Conversation

jubittajohn
Contributor

@jubittajohn jubittajohn commented Sep 15, 2025

As part of Kubernetes v1.32, several sysctls [1] have been added to the SafeSysctlAllowlist. However, that list has not yet been updated in OCP. This change addresses that issue.

[1] https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/#safe-and-unsafe-sysctls

This is a manual cherry-pick of #148

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Sep 15, 2025
Contributor

openshift-ci bot commented Sep 15, 2025

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@jubittajohn jubittajohn force-pushed the 4.20-update-safed-sysctl branch from 0357dbe to 5f1f9f1 Compare September 15, 2025 19:28
@jubittajohn jubittajohn changed the title pkg:add missing safe sysctls to list of SafeSysctlAllowlist OCPBUGS-61679: pkg:add missing safe sysctls to list of SafeSysctlAllowlist Sep 15, 2025
@openshift-ci-robot openshift-ci-robot added jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Sep 15, 2025
@openshift-ci-robot

@jubittajohn: This pull request references Jira Issue OCPBUGS-61679, which is invalid:

  • release note text must be set and not match the template OR release note type must be set to "Release Note Not Required". For more information you can reference the OpenShift Bug Process.

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

As part of Kubernetes v1.32, several sysctls [1] have been added to the SafeSysctlAllowlist. However, that list has not yet been updated in OCP. This change addresses that issue.

[1] https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/#safe-and-unsafe-sysctls

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@jubittajohn
Contributor Author

/jira refresh

@openshift-ci-robot openshift-ci-robot added the jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. label Sep 16, 2025
@openshift-ci-robot

@jubittajohn: This pull request references Jira Issue OCPBUGS-61679, which is valid. The bug has been moved to the POST state.

7 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.20.0) matches configured target version for branch (4.20.0)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)
  • release note type set to "Release Note Not Required"
  • dependent bug Jira Issue OCPBUGS-58313 is in the state Verified, which is one of the valid states (MODIFIED, ON_QA, VERIFIED)
  • dependent Jira Issue OCPBUGS-58313 targets the "4.21.0" version, which is one of the valid target versions: 4.21.0
  • bug has dependents

Requesting review from QA contact:
/cc @xingxingxia

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot removed the jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. label Sep 16, 2025
@openshift-ci openshift-ci bot requested a review from xingxingxia September 16, 2025 18:17
@jubittajohn jubittajohn marked this pull request as ready for review September 16, 2025 18:17
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Sep 16, 2025
@openshift-ci openshift-ci bot requested review from deads2k and ibihim September 16, 2025 18:18
Contributor

openshift-ci bot commented Sep 16, 2025

@jubittajohn: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-ci-robot

@jubittajohn: This pull request references Jira Issue OCPBUGS-61679, which is valid.

7 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.20.0) matches configured target version for branch (4.20.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)
  • release note type set to "Release Note Not Required"
  • dependent bug Jira Issue OCPBUGS-58313 is in the state Verified, which is one of the valid states (MODIFIED, ON_QA, VERIFIED)
  • dependent Jira Issue OCPBUGS-58313 targets the "4.21.0" version, which is one of the valid target versions: 4.21.0
  • bug has dependents

Requesting review from QA contact:
/cc @xingxingxia

In response to this:

As part of Kubernetes v1.32, several sysctls [1] have been added to the SafeSysctlAllowlist. However, that list has not yet been updated in OCP. This change addresses that issue.

[1] https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/#safe-and-unsafe-sysctls

This is a manual cherry-pick of #148

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@bertinatto
Member

/lgtm
/label backport-risk-assessed

Contributor

openshift-ci bot commented Sep 16, 2025

@bertinatto: Can not set label backport-risk-assessed: Must be member in one of these teams: [openshift-patch-managers openshift-release-oversight openshift-staff-engineers openshift-sustaining-engineers]

In response to this:

/lgtm
/label backport-risk-assessed

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Sep 16, 2025
Contributor

openshift-ci bot commented Sep 16, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bertinatto, jubittajohn

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 16, 2025
@xingxingxia

/verified later @xingxingxia

@openshift-ci-robot openshift-ci-robot added verified-later verified Signifies that the PR passed pre-merge verification criteria labels Sep 17, 2025
@openshift-ci-robot

@xingxingxia: This PR has been marked to be verified later by @xingxingxia.

In response to this:

/verified later @xingxingxia

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

func getSafeSysctlAllowlist(getVersion func() (*version.Version, error)) []string {
safeSysctlAllowlist := slices.Clone(legacySafeSysctls)

kernelVersion, err := getVersion()

Pod SCC admission will be executing on a control plane node in a kube-apiserver process, and this is reading the local kernel version. Don't we want admission to consider the kernel version on the Node that the Pod is assigned to?

/hold

@benluddy / @jubittajohn anything I can help you two out to push https://issues.redhat.com/browse/OCPBUGS-61679 further?

as for this comment specifically, I think there is no way besides a webhook or node object inspection to figure this out. Do we really need this validation?

Contributor Author

@tjungblu
Linking the discussion thread here: https://redhat-internal.slack.com/archives/CC3CZCQHM/p1758217953650509.
The main output of the discussion was to admit a sysctl if at least one worker node supports it, and to add an e2e test to capture the behavior.
#151 - Linking the draft PR I have with a slightly different approach, which gets the minimum kernel version across currently available worker nodes. Not yet tested against a cluster or covered by unit tests.
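
To make the review concern concrete, here is an added example (not code from this PR or from the project under review): a kernel-gated allowlist with the shape of getSafeSysctlAllowlist, where the version source is swapped from the apiserver host's own kernel to a pick across worker nodes, either the oldest (the #151 draft) or the newest (the "at least one worker supports it" outcome of the thread). KernelVersion, gatedSysctl, workerKernel, the sample fleet and the per-sysctl kernel thresholds are assumptions for illustration; only the sysctl names are upstream safe sysctls.

```go
package main

import "fmt"

// KernelVersion is a major.minor stand-in for apimachinery's version.Version.
type KernelVersion struct{ Major, Minor int }
func (v KernelVersion) AtLeast(o KernelVersion) bool {
	return v.Major > o.Major || (v.Major == o.Major && v.Minor >= o.Minor)
}

// gatedSysctl pairs an upstream safe sysctl with the oldest kernel assumed to
// support it; the thresholds here are illustrative, not copied from Kubernetes.
type gatedSysctl struct {
	name string
	min  *KernelVersion // nil: admitted on any kernel
}
var safeSysctls = []gatedSysctl{
	{"kernel.shm_rmid_forced", nil},
	{"net.ipv4.ip_local_reserved_ports", &KernelVersion{3, 16}},
	{"net.ipv4.tcp_keepalive_time", &KernelVersion{4, 5}},
	{"net.ipv4.tcp_rmem", &KernelVersion{4, 14}},
}

// getSafeSysctlAllowlist has the shape of the function under review: a gated
// sysctl is admitted only if the kernel from getVersion supports it.
func getSafeSysctlAllowlist(getVersion func() (KernelVersion, error)) []string {
	kv, err := getVersion() // on error only ungated entries remain
	var out []string
	for _, s := range safeSysctls {
		if s.min == nil || (err == nil && kv.AtLeast(*s.min)) {
			out = append(out, s.name)
		}
	}
	return out
}

// workerKernel replaces "read the apiserver host's kernel" with a fleet-wide pick:
// oldest worker kernel (#151 draft) or, with newest, the newest one (the thread's
// "admit if at least one worker supports it"). Wrap it to serve as getVersion.
func workerKernel(nodes []KernelVersion, newest bool) (KernelVersion, error) {
	if len(nodes) == 0 {
		return KernelVersion{}, fmt.Errorf("no worker kernel versions known")
	}
	pick := nodes[0]
	for _, n := range nodes[1:] {
		if n != pick && n.AtLeast(pick) == newest {
			pick = n
		}
	}
	return pick, nil
}

func main() { // constructed fleet: one current node, one old node
	fleet := []KernelVersion{{5, 14}, {4, 4}}
	fmt.Println(getSafeSysctlAllowlist(func() (KernelVersion, error) { return workerKernel(fleet, false) }))
}
```

With the oldest-node policy the 4.4 node drops the keepalive and tcp_rmem entries for every Pod; with the newest-node policy a Pod scheduled onto that node would be admitted with a sysctl its kernel cannot honour.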

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Sep 18, 2025