diff --git a/blocked-edges/4.14.0-OVNInterConnectTransitionIPsec.yaml b/blocked-edges/4.14.0-OVNInterConnectTransitionIPsec.yaml
new file mode 100644
index 000000000..f5bd0a4b3
--- /dev/null
+++ b/blocked-edges/4.14.0-OVNInterConnectTransitionIPsec.yaml
@@ -0,0 +1,16 @@
+to: 4.14.0
+from: 4[.]13[.].*
+url: https://issues.redhat.com/browse/SDN-4871
+name: OVNInterConnectTransitionIPsec
+message: OVN clusters with IPsec enabled may have a window during the update to 4.14 where pod-to-node and node-to-node traffic is not encrypted.
+matchingRules:
+- type: PromQL
+ promql:
+ promql: |
+ group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "enabled", "", "") == 1)
+ or on (_id)
+ 0 * group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "disabled", "", ""))
+ or on (_id)
+ -1 * group by (resource) (max_over_time(apiserver_storage_objects{_id="",resource="egressips.k8s.ovn.org"}[1h]))
+ or on (_id)
+ 0 * group(max_over_time(apiserver_storage_objects{_id=""}[1h]))
diff --git a/blocked-edges/4.14.0-ec.0-OVNInterConnectTransitionIPsec.yaml b/blocked-edges/4.14.0-ec.0-OVNInterConnectTransitionIPsec.yaml
new file mode 100644
index 000000000..b8a681287
--- /dev/null
+++ b/blocked-edges/4.14.0-ec.0-OVNInterConnectTransitionIPsec.yaml
@@ -0,0 +1,16 @@
+to: 4.14.0-ec.0
+from: 4[.]13[.].*
+url: https://issues.redhat.com/browse/SDN-4871
+name: OVNInterConnectTransitionIPsec
+message: OVN clusters with IPsec enabled may have a window during the update to 4.14 where pod-to-node and node-to-node traffic is not encrypted.
+matchingRules:
+- type: PromQL
+ promql:
+ promql: |
+ group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "enabled", "", "") == 1)
+ or on (_id)
+ 0 * group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "disabled", "", ""))
+ or on (_id)
+ -1 * group by (resource) (max_over_time(apiserver_storage_objects{_id="",resource="egressips.k8s.ovn.org"}[1h]))
+ or on (_id)
+ 0 * group(max_over_time(apiserver_storage_objects{_id=""}[1h]))
diff --git a/blocked-edges/4.14.0-ec.1-OVNInterConnectTransitionIPsec.yaml b/blocked-edges/4.14.0-ec.1-OVNInterConnectTransitionIPsec.yaml
new file mode 100644
index 000000000..6b3b92bad
--- /dev/null
+++ b/blocked-edges/4.14.0-ec.1-OVNInterConnectTransitionIPsec.yaml
@@ -0,0 +1,16 @@
+to: 4.14.0-ec.1
+from: 4[.]13[.].*
+url: https://issues.redhat.com/browse/SDN-4871
+name: OVNInterConnectTransitionIPsec
+message: OVN clusters with IPsec enabled may have a window during the update to 4.14 where pod-to-node and node-to-node traffic is not encrypted.
+matchingRules:
+- type: PromQL
+ promql:
+ promql: |
+ group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "enabled", "", "") == 1)
+ or on (_id)
+ 0 * group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "disabled", "", ""))
+ or on (_id)
+ -1 * group by (resource) (max_over_time(apiserver_storage_objects{_id="",resource="egressips.k8s.ovn.org"}[1h]))
+ or on (_id)
+ 0 * group(max_over_time(apiserver_storage_objects{_id=""}[1h]))
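Review bot: The PromQL under `matchingRules` chains four `or on (_id)` arms that evaluate to 1, 0, -1 and 0, and nothing in the file says what each result is meant to signal; the `-1` arm in particular looks like a typo unless the reader already knows it is deliberate. Because this rule decides whether an admin is warned about a window of unencrypted pod-to-node and node-to-node traffic, I would put a YAML comment above `matchingRules`, for example `# 1: IPsec metric was 1 in the last hour; 0: IPsec metric present but not 1, or no egressips.k8s.ovn.org objects reported; -1: egressips.k8s.ovn.org reported but no IPsec metric (presumably surfaces as an unknown result, confirm)`. The rule is identical in every other file added by this commit, starting with the 4.14.0 and 4.14.0-ec.0 files, so the same comment applies to all of them.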
diff --git a/blocked-edges/4.14.0-ec.2-OVNInterConnectTransitionIPsec.yaml b/blocked-edges/4.14.0-ec.2-OVNInterConnectTransitionIPsec.yaml
new file mode 100644
index 000000000..27df05645
--- /dev/null
+++ b/blocked-edges/4.14.0-ec.2-OVNInterConnectTransitionIPsec.yaml
@@ -0,0 +1,16 @@
+to: 4.14.0-ec.2
+from: 4[.]13[.].*
+url: https://issues.redhat.com/browse/SDN-4871
+name: OVNInterConnectTransitionIPsec
+message: OVN clusters with IPsec enabled may have a window during the update to 4.14 where pod-to-node and node-to-node traffic is not encrypted.
+matchingRules:
+- type: PromQL
+ promql:
+ promql: |
+ group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "enabled", "", "") == 1)
+ or on (_id)
+ 0 * group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "disabled", "", ""))
+ or on (_id)
+ -1 * group by (resource) (max_over_time(apiserver_storage_objects{_id="",resource="egressips.k8s.ovn.org"}[1h]))
+ or on (_id)
+ 0 * group(max_over_time(apiserver_storage_objects{_id=""}[1h]))
diff --git a/blocked-edges/4.14.0-ec.3-OVNInterConnectTransitionIPsec.yaml b/blocked-edges/4.14.0-ec.3-OVNInterConnectTransitionIPsec.yaml
new file mode 100644
index 000000000..e23ae0dd3
--- /dev/null
+++ b/blocked-edges/4.14.0-ec.3-OVNInterConnectTransitionIPsec.yaml
@@ -0,0 +1,16 @@
+to: 4.14.0-ec.3
+from: 4[.]13[.].*
+url: https://issues.redhat.com/browse/SDN-4871
+name: OVNInterConnectTransitionIPsec
+message: OVN clusters with IPsec enabled may have a window during the update to 4.14 where pod-to-node and node-to-node traffic is not encrypted.
+matchingRules:
+- type: PromQL
+ promql:
+ promql: |
+ group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "enabled", "", "") == 1)
+ or on (_id)
+ 0 * group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "disabled", "", ""))
+ or on (_id)
+ -1 * group by (resource) (max_over_time(apiserver_storage_objects{_id="",resource="egressips.k8s.ovn.org"}[1h]))
+ or on (_id)
+ 0 * group(max_over_time(apiserver_storage_objects{_id=""}[1h]))
diff --git a/blocked-edges/4.14.0-ec.4-OVNInterConnectTransitionIPsec.yaml b/blocked-edges/4.14.0-ec.4-OVNInterConnectTransitionIPsec.yaml
new file mode 100644
index 000000000..d0100f4a3
--- /dev/null
+++ b/blocked-edges/4.14.0-ec.4-OVNInterConnectTransitionIPsec.yaml
@@ -0,0 +1,16 @@
+to: 4.14.0-ec.4
+from: 4[.]13[.].*
+url: https://issues.redhat.com/browse/SDN-4871
+name: OVNInterConnectTransitionIPsec
+message: OVN clusters with IPsec enabled may have a window during the update to 4.14 where pod-to-node and node-to-node traffic is not encrypted.
+matchingRules:
+- type: PromQL
+ promql:
+ promql: |
+ group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "enabled", "", "") == 1)
+ or on (_id)
+ 0 * group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "disabled", "", ""))
+ or on (_id)
+ -1 * group by (resource) (max_over_time(apiserver_storage_objects{_id="",resource="egressips.k8s.ovn.org"}[1h]))
+ or on (_id)
+ 0 * group(max_over_time(apiserver_storage_objects{_id=""}[1h]))
diff --git a/blocked-edges/4.14.0-rc.0-OVNInterConnectTransitionIPsec.yaml b/blocked-edges/4.14.0-rc.0-OVNInterConnectTransitionIPsec.yaml
new file mode 100644
index 000000000..6ae14004f
--- /dev/null
+++ b/blocked-edges/4.14.0-rc.0-OVNInterConnectTransitionIPsec.yaml
@@ -0,0 +1,16 @@
+to: 4.14.0-rc.0
+from: 4[.]13[.].*
+url: https://issues.redhat.com/browse/SDN-4871
+name: OVNInterConnectTransitionIPsec
+message: OVN clusters with IPsec enabled may have a window during the update to 4.14 where pod-to-node and node-to-node traffic is not encrypted.
+matchingRules:
+- type: PromQL
+ promql:
+ promql: |
+ group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "enabled", "", "") == 1)
+ or on (_id)
+ 0 * group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "disabled", "", ""))
+ or on (_id)
+ -1 * group by (resource) (max_over_time(apiserver_storage_objects{_id="",resource="egressips.k8s.ovn.org"}[1h]))
+ or on (_id)
+ 0 * group(max_over_time(apiserver_storage_objects{_id=""}[1h]))
diff --git a/blocked-edges/4.14.0-rc.1-OVNInterConnectTransitionIPsec.yaml b/blocked-edges/4.14.0-rc.1-OVNInterConnectTransitionIPsec.yaml
new file mode 100644
index 000000000..25dddf96f
--- /dev/null
+++ b/blocked-edges/4.14.0-rc.1-OVNInterConnectTransitionIPsec.yaml
@@ -0,0 +1,16 @@
+to: 4.14.0-rc.1
+from: 4[.]13[.].*
+url: https://issues.redhat.com/browse/SDN-4871
+name: OVNInterConnectTransitionIPsec
+message: OVN clusters with IPsec enabled may have a window during the update to 4.14 where pod-to-node and node-to-node traffic is not encrypted.
+matchingRules:
+- type: PromQL
+ promql:
+ promql: |
+ group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "enabled", "", "") == 1)
+ or on (_id)
+ 0 * group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "disabled", "", ""))
+ or on (_id)
+ -1 * group by (resource) (max_over_time(apiserver_storage_objects{_id="",resource="egressips.k8s.ovn.org"}[1h]))
+ or on (_id)
+ 0 * group(max_over_time(apiserver_storage_objects{_id=""}[1h]))
diff --git a/blocked-edges/4.14.0-rc.2-OVNInterConnectTransitionIPsec.yaml b/blocked-edges/4.14.0-rc.2-OVNInterConnectTransitionIPsec.yaml
new file mode 100644
index 000000000..f5c2f9264
--- /dev/null
+++ b/blocked-edges/4.14.0-rc.2-OVNInterConnectTransitionIPsec.yaml
@@ -0,0 +1,16 @@
+to: 4.14.0-rc.2
+from: 4[.]13[.].*
+url: https://issues.redhat.com/browse/SDN-4871
+name: OVNInterConnectTransitionIPsec
+message: OVN clusters with IPsec enabled may have a window during the update to 4.14 where pod-to-node and node-to-node traffic is not encrypted.
+matchingRules:
+- type: PromQL
+ promql:
+ promql: |
+ group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "enabled", "", "") == 1)
+ or on (_id)
+ 0 * group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "disabled", "", ""))
+ or on (_id)
+ -1 * group by (resource) (max_over_time(apiserver_storage_objects{_id="",resource="egressips.k8s.ovn.org"}[1h]))
+ or on (_id)
+ 0 * group(max_over_time(apiserver_storage_objects{_id=""}[1h]))
diff --git a/blocked-edges/4.14.0-rc.3-OVNInterConnectTransitionIPsec.yaml b/blocked-edges/4.14.0-rc.3-OVNInterConnectTransitionIPsec.yaml
new file mode 100644
index 000000000..0783fd77a
--- /dev/null
+++ b/blocked-edges/4.14.0-rc.3-OVNInterConnectTransitionIPsec.yaml
@@ -0,0 +1,16 @@
+to: 4.14.0-rc.3
+from: 4[.]13[.].*
+url: https://issues.redhat.com/browse/SDN-4871
+name: OVNInterConnectTransitionIPsec
+message: OVN clusters with IPsec enabled may have a window during the update to 4.14 where pod-to-node and node-to-node traffic is not encrypted.
+matchingRules:
+- type: PromQL
+ promql:
+ promql: |
+ group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "enabled", "", "") == 1)
+ or on (_id)
+ 0 * group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "disabled", "", ""))
+ or on (_id)
+ -1 * group by (resource) (max_over_time(apiserver_storage_objects{_id="",resource="egressips.k8s.ovn.org"}[1h]))
+ or on (_id)
+ 0 * group(max_over_time(apiserver_storage_objects{_id=""}[1h]))
diff --git a/blocked-edges/4.14.0-rc.4-OVNInterConnectTransitionIPsec.yaml b/blocked-edges/4.14.0-rc.4-OVNInterConnectTransitionIPsec.yaml
new file mode 100644
index 000000000..3612882ad
--- /dev/null
+++ b/blocked-edges/4.14.0-rc.4-OVNInterConnectTransitionIPsec.yaml
@@ -0,0 +1,16 @@
+to: 4.14.0-rc.4
+from: 4[.]13[.].*
+url: https://issues.redhat.com/browse/SDN-4871
+name: OVNInterConnectTransitionIPsec
+message: OVN clusters with IPsec enabled may have a window during the update to 4.14 where pod-to-node and node-to-node traffic is not encrypted.
+matchingRules:
+- type: PromQL
+ promql:
+ promql: |
+ group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "enabled", "", "") == 1)
+ or on (_id)
+ 0 * group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "disabled", "", ""))
+ or on (_id)
+ -1 * group by (resource) (max_over_time(apiserver_storage_objects{_id="",resource="egressips.k8s.ovn.org"}[1h]))
+ or on (_id)
+ 0 * group(max_over_time(apiserver_storage_objects{_id=""}[1h]))
diff --git a/blocked-edges/4.14.0-rc.5-OVNInterConnectTransitionIPsec.yaml b/blocked-edges/4.14.0-rc.5-OVNInterConnectTransitionIPsec.yaml
new file mode 100644
index 000000000..b18c570f6
--- /dev/null
+++ b/blocked-edges/4.14.0-rc.5-OVNInterConnectTransitionIPsec.yaml
@@ -0,0 +1,16 @@
+to: 4.14.0-rc.5
+from: 4[.]13[.].*
+url: https://issues.redhat.com/browse/SDN-4871
+name: OVNInterConnectTransitionIPsec
+message: OVN clusters with IPsec enabled may have a window during the update to 4.14 where pod-to-node and node-to-node traffic is not encrypted.
+matchingRules:
+- type: PromQL
+ promql:
+ promql: |
+ group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "enabled", "", "") == 1)
+ or on (_id)
+ 0 * group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "disabled", "", ""))
+ or on (_id)
+ -1 * group by (resource) (max_over_time(apiserver_storage_objects{_id="",resource="egressips.k8s.ovn.org"}[1h]))
+ or on (_id)
+ 0 * group(max_over_time(apiserver_storage_objects{_id=""}[1h]))
diff --git a/blocked-edges/4.14.0-rc.6-OVNInterConnectTransitionIPsec.yaml b/blocked-edges/4.14.0-rc.6-OVNInterConnectTransitionIPsec.yaml
new file mode 100644
index 000000000..ced8eec84
--- /dev/null
+++ b/blocked-edges/4.14.0-rc.6-OVNInterConnectTransitionIPsec.yaml
@@ -0,0 +1,16 @@
+to: 4.14.0-rc.6
+from: 4[.]13[.].*
+url: https://issues.redhat.com/browse/SDN-4871
+name: OVNInterConnectTransitionIPsec
+message: OVN clusters with IPsec enabled may have a window during the update to 4.14 where pod-to-node and node-to-node traffic is not encrypted.
+matchingRules:
+- type: PromQL
+ promql:
+ promql: |
+ group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "enabled", "", "") == 1)
+ or on (_id)
+ 0 * group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "disabled", "", ""))
+ or on (_id)
+ -1 * group by (resource) (max_over_time(apiserver_storage_objects{_id="",resource="egressips.k8s.ovn.org"}[1h]))
+ or on (_id)
+ 0 * group(max_over_time(apiserver_storage_objects{_id=""}[1h]))
diff --git a/blocked-edges/4.14.0-rc.7-OVNInterConnectTransitionIPsec.yaml b/blocked-edges/4.14.0-rc.7-OVNInterConnectTransitionIPsec.yaml
new file mode 100644
index 000000000..4a7aa4584
--- /dev/null
+++ b/blocked-edges/4.14.0-rc.7-OVNInterConnectTransitionIPsec.yaml
@@ -0,0 +1,16 @@
+to: 4.14.0-rc.7
+from: 4[.]13[.].*
+url: https://issues.redhat.com/browse/SDN-4871
+name: OVNInterConnectTransitionIPsec
+message: OVN clusters with IPsec enabled may have a window during the update to 4.14 where pod-to-node and node-to-node traffic is not encrypted.
+matchingRules:
+- type: PromQL
+ promql:
+ promql: |
+ group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "enabled", "", "") == 1)
+ or on (_id)
+ 0 * group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "disabled", "", ""))
+ or on (_id)
+ -1 * group by (resource) (max_over_time(apiserver_storage_objects{_id="",resource="egressips.k8s.ovn.org"}[1h]))
+ or on (_id)
+ 0 * group(max_over_time(apiserver_storage_objects{_id=""}[1h]))
diff --git a/blocked-edges/4.14.1-OVNInterConnectTransitionIPsec.yaml b/blocked-edges/4.14.1-OVNInterConnectTransitionIPsec.yaml
new file mode 100644
index 000000000..f2c31688e
--- /dev/null
+++ b/blocked-edges/4.14.1-OVNInterConnectTransitionIPsec.yaml
@@ -0,0 +1,16 @@
+to: 4.14.1
+from: 4[.]13[.].*
+url: https://issues.redhat.com/browse/SDN-4871
+name: OVNInterConnectTransitionIPsec
+message: OVN clusters with IPsec enabled may have a window during the update to 4.14 where pod-to-node and node-to-node traffic is not encrypted.
+matchingRules:
+- type: PromQL
+ promql:
+ promql: |
+ group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "enabled", "", "") == 1)
+ or on (_id)
+ 0 * group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "disabled", "", ""))
+ or on (_id)
+ -1 * group by (resource) (max_over_time(apiserver_storage_objects{_id="",resource="egressips.k8s.ovn.org"}[1h]))
+ or on (_id)
+ 0 * group(max_over_time(apiserver_storage_objects{_id=""}[1h]))
diff --git a/blocked-edges/4.14.10-OVNInterConnectTransitionIPsec.yaml b/blocked-edges/4.14.10-OVNInterConnectTransitionIPsec.yaml
new file mode 100644
index 000000000..5a0bb31bf
--- /dev/null
+++ b/blocked-edges/4.14.10-OVNInterConnectTransitionIPsec.yaml
@@ -0,0 +1,16 @@
+to: 4.14.10
+from: 4[.]13[.].*
+url: https://issues.redhat.com/browse/SDN-4871
+name: OVNInterConnectTransitionIPsec
+message: OVN clusters with IPsec enabled may have a window during the update to 4.14 where pod-to-node and node-to-node traffic is not encrypted.
+matchingRules:
+- type: PromQL
+ promql:
+ promql: |
+ group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "enabled", "", "") == 1)
+ or on (_id)
+ 0 * group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "disabled", "", ""))
+ or on (_id)
+ -1 * group by (resource) (max_over_time(apiserver_storage_objects{_id="",resource="egressips.k8s.ovn.org"}[1h]))
+ or on (_id)
+ 0 * group(max_over_time(apiserver_storage_objects{_id=""}[1h]))
diff --git a/blocked-edges/4.14.11-OVNInterConnectTransitionIPsec.yaml b/blocked-edges/4.14.11-OVNInterConnectTransitionIPsec.yaml
new file mode 100644
index 000000000..13051617c
--- /dev/null
+++ b/blocked-edges/4.14.11-OVNInterConnectTransitionIPsec.yaml
@@ -0,0 +1,16 @@
+to: 4.14.11
+from: 4[.]13[.].*
+url: https://issues.redhat.com/browse/SDN-4871
+name: OVNInterConnectTransitionIPsec
+message: OVN clusters with IPsec enabled may have a window during the update to 4.14 where pod-to-node and node-to-node traffic is not encrypted.
+matchingRules:
+- type: PromQL
+ promql:
+ promql: |
+ group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "enabled", "", "") == 1)
+ or on (_id)
+ 0 * group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "disabled", "", ""))
+ or on (_id)
+ -1 * group by (resource) (max_over_time(apiserver_storage_objects{_id="",resource="egressips.k8s.ovn.org"}[1h]))
+ or on (_id)
+ 0 * group(max_over_time(apiserver_storage_objects{_id=""}[1h]))
diff --git a/blocked-edges/4.14.12-OVNInterConnectTransitionIPsec.yaml b/blocked-edges/4.14.12-OVNInterConnectTransitionIPsec.yaml
new file mode 100644
index 000000000..d9f5db931
--- /dev/null
+++ b/blocked-edges/4.14.12-OVNInterConnectTransitionIPsec.yaml
@@ -0,0 +1,16 @@
+to: 4.14.12
+from: 4[.]13[.].*
+url: https://issues.redhat.com/browse/SDN-4871
+name: OVNInterConnectTransitionIPsec
+message: OVN clusters with IPsec enabled may have a window during the update to 4.14 where pod-to-node and node-to-node traffic is not encrypted.
+matchingRules:
+- type: PromQL
+ promql:
+ promql: |
+ group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "enabled", "", "") == 1)
+ or on (_id)
+ 0 * group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "disabled", "", ""))
+ or on (_id)
+ -1 * group by (resource) (max_over_time(apiserver_storage_objects{_id="",resource="egressips.k8s.ovn.org"}[1h]))
+ or on (_id)
+ 0 * group(max_over_time(apiserver_storage_objects{_id=""}[1h]))
diff --git a/blocked-edges/4.14.13-OVNInterConnectTransitionIPsec.yaml b/blocked-edges/4.14.13-OVNInterConnectTransitionIPsec.yaml
new file mode 100644
index 000000000..a1421a1e7
--- /dev/null
+++ b/blocked-edges/4.14.13-OVNInterConnectTransitionIPsec.yaml
@@ -0,0 +1,16 @@
+to: 4.14.13
+from: 4[.]13[.].*
+url: https://issues.redhat.com/browse/SDN-4871
+name: OVNInterConnectTransitionIPsec
+message: OVN clusters with IPsec enabled may have a window during the update to 4.14 where pod-to-node and node-to-node traffic is not encrypted.
+matchingRules:
+- type: PromQL
+ promql:
+ promql: |
+ group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "enabled", "", "") == 1)
+ or on (_id)
+ 0 * group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "disabled", "", ""))
+ or on (_id)
+ -1 * group by (resource) (max_over_time(apiserver_storage_objects{_id="",resource="egressips.k8s.ovn.org"}[1h]))
+ or on (_id)
+ 0 * group(max_over_time(apiserver_storage_objects{_id=""}[1h]))
diff --git a/blocked-edges/4.14.14-OVNInterConnectTransitionIPsec.yaml b/blocked-edges/4.14.14-OVNInterConnectTransitionIPsec.yaml
new file mode 100644
index 000000000..53ebb4e94
--- /dev/null
+++ b/blocked-edges/4.14.14-OVNInterConnectTransitionIPsec.yaml
@@ -0,0 +1,16 @@
+to: 4.14.14
+from: 4[.]13[.].*
+url: https://issues.redhat.com/browse/SDN-4871
+name: OVNInterConnectTransitionIPsec
+message: OVN clusters with IPsec enabled may have a window during the update to 4.14 where pod-to-node and node-to-node traffic is not encrypted.
+matchingRules:
+- type: PromQL
+ promql:
+ promql: |
+ group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "enabled", "", "") == 1)
+ or on (_id)
+ 0 * group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "disabled", "", ""))
+ or on (_id)
+ -1 * group by (resource) (max_over_time(apiserver_storage_objects{_id="",resource="egressips.k8s.ovn.org"}[1h]))
+ or on (_id)
+ 0 * group(max_over_time(apiserver_storage_objects{_id=""}[1h]))
diff --git a/blocked-edges/4.14.15-OVNInterConnectTransitionIPsec.yaml b/blocked-edges/4.14.15-OVNInterConnectTransitionIPsec.yaml
new file mode 100644
index 000000000..c15d0c791
--- /dev/null
+++ b/blocked-edges/4.14.15-OVNInterConnectTransitionIPsec.yaml
@@ -0,0 +1,16 @@
+to: 4.14.15
+from: 4[.]13[.].*
+url: https://issues.redhat.com/browse/SDN-4871
+name: OVNInterConnectTransitionIPsec
+message: OVN clusters with IPsec enabled may have a window during the update to 4.14 where pod-to-node and node-to-node traffic is not encrypted.
+matchingRules:
+- type: PromQL
+ promql:
+ promql: |
+ group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "enabled", "", "") == 1)
+ or on (_id)
+ 0 * group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "disabled", "", ""))
+ or on (_id)
+ -1 * group by (resource) (max_over_time(apiserver_storage_objects{_id="",resource="egressips.k8s.ovn.org"}[1h]))
+ or on (_id)
+ 0 * group(max_over_time(apiserver_storage_objects{_id=""}[1h]))
diff --git a/blocked-edges/4.14.16-OVNInterConnectTransitionIPsec.yaml b/blocked-edges/4.14.16-OVNInterConnectTransitionIPsec.yaml
new file mode 100644
index 000000000..921867caf
--- /dev/null
+++ b/blocked-edges/4.14.16-OVNInterConnectTransitionIPsec.yaml
@@ -0,0 +1,16 @@
+to: 4.14.16
+from: 4[.]13[.].*
+url: https://issues.redhat.com/browse/SDN-4871
+name: OVNInterConnectTransitionIPsec
+message: OVN clusters with IPsec enabled may have a window during the update to 4.14 where pod-to-node and node-to-node traffic is not encrypted.
+matchingRules:
+- type: PromQL
+ promql:
+ promql: |
+ group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "enabled", "", "") == 1)
+ or on (_id)
+ 0 * group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "disabled", "", ""))
+ or on (_id)
+ -1 * group by (resource) (max_over_time(apiserver_storage_objects{_id="",resource="egressips.k8s.ovn.org"}[1h]))
+ or on (_id)
+ 0 * group(max_over_time(apiserver_storage_objects{_id=""}[1h]))
diff --git a/blocked-edges/4.14.17-OVNInterConnectTransitionIPsec.yaml b/blocked-edges/4.14.17-OVNInterConnectTransitionIPsec.yaml
new file mode 100644
index 000000000..b2e5fa3d6
--- /dev/null
+++ b/blocked-edges/4.14.17-OVNInterConnectTransitionIPsec.yaml
@@ -0,0 +1,16 @@
+to: 4.14.17
+from: 4[.]13[.].*
+url: https://issues.redhat.com/browse/SDN-4871
+name: OVNInterConnectTransitionIPsec
+message: OVN clusters with IPsec enabled may have a window during the update to 4.14 where pod-to-node and node-to-node traffic is not encrypted.
+matchingRules:
+- type: PromQL
+ promql:
+ promql: |
+ group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "enabled", "", "") == 1)
+ or on (_id)
+ 0 * group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "disabled", "", ""))
+ or on (_id)
+ -1 * group by (resource) (max_over_time(apiserver_storage_objects{_id="",resource="egressips.k8s.ovn.org"}[1h]))
+ or on (_id)
+ 0 * group(max_over_time(apiserver_storage_objects{_id=""}[1h]))
diff --git a/blocked-edges/4.14.18-OVNInterConnectTransitionIPsec.yaml b/blocked-edges/4.14.18-OVNInterConnectTransitionIPsec.yaml
new file mode 100644
index 000000000..cb9b7bd4a
--- /dev/null
+++ b/blocked-edges/4.14.18-OVNInterConnectTransitionIPsec.yaml
@@ -0,0 +1,16 @@
+to: 4.14.18
+from: 4[.]13[.].*
+url: https://issues.redhat.com/browse/SDN-4871
+name: OVNInterConnectTransitionIPsec
+message: OVN clusters with IPsec enabled may have a window during the update to 4.14 where pod-to-node and node-to-node traffic is not encrypted.
+matchingRules:
+- type: PromQL
+ promql:
+ promql: |
+ group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "enabled", "", "") == 1)
+ or on (_id)
+ 0 * group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "disabled", "", ""))
+ or on (_id)
+ -1 * group by (resource) (max_over_time(apiserver_storage_objects{_id="",resource="egressips.k8s.ovn.org"}[1h]))
+ or on (_id)
+ 0 * group(max_over_time(apiserver_storage_objects{_id=""}[1h]))
diff --git a/blocked-edges/4.14.19-OVNInterConnectTransitionIPsec.yaml b/blocked-edges/4.14.19-OVNInterConnectTransitionIPsec.yaml
new file mode 100644
index 000000000..e4a860f6f
--- /dev/null
+++ b/blocked-edges/4.14.19-OVNInterConnectTransitionIPsec.yaml
@@ -0,0 +1,16 @@
+to: 4.14.19
+from: 4[.]13[.].*
+url: https://issues.redhat.com/browse/SDN-4871
+name: OVNInterConnectTransitionIPsec
+message: OVN clusters with IPsec enabled may have a window during the update to 4.14 where pod-to-node and node-to-node traffic is not encrypted.
+matchingRules:
+- type: PromQL
+ promql:
+ promql: |
+ group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "enabled", "", "") == 1)
+ or on (_id)
+ 0 * group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "disabled", "", ""))
+ or on (_id)
+ -1 * group by (resource) (max_over_time(apiserver_storage_objects{_id="",resource="egressips.k8s.ovn.org"}[1h]))
+ or on (_id)
+ 0 * group(max_over_time(apiserver_storage_objects{_id=""}[1h]))
diff --git a/blocked-edges/4.14.2-OVNInterConnectTransitionIPsec.yaml b/blocked-edges/4.14.2-OVNInterConnectTransitionIPsec.yaml
new file mode 100644
index 000000000..570ade939
--- /dev/null
+++ b/blocked-edges/4.14.2-OVNInterConnectTransitionIPsec.yaml
@@ -0,0 +1,16 @@
+to: 4.14.2
+from: 4[.]13[.].*
+url: https://issues.redhat.com/browse/SDN-4871
+name: OVNInterConnectTransitionIPsec
+message: OVN clusters with IPsec enabled may have a window during the update to 4.14 where pod-to-node and node-to-node traffic is not encrypted.
+matchingRules:
+- type: PromQL
+ promql:
+ promql: |
+ group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "enabled", "", "") == 1)
+ or on (_id)
+ 0 * group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "disabled", "", ""))
+ or on (_id)
+ -1 * group by (resource) (max_over_time(apiserver_storage_objects{_id="",resource="egressips.k8s.ovn.org"}[1h]))
+ or on (_id)
+ 0 * group(max_over_time(apiserver_storage_objects{_id=""}[1h]))
diff --git a/blocked-edges/4.14.20-OVNInterConnectTransitionIPsec.yaml b/blocked-edges/4.14.20-OVNInterConnectTransitionIPsec.yaml
new file mode 100644
index 000000000..6950b1708
--- /dev/null
+++ b/blocked-edges/4.14.20-OVNInterConnectTransitionIPsec.yaml
@@ -0,0 +1,16 @@
+to: 4.14.20
+from: 4[.]13[.].*
+url: https://issues.redhat.com/browse/SDN-4871
+name: OVNInterConnectTransitionIPsec
+message: OVN clusters with IPsec enabled may have a window during the update to 4.14 where pod-to-node and node-to-node traffic is not encrypted.
+matchingRules:
+- type: PromQL
+ promql:
+ promql: |
+ group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "enabled", "", "") == 1)
+ or on (_id)
+ 0 * group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "disabled", "", ""))
+ or on (_id)
+ -1 * group by (resource) (max_over_time(apiserver_storage_objects{_id="",resource="egressips.k8s.ovn.org"}[1h]))
+ or on (_id)
+ 0 * group(max_over_time(apiserver_storage_objects{_id=""}[1h]))
diff --git a/blocked-edges/4.14.21-OVNInterConnectTransitionIPsec.yaml b/blocked-edges/4.14.21-OVNInterConnectTransitionIPsec.yaml
new file mode 100644
index 000000000..63a25b6db
--- /dev/null
+++ b/blocked-edges/4.14.21-OVNInterConnectTransitionIPsec.yaml
@@ -0,0 +1,16 @@
+to: 4.14.21
+from: 4[.]13[.].*
+url: https://issues.redhat.com/browse/SDN-4871
+name: OVNInterConnectTransitionIPsec
+message: OVN clusters with IPsec enabled may have a window during the update to 4.14 where pod-to-node and node-to-node traffic is not encrypted.
+matchingRules:
+- type: PromQL
+ promql:
+ promql: |
+ group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "enabled", "", "") == 1)
+ or on (_id)
+ 0 * group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "disabled", "", ""))
+ or on (_id)
+ -1 * group by (resource) (max_over_time(apiserver_storage_objects{_id="",resource="egressips.k8s.ovn.org"}[1h]))
+ or on (_id)
+ 0 * group(max_over_time(apiserver_storage_objects{_id=""}[1h]))
diff --git a/blocked-edges/4.14.22-OVNInterConnectTransitionIPsec.yaml b/blocked-edges/4.14.22-OVNInterConnectTransitionIPsec.yaml
new file mode 100644
index 000000000..05312ae8e
--- /dev/null
+++ b/blocked-edges/4.14.22-OVNInterConnectTransitionIPsec.yaml
@@ -0,0 +1,16 @@
+to: 4.14.22
+from: 4[.]13[.].*
+url: https://issues.redhat.com/browse/SDN-4871
+name: OVNInterConnectTransitionIPsec
+message: OVN clusters with IPsec enabled may have a window during the update to 4.14 where pod-to-node and node-to-node traffic is not encrypted.
+matchingRules:
+- type: PromQL
+ promql:
+ promql: |
+ group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "enabled", "", "") == 1)
+ or on (_id)
+ 0 * group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "disabled", "", ""))
+ or on (_id)
+ -1 * group by (resource) (max_over_time(apiserver_storage_objects{_id="",resource="egressips.k8s.ovn.org"}[1h]))
+ or on (_id)
+ 0 * group(max_over_time(apiserver_storage_objects{_id=""}[1h]))
diff --git a/blocked-edges/4.14.23-OVNInterConnectTransitionIPsec.yaml b/blocked-edges/4.14.23-OVNInterConnectTransitionIPsec.yaml
new file mode 100644
index 000000000..2e32185da
--- /dev/null
+++ b/blocked-edges/4.14.23-OVNInterConnectTransitionIPsec.yaml
@@ -0,0 +1,16 @@
+to: 4.14.23
+from: 4[.]13[.].*
+url: https://issues.redhat.com/browse/SDN-4871
+name: OVNInterConnectTransitionIPsec
+message: OVN clusters with IPsec enabled may have a window during the update to 4.14 where pod-to-node and node-to-node traffic is not encrypted.
+matchingRules:
+- type: PromQL
+ promql:
+ promql: |
+ group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "enabled", "", "") == 1)
+ or on (_id)
+ 0 * group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "disabled", "", ""))
+ or on (_id)
+ -1 * group by (resource) (max_over_time(apiserver_storage_objects{_id="",resource="egressips.k8s.ovn.org"}[1h]))
+ or on (_id)
+ 0 * group(max_over_time(apiserver_storage_objects{_id=""}[1h]))
diff --git a/blocked-edges/4.14.24-OVNInterConnectTransitionIPsec.yaml b/blocked-edges/4.14.24-OVNInterConnectTransitionIPsec.yaml
new file mode 100644
index 000000000..80b3a0f32
--- /dev/null
+++ b/blocked-edges/4.14.24-OVNInterConnectTransitionIPsec.yaml
@@ -0,0 +1,16 @@
+to: 4.14.24
+from: 4[.]13[.].*
+url: https://issues.redhat.com/browse/SDN-4871
+name: OVNInterConnectTransitionIPsec
+message: OVN clusters with IPsec enabled may have a window during the update to 4.14 where pod-to-node and node-to-node traffic is not encrypted.
+matchingRules:
+- type: PromQL
+ promql:
+ promql: |
+ group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "enabled", "", "") == 1)
+ or on (_id)
+ 0 * group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "disabled", "", ""))
+ or on (_id)
+ -1 * group by (resource) (max_over_time(apiserver_storage_objects{_id="",resource="egressips.k8s.ovn.org"}[1h]))
+ or on (_id)
+ 0 * group(max_over_time(apiserver_storage_objects{_id=""}[1h]))
diff --git a/blocked-edges/4.14.25-OVNInterConnectTransitionIPsec.yaml b/blocked-edges/4.14.25-OVNInterConnectTransitionIPsec.yaml
new file mode 100644
index 000000000..451811ec3
--- /dev/null
+++ b/blocked-edges/4.14.25-OVNInterConnectTransitionIPsec.yaml
@@ -0,0 +1,16 @@
+to: 4.14.25
+from: 4[.]13[.].*
+url: https://issues.redhat.com/browse/SDN-4871
+name: OVNInterConnectTransitionIPsec
+message: OVN clusters with IPsec enabled may have a window during the update to 4.14 where pod-to-node and node-to-node traffic is not encrypted.
+matchingRules:
+- type: PromQL
+ promql:
+ promql: |
+ group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "enabled", "", "") == 1)
+ or on (_id)
+ 0 * group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "disabled", "", ""))
+ or on (_id)
+ -1 * group by (resource) (max_over_time(apiserver_storage_objects{_id="",resource="egressips.k8s.ovn.org"}[1h]))
+ or on (_id)
+ 0 * group(max_over_time(apiserver_storage_objects{_id=""}[1h]))
diff --git a/blocked-edges/4.14.26-OVNInterConnectTransitionIPsec.yaml b/blocked-edges/4.14.26-OVNInterConnectTransitionIPsec.yaml
new file mode 100644
index 000000000..62e5df333
--- /dev/null
+++ b/blocked-edges/4.14.26-OVNInterConnectTransitionIPsec.yaml
@@ -0,0 +1,16 @@
+to: 4.14.26
+from: 4[.]13[.].*
+url: https://issues.redhat.com/browse/SDN-4871
+name: OVNInterConnectTransitionIPsec
+message: OVN clusters with IPsec enabled may have a window during the update to 4.14 where pod-to-node and node-to-node traffic is not encrypted.
+matchingRules:
+- type: PromQL
+ promql:
+ promql: |
+ group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "enabled", "", "") == 1)
+ or on (_id)
+ 0 * group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "disabled", "", ""))
+ or on (_id)
+ -1 * group by (resource) (max_over_time(apiserver_storage_objects{_id="",resource="egressips.k8s.ovn.org"}[1h]))
+ or on (_id)
+ 0 * group(max_over_time(apiserver_storage_objects{_id=""}[1h]))
diff --git a/blocked-edges/4.14.27-OVNInterConnectTransitionIPsec.yaml b/blocked-edges/4.14.27-OVNInterConnectTransitionIPsec.yaml
new file mode 100644
index 000000000..27c5e21bc
--- /dev/null
+++ b/blocked-edges/4.14.27-OVNInterConnectTransitionIPsec.yaml
@@ -0,0 +1,16 @@
+to: 4.14.27
+from: 4[.]13[.].*
+url: https://issues.redhat.com/browse/SDN-4871
+name: OVNInterConnectTransitionIPsec
+message: OVN clusters with IPsec enabled may have a window during the update to 4.14 where pod-to-node and node-to-node traffic is not encrypted.
+matchingRules:
+- type: PromQL
+ promql:
+ promql: |
+ group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "enabled", "", "") == 1)
+ or on (_id)
+ 0 * group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "disabled", "", ""))
+ or on (_id)
+ -1 * group by (resource) (max_over_time(apiserver_storage_objects{_id="",resource="egressips.k8s.ovn.org"}[1h]))
+ or on (_id)
+ 0 * group(max_over_time(apiserver_storage_objects{_id=""}[1h]))
diff --git a/blocked-edges/4.14.28-OVNInterConnectTransitionIPsec.yaml b/blocked-edges/4.14.28-OVNInterConnectTransitionIPsec.yaml
new file mode 100644
index 000000000..1a3036da7
--- /dev/null
+++ b/blocked-edges/4.14.28-OVNInterConnectTransitionIPsec.yaml
@@ -0,0 +1,16 @@
+to: 4.14.28
+from: 4[.]13[.].*
+url: https://issues.redhat.com/browse/SDN-4871
+name: OVNInterConnectTransitionIPsec
+message: OVN clusters with IPsec enabled may have a window during the update to 4.14 where pod-to-node and node-to-node traffic is not encrypted.
+matchingRules:
+- type: PromQL
+ promql:
+ promql: |
+ group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "enabled", "", "") == 1)
+ or on (_id)
+ 0 * group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "disabled", "", ""))
+ or on (_id)
+ -1 * group by (resource) (max_over_time(apiserver_storage_objects{_id="",resource="egressips.k8s.ovn.org"}[1h]))
+ or on (_id)
+ 0 * group(max_over_time(apiserver_storage_objects{_id=""}[1h]))
diff --git a/blocked-edges/4.14.3-OVNInterConnectTransitionIPsec.yaml b/blocked-edges/4.14.3-OVNInterConnectTransitionIPsec.yaml
new file mode 100644
index 000000000..259780333
--- /dev/null
+++ b/blocked-edges/4.14.3-OVNInterConnectTransitionIPsec.yaml
@@ -0,0 +1,16 @@
+to: 4.14.3
+from: 4[.]13[.].*
+url: https://issues.redhat.com/browse/SDN-4871
+name: OVNInterConnectTransitionIPsec
+message: OVN clusters with IPsec enabled may have a window during the update to 4.14 where pod-to-node and node-to-node traffic is not encrypted.
+matchingRules:
+- type: PromQL
+ promql:
+ promql: |
+ group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "enabled", "", "") == 1)
+ or on (_id)
+ 0 * group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "disabled", "", ""))
+ or on (_id)
+ -1 * group by (resource) (max_over_time(apiserver_storage_objects{_id="",resource="egressips.k8s.ovn.org"}[1h]))
+ or on (_id)
+ 0 * group(max_over_time(apiserver_storage_objects{_id=""}[1h]))
diff --git a/blocked-edges/4.14.4-OVNInterConnectTransitionIPsec.yaml b/blocked-edges/4.14.4-OVNInterConnectTransitionIPsec.yaml
new file mode 100644
index 000000000..1fe64d0b6
--- /dev/null
+++ b/blocked-edges/4.14.4-OVNInterConnectTransitionIPsec.yaml
@@ -0,0 +1,16 @@
+to: 4.14.4
+from: 4[.]13[.].*
+url: https://issues.redhat.com/browse/SDN-4871
+name: OVNInterConnectTransitionIPsec
+message: OVN clusters with IPsec enabled may have a window during the update to 4.14 where pod-to-node and node-to-node traffic is not encrypted.
+matchingRules:
+- type: PromQL
+ promql:
+ promql: |
+ group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "enabled", "", "") == 1)
+ or on (_id)
+ 0 * group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "disabled", "", ""))
+ or on (_id)
+ -1 * group by (resource) (max_over_time(apiserver_storage_objects{_id="",resource="egressips.k8s.ovn.org"}[1h]))
+ or on (_id)
+ 0 * group(max_over_time(apiserver_storage_objects{_id=""}[1h]))
diff --git a/blocked-edges/4.14.5-OVNInterConnectTransitionIPsec.yaml b/blocked-edges/4.14.5-OVNInterConnectTransitionIPsec.yaml
new file mode 100644
index 000000000..6f9835b57
--- /dev/null
+++ b/blocked-edges/4.14.5-OVNInterConnectTransitionIPsec.yaml
@@ -0,0 +1,16 @@
+to: 4.14.5
+from: 4[.]13[.].*
+url: https://issues.redhat.com/browse/SDN-4871
+name: OVNInterConnectTransitionIPsec
+message: OVN clusters with IPsec enabled may have a window during the update to 4.14 where pod-to-node and node-to-node traffic is not encrypted.
+matchingRules:
+- type: PromQL
+ promql:
+ promql: |
+ group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "enabled", "", "") == 1)
+ or on (_id)
+ 0 * group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "disabled", "", ""))
+ or on (_id)
+ -1 * group by (resource) (max_over_time(apiserver_storage_objects{_id="",resource="egressips.k8s.ovn.org"}[1h]))
+ or on (_id)
+ 0 * group(max_over_time(apiserver_storage_objects{_id=""}[1h]))
diff --git a/blocked-edges/4.14.6-OVNInterConnectTransitionIPsec.yaml b/blocked-edges/4.14.6-OVNInterConnectTransitionIPsec.yaml
new file mode 100644
index 000000000..6ba616c05
--- /dev/null
+++ b/blocked-edges/4.14.6-OVNInterConnectTransitionIPsec.yaml
@@ -0,0 +1,16 @@
+to: 4.14.6
+from: 4[.]13[.].*
+url: https://issues.redhat.com/browse/SDN-4871
+name: OVNInterConnectTransitionIPsec
+message: OVN clusters with IPsec enabled may have a window during the update to 4.14 where pod-to-node and node-to-node traffic is not encrypted.
+matchingRules:
+- type: PromQL
+ promql:
+ promql: |
+ group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "enabled", "", "") == 1)
+ or on (_id)
+ 0 * group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "disabled", "", ""))
+ or on (_id)
+ -1 * group by (resource) (max_over_time(apiserver_storage_objects{_id="",resource="egressips.k8s.ovn.org"}[1h]))
+ or on (_id)
+ 0 * group(max_over_time(apiserver_storage_objects{_id=""}[1h]))
diff --git a/blocked-edges/4.14.7-OVNInterConnectTransitionIPsec.yaml b/blocked-edges/4.14.7-OVNInterConnectTransitionIPsec.yaml
new file mode 100644
index 000000000..68a6a7f15
--- /dev/null
+++ b/blocked-edges/4.14.7-OVNInterConnectTransitionIPsec.yaml
@@ -0,0 +1,16 @@
+to: 4.14.7
+from: 4[.]13[.].*
+url: https://issues.redhat.com/browse/SDN-4871
+name: OVNInterConnectTransitionIPsec
+message: OVN clusters with IPsec enabled may have a window during the update to 4.14 where pod-to-node and node-to-node traffic is not encrypted.
+matchingRules:
+- type: PromQL
+ promql:
+ promql: |
+ group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "enabled", "", "") == 1)
+ or on (_id)
+ 0 * group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "disabled", "", ""))
+ or on (_id)
+ -1 * group by (resource) (max_over_time(apiserver_storage_objects{_id="",resource="egressips.k8s.ovn.org"}[1h]))
+ or on (_id)
+ 0 * group(max_over_time(apiserver_storage_objects{_id=""}[1h]))
diff --git a/blocked-edges/4.14.8-OVNInterConnectTransitionIPsec.yaml b/blocked-edges/4.14.8-OVNInterConnectTransitionIPsec.yaml
new file mode 100644
index 000000000..0c8e327d3
--- /dev/null
+++ b/blocked-edges/4.14.8-OVNInterConnectTransitionIPsec.yaml
@@ -0,0 +1,16 @@
+to: 4.14.8
+from: 4[.]13[.].*
+url: https://issues.redhat.com/browse/SDN-4871
+name: OVNInterConnectTransitionIPsec
+message: OVN clusters with IPsec enabled may have a window during the update to 4.14 where pod-to-node and node-to-node traffic is not encrypted.
+matchingRules:
+- type: PromQL
+ promql:
+ promql: |
+ group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "enabled", "", "") == 1)
+ or on (_id)
+ 0 * group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "disabled", "", ""))
+ or on (_id)
+ -1 * group by (resource) (max_over_time(apiserver_storage_objects{_id="",resource="egressips.k8s.ovn.org"}[1h]))
+ or on (_id)
+ 0 * group(max_over_time(apiserver_storage_objects{_id=""}[1h]))
diff --git a/blocked-edges/4.14.9-OVNInterConnectTransitionIPsec.yaml b/blocked-edges/4.14.9-OVNInterConnectTransitionIPsec.yaml
new file mode 100644
index 000000000..0fa199ce6
--- /dev/null
+++ b/blocked-edges/4.14.9-OVNInterConnectTransitionIPsec.yaml
@@ -0,0 +1,16 @@
+to: 4.14.9
+from: 4[.]13[.].*
+url: https://issues.redhat.com/browse/SDN-4871
+name: OVNInterConnectTransitionIPsec
+message: OVN clusters with IPsec enabled may have a window during the update to 4.14 where pod-to-node and node-to-node traffic is not encrypted.
+matchingRules:
+- type: PromQL
+ promql:
+ promql: |
+ group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "enabled", "", "") == 1)
+ or on (_id)
+ 0 * group by (ipsec) (label_replace(max_over_time(ovnkube_master_ipsec_enabled{_id=""}[1h]), "ipsec", "disabled", "", ""))
+ or on (_id)
+ -1 * group by (resource) (max_over_time(apiserver_storage_objects{_id="",resource="egressips.k8s.ovn.org"}[1h]))
+ or on (_id)
+ 0 * group(max_over_time(apiserver_storage_objects{_id=""}[1h]))