RHBA-2019:0788 - Bug Fix Advisory

Topic

Red Hat OpenShift Container Platform release 3.9.78 is now available with
updates to packages and images that fix several bugs.

Description

Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container
Platform 3.9.78. See the following advisory for the container images for
this release:

https://access.redhat.com/errata/RHBA-2019:0789

This update fixes the following bugs:

• The build container was running with the incorrect label. This bug is now fixed by launching the container with the correct security context. (BZ#1550015)
• The `Automation Broker` always created a network policy to give the transient namespace access to the target namespace. Adding a network policy to a namespace that did not have any other network policies in place caused the namespace to be locked down to the newly created policy. The `Automation Broker` now checks if there are any network policies in place for the target namespace. If there are none, the broker will not create a new network policy. The broker will assume that things are open enough to allow the transient namespace we create to communicate with the target namespace. The broker will still create a network policy giving the transient namespace access to the target namespace, if there are other network policies in place for the target namespace. This bug fix allows the broker to perform the APB actions without affecting existing services running on the target namespace. (BZ#1613280)
• The node system container did not properly mount `/var/lib/iscsi` as read/write. Now, the `iscsi` mounts correctly with read/write permissions. (BZ#1686266)
• Using `MERGE_JSON_LOG=true` would create fields in the record that would cause syntax violations or create too many fields in `Elasticsearch`, causing severe performance problems. Now, users who experience these problems can tune `fluentd` to accommodate their log record fields without errors or `Elasticsearch` performance degradation. (BZ#1686947)
• `oc cp` commands were not checking links from tar files used to copy files between pods and user's workstations. The `oc cp` command could cause a directory traversal and replace or delete files on a user's workstation. Now, escaping links are not permitted. As a result, the `oc cp` command verifies files copied between pods and workstations without allowing escape from directories. (BZ#1693320)
• Egreess routers were set up so that it was impossible for an egress router pod to connect to the public IP address of the node it was hosted on. If an egress pod was configured to use it's node as a nameserver, it would be unable to perform a DNS resolution. Now, traffic from an egress router pod to it's node is now routed via the SDN tunnel instead of sending it via the egress interface. As a result, egress routers can now connect to their node's public IP address and DNS resolves correctly, regardless of the configuration. (BZ#1698136)

All OpenShift Container Platform 3.9 users are advised to upgrade to these
updated packages.

Solution

Before applying this update, ensure all previously released errata relevant to your system are applied.

See the following documentation, which will be updated shortly for release 3.9.78, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/3.9/release_notes/ocp_3_9_release_notes.html

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258.

Affected Products

• Red Hat OpenShift Container Platform 3.9 x86_64

Fixes

• BZ - 1420235 - usage of oc logs -h need update
• BZ - 1429788 - ")" is missing in output of oc describe nodes
• BZ - 1463717 - ebs volume stuck on other instance
• BZ - 1508107 - [pro][pro-us-east-1] Error attaching EBS volume: VolumeInUse
• BZ - 1550015 - [free-int] Failed to pull image when creating apps in free-int
• BZ - 1613280 - Provisioning two APB services temporarily broke networking in the namespace
• BZ - 1645143 - iptables-restore on RHEL 7.6 and OCP doesn't work properly
• BZ - 1686266 - [3.9] Failed to mount iscsi on atomic host
• BZ - 1686947 - Allow MERGE_JSON_LOG=true for indexing of JSON payload fields
• BZ - 1688642 - Metrics Installation adds wrong and not complete list of secrets to serviceaccount [3.9.z]
• BZ - 1693036 - Fluentd doesn't output it's logs to STDOUT when LOGGING_FILE_PATH=console
• BZ - 1698136 - [3.9] Egress Router HTTP Proxy cannot reach the node which router pod runs

CVEs

(none)

References

(none)