBinaryDownload.yaml > "blocked-edges/${VERSION}-HyperShiftNodePoolSkewBinaryDownload.yaml"; done
$ curl -s 'https://api.openshift.com/api/upgrades_info/graph?channel=candidate-4.16&arch=amd64' | jq -r '.nodes[] | .version' | grep '^4[.]16[.]\([5-9]\|[1-9][0-9]\)$' | while read VERSION; do sed "s/4.16.4/${VERSION}/" blocked-edges/4.16.4-HyperShiftNodePoolSkewBinaryDownload.yaml > "blocked-edges/${VERSION}-HyperShiftNodePoolSkewBinaryDownload.yaml"; done

I'm not aware of PromQL for "what version NodePools are attached to this cluster?", but if that PromQL does exist, it would likely reduce the scope of matching clusters considerably.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci-robot avatar Aug 30 '24 17:08 openshift-ci-robot

/hold

jewzaam avatar Aug 30 '24 17:08 jewzaam

Testing my regexps, these all look like they're working the way we want based on the impact statement's:

Which 4.y.z to 4.y'.z' updates increase vulnerability? Any upgrade of the Hosted Clusters from 4.15.22 or 4.16.3 to 4.15.23+ or 4.16.4+

$ hack/show-edges.py candidate-4.15 | grep ' 4[.]15[.]24' | sort -V
4.14.16 -(risks: HyperShiftKubeAPIPort443, HyperShiftNodePoolSkewBinaryDownload, OVNIPsecPausedMCPConnectivity)-> 4.15.24
...
4.14.33 -(risks: HyperShiftKubeAPIPort443, HyperShiftNodePoolSkewBinaryDownload, OVNIPsecPausedMCPConnectivity)-> 4.15.24
4.15.0 -(risks: HyperShiftKubeAPIPort443, HyperShiftNodePoolSkewBinaryDownload)-> 4.15.24
...
4.15.22 -(risks: HyperShiftNodePoolSkewBinaryDownload)-> 4.15.24
4.15.23 -> 4.15.24
$ hack/show-edges.py candidate-4.16 | grep ' 4[.]16[.]5$' | sort -V
4.15.18 -(risks: HyperShiftNodePoolSkewBinaryDownload)-> 4.16.5
...
4.15.22 -(risks: HyperShiftNodePoolSkewBinaryDownload)-> 4.16.5
4.15.23 -> 4.16.5
4.15.24 -> 4.16.5
4.16.0 -(risks: HyperShiftNodePoolSkewBinaryDownload)-> 4.16.5
...
4.16.3 -(risks: HyperShiftNodePoolSkewBinaryDownload)-> 4.16.5
4.16.4 -> 4.16.5
$ hack/show-edges.py candidate-4.16 | grep ' 4[.]16[.]10$' | sort -V
4.15.18 -(risks: HyperShiftNodePoolSkewBinaryDownload)-> 4.16.10
...
4.15.22 -(risks: HyperShiftNodePoolSkewBinaryDownload)-> 4.16.10
4.15.23 -> 4.16.10
...
4.15.30 -> 4.16.10
4.16.0 -(risks: HyperShiftNodePoolSkewBinaryDownload)-> 4.16.10
...
4.16.3 -(risks: HyperShiftNodePoolSkewBinaryDownload)-> 4.16.10
4.16.4 -> 4.16.10
...
4.16.9 -> 4.16.10

wking avatar Aug 30 '24 18:08 wking

/hold Just an additional vote for waiting to move this forward.

sdodson avatar Aug 30 '24 18:08 sdodson

/hold cancel Trevor has amended process docs to say that we'll no longer pursue these until we believe that there's value in doing so on HCP clusters. But given that's already happened here sure lets go ahead with this one.

sdodson avatar Nov 18 '24 17:11 sdodson

/lgtm

sdodson avatar Nov 19 '24 15:11 sdodson

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: sdodson, wking

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci[bot] avatar Nov 19 '24 15:11 openshift-ci[bot]

@wking: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

openshift-ci[bot] avatar Nov 19 '24 16:11 openshift-ci[bot]