Bug 1730401: prevent automatic upgrades for clusters with cluster operators reporting Upgradeable false

[abhinavdahiya]

/cc @smarterclayton @wking

[smarterclayton]

How many preflight types can't / shouldn't be handled by putting code in the CVO?

[abhinavdahiya]

I would like to keep this list small to only necessary. because these checks only help if the current knows how to provide safety for next upgrade, while a better and long term solution should be the desired knows how to check those on current's state..

But i also see that the we don't provide any mechanism for clusteroperators to define their own preflight in any other location.. And if we end up being in a situation where we aren't at a place where these are defined by operators in their/some other repo, and we need to add a check to provide safety for an upgrade.. we might have to make more room.

So i don't have a great differentiating line for you currently..

[smarterclayton]

Why is this here? equalUpdate should already ignore version

[abhinavdahiya]

It's the force. this check !equalUpdate is always true if the update has force: true even if the release image is the same.

So this function conditional is always activated even in case of reconcile.

Seems like the reason we were seeing the Downloading update during CI runs, in the middle of upgrade.

[smarterclayton]

Can you add a test for that case?

[abhinavdahiya]

@smarterclayton added the test case in f0a07b8

here's how the test fails:

[11:57:05] ➜  cluster-version-operator git:(feature-prevent-upgrade) ✗ git --no-pager diff
diff --git a/pkg/cvo/sync_worker.go b/pkg/cvo/sync_worker.go
index e27ffc2..a863743 100644
--- a/pkg/cvo/sync_worker.go
+++ b/pkg/cvo/sync_worker.go
@@ -466,7 +466,7 @@ func (w *SyncWorker) syncOnce(ctx context.Context, work *SyncWork, maxWorkers in

        // cache the payload until the release image changes
        validPayload := w.payload
-       if validPayload == nil || !equalUpdate(configv1.Update{Image: validPayload.ReleaseImage}, configv1.Update{Image: update.Image}) {
+       if validPayload == nil || !equalUpdate(configv1.Update{Image: validPayload.ReleaseImage}, update) {
                klog.V(4).Infof("Loading payload")
                reporter.Report(SyncWorkerStatus{
                        Generation:  work.Generation,
[11:57:13] ➜  cluster-version-operator git:(feature-prevent-upgrade) ✗ go test ./pkg/cvo/... -v -run "^TestCVO_UpgradeUnverifiedPayloadRetriveOnce"
=== RUN   TestCVO_UpgradeUnverifiedPayloadRetriveOnce
E0829 11:57:19.271703    7584 sync_worker.go:322] unable to synchronize image (waiting 62.5ms): The update cannot be verified: some random error
--- FAIL: TestCVO_UpgradeUnverifiedPayloadRetriveOnce (0.50s)
    cvo_scenarios_test.go:1335: unexpected status item 0:
        object.Step:
          a: "ApplyResources"
          b: "RetrievePayload"
        object.VersionHash:
          a: "6GC9TkkG9PA="
          b: ""
FAIL
FAIL    github.com/openshift/cluster-version-operator/pkg/cvo   0.514s
testing: warning: no tests to run
PASS
ok      github.com/openshift/cluster-version-operator/pkg/cvo/internal  (cached) [no tests to run]
?       github.com/openshift/cluster-version-operator/pkg/cvo/internal/dynamicclient    [no test files]

[smarterclayton]

I really don't think force should be used in this case. --force bypasses security checks on content, I think we'd need to do a new force type.

[abhinavdahiya]

https://github.com/openshift/api/blob/58aab2885e38fd7f4fd57f2615f5f9fe38039e22/config/v1/types_cluster_version.go#L209-L218

// force allows an administrator to update to an image that has failed
// verification, does not appear in the availableUpdates list, or otherwise
// would be blocked by normal protections on update. This option should only
// be used when the authenticity of the provided image has been verified out
// of band because the provided image will run with full administrative access
// to the cluster. Do not use this flag with images that comes from unknown
// or potentially malicious sources.
//
// This flag does not override other forms of consistency checking that are
// required before a new update is deployed.

not appear in the availableUpdates list, or otherwise would be blocked by normal protections on update.
This flag does not override other forms of consistency checking that are required before a new update is deployed.

Sooo, with our current documentation, the following line allows admins to use force to override any protections on update and not consistency checks..

I think the preflight checks like the override protection,techpreview and custom noupgrade feature fall more in to protections bucket rather than the consistencies.

And I agree force is a big hammer, but https://bugzilla.redhat.com/show_bug.cgi?id=1730401 is a 4.2 blocker and i would not like to introduce any additions this late in the cycle. So putting this into force for now seems an option.

But i agree that we should 4.2+ think about allowing users to skip only some protections these become more important in auto upgrade. like disconnected people would maybe like to switch off only verify content and while others might want to only skip feature-flags..

but the current proposal of force being the big hammer today does not block moving to future with smaller hammers..?

[smarterclayton]

Yeah, I think the size of the hammer is mostly concerned with encouraging use of the hammer. Since this is going to be rare, I think it's ok to allow it without an API change in 4.2.

However, we may need to record in some form whether the hammer was used to assess whether an upgrade was bypassed.

[sdodson]

A way to record the state of all COs at the time that --force was used would be nice to have in any future work.

[sdodson]

/retitle Bug 1730401: WIP: cvo: prevent automatic upgrades for clusters that have un-supported feature gates set

[openshift-ci-robot]

@abhinavdahiya: This pull request references Bugzilla bug 1730401, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Bug 1730401: WIP: cvo: prevent automatic upgrades for clusters that have un-supported feature gates set

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[abhinavdahiya]

I think I have all the tests I thought are important added.
ping @smarterclayton and @wking as it should be ready for review.

[smarterclayton]

I'm somewhat confused because I thought we said this week in various forums we weren't going to block upgrades on the server, but maybe I missed the discussion where this became critical.

[smarterclayton]

I expected a preflight checking cluster operator condition Upgradeable == false. This one actually probably already covers features, although having a features message is... ok, I guess. If KAO is already setting Upgradeable false on feature set we don't need anything feature specific and so CVO is only driven by CO.

[abhinavdahiya]

So the goal is to prevent upgrades when features are set..

the precondition upgradeable == false preventing upgrades personally I think needs more thought and testing to make sure the operators are no missusing before we add is important. So I don't think we should be doing it.

KAO already setting a uprageable = false on features is great, but I think depending on that wouldn't be ideal as mentioned above, and also depends on KAO always respecting that :P I think it's better if CVO does it.

[abhinavdahiya]

^^ ping @smarterclayton

[smarterclayton]

Most of our components ALREADY report Upgradeable false

[smarterclayton]

I expected this PR to summarize an Upgradeable condition - ideally before a user ever upgrades. The current structure can't easily do that (and there are advantages to having preflight check coming on the new code), but for instance we could summarize all CO Upgradeable conditions and display a message, so someone knows where to look.

That simplifies CLI and web console experience (sam doesn't have to go read all CO, we get a consistent message and experience).

[abhinavdahiya]

I expected this PR to summarize an Upgradeable condition - ideally before a user ever upgrades.

That would be a long running syncer, and I don't think it's great to add that at this time.

The current structure can't easily do that (and there are advantages to having preflight check coming on the new code),

The current structures goal is to prevent upgrades, the long running syncer doesn't do that.. even if we add the long running syncer, we still needs this code to check the precondition before cvo accepts the upgrade. So I think the syncer to provide the Upgradeable condition is orthogonal to this, and perhaps when we add that later on, the precondition could use that as another check??

[abhinavdahiya]

^^ ping @smarterclayton

[smarterclayton]

That would be a long running syncer, and I don't think it's great to add that at this time.

I don't understand why. You just have to summarize the state.

Blocking without reporting seems unacceptable to me. I should know up top whether upgrades should even work.

I think the miscommunication / gap here is that we already have an implemented mechanism for reporting "Don't upgrade me" as Upgradable false since 4.1 GA, but this is targeting other checks which are much more specific / tied to implementation. We may need to have a higher bandwidth conversation on that, but the generic condition is better at isolating CVO from details, and behaves exactly like degraded in that sense.

[smarterclayton]

Is there another word we would use besides Preflight? UpgradePreconditionCheckFailed

[abhinavdahiya]

done with a5500d3

[smarterclayton]

this didn't get submitted earlier

[abhinavdahiya]

@smarterclayton added the long running upgradeable reporting sync 35c4299

and updated the preflights to single check if upgradeable...

PTAL if this looks better.

[abhinavdahiya]

@smarterclayton updated the PR to address your comments.

[smarterclayton]

/retest

[smarterclayton]

/lgtm

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: abhinavdahiya, smarterclayton

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [abhinavdahiya,smarterclayton]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

@abhinavdahiya: All pull requests linked via external trackers have merged. Bugzilla bug 1730401 has been moved to the MODIFIED state.

Details

In response to this:

Bug 1730401: prevent automatic upgrades for clusters with cluster operators reporting Upgradeable false

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.