OpenShift Cluster Upgrade breaks the cluster when upgrading ≤4.12 to 4.13+ with FIPS enabled or when custom MachineConfigs are used.
Issue
- The OpenShift upgrade fails with a node in NotReady,SchedulingDisabled status during an upgrade from ≤ 4.12 to 4.13+ while FIPS is enabled or custom MachineConfigs are used for services like OpenSSL or OpenSSH.
# oc get nodes
NAME STATUS ROLES AGE VERSION
master0.ocp.example.com NotReady,SchedulingDisabled master 574d v1.26.14+03ee898
master1.ocp.example.com Ready master 574d v1.26.14+03ee898
master2.ocp.example.com Ready master 574d v1.26.14+03ee898
- The kubelet service fails to start on the NotReady node with the error "FIPS mode is enabled, but the required OpenSSL backend is unavailable", as shown below:
Apr 15 07:20:15 master0.ocp.example.com kubenswrapper[2692]: FIPS mode is enabled, but the required OpenSSL backend is unavailable
Apr 15 07:20:15 master0.ocp.example.com systemd[1]: kubelet.service: Main process exited, code=exited, status=1/FAILURE
Apr 15 07:20:15 master0.ocp.example.com systemd[1]: kubelet.service: Failed with result 'exit-code'
- The sshd service fails to start with the error "Bad configuration option: CRYPTO_POLICY", as shown below:
master0.ocp.example.com systemd[1]: Stopped OpenSSH server daemon.
master0.ocp.example.com systemd[1]: Starting OpenSSH server daemon...
master0.ocp.example.com sshd[397714]:
master0.ocp.example.com sshd[401448]: /etc/crypto-policies/back-ends/opensshserver.config: line 1: Bad configuration option: CRYPTO_POLICY
master0.ocp.example.com sshd[401448]: /etc/crypto-policies/back-ends/opensshserver.config: terminating, 1 bad configuration options
master0.ocp.example.com systemd[1]: sshd.service: Main proces
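The two failure signatures quoted above can be matched against journal text to see which hosts show which symptom. The script below is an added example, not part of the original article or Red Hat tooling; the function names, finding labels and the master1 sample line are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added triage example, not Red Hat tooling. Function names and finding
# labels are made up for this example.

# Signature strings copied verbatim from the log excerpts in the Issue section.
KUBELET_SIG='FIPS mode is enabled, but the required OpenSSL backend is unavailable'
SSHD_SIG='Bad configuration option: CRYPTO_POLICY'

# classify_journal: read journal text on stdin and print one
# "host<TAB>finding" line per unique pair, sorted.
classify_journal() {
  awk -v ksig="$KUBELET_SIG" -v ssig="$SSHD_SIG" '
    {
      # The host is the field just before the "unit[pid]:" token, so lines
      # with and without a leading "Mon DD HH:MM:SS" timestamp both parse.
      host = ""
      for (i = 2; i <= NF; i++)
        if ($i ~ /^[A-Za-z0-9_.-]+\[[0-9]+\]:$/) { host = $(i - 1); break }
      if (host == "") next
      if (index($0, ksig)) seen[host "\tkubelet-fips-openssl-backend"] = 1
      if (index($0, ssig)) seen[host "\tsshd-crypto-policy-option"] = 1
    }
    END { for (k in seen) print k }
  ' | sort
}

# sample_journal: constructed input. The master0 lines are modelled on the
# excerpts above; the master1 line is an invented healthy-node line.
sample_journal() {
  cat <<'EOF'
Apr 15 07:20:15 master0.ocp.example.com kubenswrapper[2692]: FIPS mode is enabled, but the required OpenSSL backend is unavailable
Apr 15 07:20:15 master0.ocp.example.com systemd[1]: kubelet.service: Failed with result 'exit-code'
master0.ocp.example.com sshd[401448]: /etc/crypto-policies/back-ends/opensshserver.config: line 1: Bad configuration option: CRYPTO_POLICY
master0.ocp.example.com sshd[401448]: /etc/crypto-policies/back-ends/opensshserver.config: terminating, 1 bad configuration options
Apr 15 07:20:16 master1.ocp.example.com systemd[1]: Started OpenSSH server daemon.
EOF
}

# Demo on the constructed sample. On a node, feed real journal text instead:
#   journalctl -b -u kubelet -u sshd --no-pager | classify_journal
sample_journal | classify_journal
```

A host that appears with both findings matches the combined kubelet and sshd symptoms described in this article.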
Environment
- Red Hat OpenShift Container Platform ≤4.12 to 4.13+