Block edges to 4.3.8 through 4.3.12 on DefaultSecurityContextConstraints_Mutated #184
Conversation
|
/hold |
openshift-ci-robot
added
the
do-not-merge/hold
|
Hmm, this will create a gap where 4.3.0 cannot upgrade to 4.3.13. Need to consider what to do there. |
|
This will also raise the minimum version to upgrade from 4.2 to 4.3 from 4.2.21 to 4.2.29 which is undesirable but not unworkable. Which currently moves us from ~ 26% of the 4.2 fleet to < 1%. This could be mitigated by ensuring that 4.3.14 includes upgrades back to 4.2.21 but this seems like we're stretching and would introduce additional confusion. |
Should just be 4.2.{current} -> 4.2.29 -> 4.3, which doesn't seem that bad? Even from 4.2.0, it would be 4.2.0 -> 4.2.13 -> 4.2.21 -> 4.2.29 -> 4.3, so still just one extra hop. |
So we should include 4.3.0 in 4.3.14. |
sdodson
force-pushed
the
block-4.3.8-through-4.3.12
branch
from
d7b57ec to
b019810
Compare
4.3.8 introduced a change which blocks upgrades when the default SCCs are mutated. That change was merged under the assumption that the CVO would not block z-stream upgrades on that condition. However that change had not merged yet and thus ~40% of clusters which have upgraded to 4.3.8-4.3.12 are now blocked from upgrading with out specifying the --force flag. 4.3.13 relaxes the Upgradeable=False such that you can now apply z-stream updates when that condition is set. 4.3.14 will revert the change which began setting that condition. Because the majority of subscribed clusters had already upgraded into this problem and because of the numerous previously blocked upgrades we had decided to live with the problem until 4.3.13 ships. So once 4.3.13 is promoted into stable-4.3 we should stop additional clusters from falling into the problem.
sdodson
force-pushed
the
block-4.3.8-through-4.3.12
branch
from
b019810 to
3be2bd2
Compare
|
/lgtm Just need to wait on #176, or as close to that landing as we feel we need to get so we can land this without ruffling feathers about "where did my update go?". I'm personally fine landing this today, even if lots of folks are already up in the affected versions, because waiting a few days for #176 to land doesn't seem like a big deal. But I also understand that 4.2 -> 4.3 connectivity has not been great so far, and that there are clusters out there who have not mutated their default MCCs. Speaking of which: /retitle Block edges to 4.3.8 through 4.3.12 on DefaultSecurityContextConstraints_Mutated should make it a bit easier to find this in the Git logs. |
openshift-ci-robot
changed the title
|
Still holding on this until we work through some decisions internally. |
|
/hold cancel |
openshift-ci-robot
removed
the
do-not-merge/hold
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: eparis, sdodson, wking The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci-robot
added
the
approved
5 participants
4.3.8 introduced a change which blocks upgrades when the default SCCs are
mutated. That change was merged under the assumption that the CVO would not
block z-stream upgrades on that condition. However that change had not
merged yet and thus ~40% of clusters which have upgraded to 4.3.8-4.3.12
are now blocked from upgrading with out specifying the --force flag. 4.3.13
relaxes the Upgradeable=False such that you can now apply z-stream updates
when that condition is set. A future update, likely 4.3.14 will revert the change
which began setting that condition.
Because the slim majority of subscribed clusters had already upgraded into
this problem and because of the numerous previously blocked upgrades we
had decided to live with the problem until 4.3.13 ships. So once 4.3.13 is
promoted into stable-4.3 we should stop additional clusters from falling
into the problem.
Reference https://bugzilla.redhat.com/show_bug.cgi?id=1821905#c22