@shaneboulden
Created May 3, 2023 05:25
Quay Container Security Operator output
oc get vuln --all-namespaces
NAMESPACE NAME AGE
openshift-addon-operator sha256.568dca2e685ef0725703c389154bbc15b6c842ea016bb4be9d7c43fbc37102ef 84m
openshift-addon-operator sha256.baedb268ac66456018fb30af395bb3d69af5fff3252ff5d549f0231b1ebb6901 84m
openshift-addon-operator sha256.f67d69aa6281411d0e4c9d59e1973e28a8a35a414a5fbbccfef11b40e7f31a2d 84m
openshift-apiserver-operator sha256.36635ca93cae2396f15444c45ff27e07a3ee3f800c2a582e63874f104e6cf4ce 82m
openshift-apiserver sha256.0fb1dd2851c75894d0fe3240c3b1f99231c468f56bd7d4e894ad1cf9a40fe6ab 82m
openshift-apiserver sha256.1f61e726390f9ef5f5a77ccc8c4d7b1686cdf4faebc2eb5e1eeefa51241df32c 82m
openshift-authentication-operator sha256.85a4a2ca225bbef5509cd020c322826fc93d99e7ebb768dad6c28bb5f1f0e8d3 80m
openshift-authentication sha256.ab3a5ef78441be9f06f8570baa1aa418f91c2ac7a0e4d3fe76e5d222264e24ff 80m
openshift-cloud-controller-manager-operator sha256.da70e365542d4e5451ea0c1bd0c9b89be7d831faa073639ce554849fcccc934f 82m
openshift-cloud-credential-operator sha256.77476b5bbc5457a63663f2cc89e75bce777899731edced2d01f0ebde1ed1dfde 80m
openshift-cloud-credential-operator sha256.b5fb8d9b5c4b415bc7749554c9b518a0d6e2d86516ff770b08b202bacea967c6 80m
openshift-cloud-credential-operator sha256.ffbccd590dcfe4400aa218659618a453e237951662ffb9ccab96d56156a9b31f 80m
openshift-cloud-network-config-controller sha256.bcccb5d19122cdb424cc2d005a18285e5d9942d907b1af08faa29afb6561c2b4 82m
openshift-cluster-csi-drivers sha256.1cc27acf025129ba49eaa07c466fa7d66b435e5ee2788459c6ad366ffba0e739 83m
openshift-cluster-csi-drivers sha256.3d72b11a6bc4efbcad2bda5c692b1013d4922ac81b828153395aff336c57b5b0 83m
openshift-cluster-csi-drivers sha256.543c476b5ab938c3901d716ee2b80d3297c60963f5db2dd8349626380d9a3626 83m
openshift-cluster-csi-drivers sha256.6915ca4859a1f7bc7600fcfe8daeb2c3f4f6dc689bc4215c6fcb210355e44d60 81m
openshift-cluster-csi-drivers sha256.b6ffae89d0b3b801d5e84c3326a0baeb8de491b3cd4559075c5257b2847df2b2 83m
openshift-cluster-csi-drivers sha256.bf51c44c3e74e41905bf999a506270f12c1223941195d21f8accad8039e0ede9 83m
openshift-cluster-csi-drivers sha256.dedf1b125b7a5c8eef8ec37d231c5146ac10d15c91663fec04d49414ad5394fc 83m
openshift-cluster-csi-drivers sha256.fae64db69f0d08d71e9ee1d44d7ff1dfb315d6d1201aa9b6942ea8fb8d744aac 83m
openshift-cluster-csi-drivers sha256.ffbccd590dcfe4400aa218659618a453e237951662ffb9ccab96d56156a9b31f 84m
openshift-cluster-machine-approver sha256.4c0558c6cea9d0eb6a61aaa2f8f6db65b49b80b594e73dd94610eb36705bc677 83m
openshift-cluster-machine-approver sha256.ffbccd590dcfe4400aa218659618a453e237951662ffb9ccab96d56156a9b31f 83m
openshift-cluster-node-tuning-operator sha256.1d5496486c05b10a4ab2d9f3ff89945005eb260a3081b67449b937050de27070 84m
openshift-cluster-samples-operator sha256.1a209cfa61f070cb781255f6b57f4c7788706f2b4d61d7f2a854070c8f43c074 80m
openshift-cluster-storage-operator sha256.00edcfebbe259dd67b37487972850061829e9f513e2fa6ad921c9a760d7ccc75 82m
openshift-cluster-storage-operator sha256.5b37c747e679a1423ad98e850e18c3b4f08c3cd95dd37339ed9bae05f5e8d30a 83m
openshift-cluster-storage-operator sha256.794a37b6f8c7c7df00e6e18f22f60a952b3fe12d2f1f1d19c45973978f3590fb 83m
openshift-cluster-storage-operator sha256.ce91cf24be031b27459919f56e6d21b2d06bc3401966466630721aa5b4d6db92 82m
openshift-cluster-version sha256.b9d6ccb5ba5a878141e468e56fa62912ad7c04864acfec0c0056d2b41e3259cc 81m
openshift-config-operator sha256.426ee4d32e9bc19a5b7522cc06908b7f1a14b90410924ea4f24d0c189c06f3c0 82m
openshift-console-operator sha256.314c7a79fd217a380905c65cefbc5451b47d8a1cf2c0111150ed24baddd913c3 81m
openshift-console sha256.7bfa750d43225e8539b4c15511b7b943fcc244e7802bf907983416430dc5b9ee 83m
openshift-console sha256.ee45434f6223cf71eab1c19cbdd739adaa04aa2b0f033e2db48480060cf84a2f 83m
openshift-controller-manager-operator sha256.00c72a08082b831ef35713c2feb3ff6e65ff1fa5250af35dd03d9a0d4f915723 81m
openshift-controller-manager sha256.b963214f14897cb4b880d45165a13955c11f263ff47aeefb8bec71e2b71be406 82m
openshift-custom-domains-operator sha256.1af868a6e39a5e8c7ac0e0b3b5041331131ceaa743420a07e6588e9296debf7b 81m
openshift-deployment-validation-operator sha256.0391f724ce3bf0c9ae74853af3782de050f56cb7ae512da801cc4f680e8949db 82m
openshift-dns-operator sha256.f2a50c562ed8eef2af4d08c070e0791fb59dbb6216e94e9b97581a8124a185f9 84m
openshift-dns-operator sha256.ffbccd590dcfe4400aa218659618a453e237951662ffb9ccab96d56156a9b31f 84m
openshift-dns sha256.47c928cdb55f80cb2c2556e798e3b67247bc2da631c82df7c04ed2bd1715ec25 83m
openshift-dns sha256.675d4d6225f3427946e5feeb7636dbde3fbb6c4bc2e88172bc3ae5c630cbd511 83m
openshift-dns sha256.ffbccd590dcfe4400aa218659618a453e237951662ffb9ccab96d56156a9b31f 83m
openshift-etcd-operator sha256.f89377de600ac9ecd33c72245a49758c179d9fbd13548350b6c98a94bf7f4884 81m
openshift-etcd sha256.d975625ecd0fd64d07d0c68f25057f296f8867f1467e22cf3b05acc2ad839dc9 82m
openshift-etcd sha256.f89377de600ac9ecd33c72245a49758c179d9fbd13548350b6c98a94bf7f4884 83m
openshift-image-registry sha256.4ae98763aa611bf0fbbc194f5186959fb1a3bdf29bb0701a9ec4f5b9553f7cb2 81m
openshift-image-registry sha256.fa3984c16493679d3bea63de9b585df7a3dc3596c9a5106ec5118069c7f6b593 83m
openshift-ingress-canary sha256.de8ebeefa4658664f0659a976124f882cc6356590625280f691eee012bd5396a 82m
openshift-ingress-operator sha256.de8ebeefa4658664f0659a976124f882cc6356590625280f691eee012bd5396a 83m
openshift-ingress-operator sha256.ffbccd590dcfe4400aa218659618a453e237951662ffb9ccab96d56156a9b31f 83m
openshift-ingress sha256.455f14c36eb6b5d51c515d844053357a53839262c75023a32a2280be97301fe4 81m
openshift-insights sha256.b38843c20d08068783c0d9b3f11f98871e27eb5e1a69c3f64d7af0ee0c69dd13 83m
openshift-kube-apiserver-operator sha256.0fb1dd2851c75894d0fe3240c3b1f99231c468f56bd7d4e894ad1cf9a40fe6ab 83m
openshift-kube-apiserver sha256.0fb1dd2851c75894d0fe3240c3b1f99231c468f56bd7d4e894ad1cf9a40fe6ab 81m
openshift-kube-apiserver sha256.d221830708e0cd86af4faf64ca28a6a4d431edc659ce39632a94dc33f86520af 81m
openshift-kube-controller-manager-operator sha256.d33b9b0cdcaed452faa5c5ff272577c5884e047d2702e67bd1a1e59be70d0b19 82m
openshift-kube-scheduler-operator sha256.8b124b5da734882998aeb03f683bf7d82bbff19f699d14058ab39009cab28bc3 81m
openshift-kube-storage-version-migrator-operator sha256.e57a21e45982200ed54e1e55878ce7d2cc776aefb48f3e57db2ed6992b1e3dc9 81m
openshift-kube-storage-version-migrator sha256.4e71cc0f1a79adfc25ff1549ce24d5cec48d074b63a73634e01da93c5a00c9e9 81m
openshift-machine-api sha256.49e5a07bc5ea22f283774545c5c5f87b0cd6f03e20f4de27cc3aab78f9fdfd5f 82m
openshift-machine-api sha256.ad558842f900c6f7333291efd1b76927bcd394cec89d44533ab4119e71e29d3c 81m
openshift-machine-api sha256.d6e9d22471b90aa55657253c1ca5c97ff8668980f13a20014f4c10e76e92a04e 83m
openshift-machine-api sha256.d7b23b95aadc88016d6f8d9497cbcab009af24d1626e794c2ef07582d699c236 81m
openshift-machine-api sha256.fdbedb5411b60f42a4496c293fcd600b05e5d26f1517bc1753d73c345ee63c8c 83m
openshift-machine-api sha256.ffbccd590dcfe4400aa218659618a453e237951662ffb9ccab96d56156a9b31f 83m
openshift-machine-config-operator sha256.49affb19635777cf255b74605900210105b724692d0936e6d6d73c9f8c875a32 82m
openshift-machine-config-operator sha256.7c1c281dd127f390fc2377e8d739ca583fdd0d6aaa6d41c55d9171fcbf61f53f 83m
openshift-managed-node-metadata-operator sha256.3cec99dcbc2c716d97b3bdaa4088a652ca567dbe41336bab78eb5b49a0f8126f 82m
openshift-marketplace sha256.4871bfc67f319136bce9d1a64778505b243bbd3f638c61b5138d881c6e7549e0 82m
openshift-monitoring sha256.012458d3d79fdfc744338722fe75d2553ecbf1fa9cc050dd0830696569a0ba36 84m
openshift-monitoring sha256.1848386719cc0afcddd67d5117beb55081ea2ba473dedb55d8c21d2d7bb82485 83m
openshift-monitoring sha256.2cfea2d4855cb5461b312ade2752439d099a00413b7c023438159f71a1265365 81m
openshift-monitoring sha256.3662a32999dcf34b8ec2626b18d13e93680b3d11fd74b50d3d13e91cebc75d2a 84m
openshift-monitoring sha256.40b1732fbbb43e269a0beb38f80b2692ae2f85a795ca8ab85d627210b3c38178 83m
openshift-monitoring sha256.49affb19635777cf255b74605900210105b724692d0936e6d6d73c9f8c875a32 84m
openshift-monitoring sha256.4e62e7ab86e7493d1bc1dec9b2f824d82be25fbd869fa2648e807d6fa58fd371 83m
openshift-monitoring sha256.6ce9b80cd1d907cb6c9ed2a18612f386f7503257772d1d88155a4a2e6773fd00 81m
openshift-monitoring sha256.6db08be93d81d7d37e2abe44a2e431e2591b71e31adea5ea98d053ea3a0ad4d3 83m
openshift-monitoring sha256.71dd3bdcf8258ab466bb46ac264785b139eb43ce139e93b442fc60cd674b793b 82m
openshift-monitoring sha256.97ffae63353c694fe66615679429351a96711cbdeb400555181dea8688a388ea 83m
openshift-monitoring sha256.a4bf6e28f9deed8a0621f24d2141b76b0f3cbcc393f64edb09fd2d116351c727 80m
openshift-monitoring sha256.b9945426d22a0113f678cdd0f73d3674bcbb564ce2bdb90af213bdca78c87ca0 83m
openshift-monitoring sha256.c3550f290ef612d1a51d96bfa23504df456f936753abfe8ae6d17e4c0814c739 84m
openshift-monitoring sha256.dd5ed598424eea2089f125b33fa9cf8309e4fdafc39d305106269ccf4beeba9a 84m
openshift-monitoring sha256.ea6ce9c62e9884538e0ac5370be6dceba9bfb92a7ca4a608fda5f678d6d6ca2d 82m
openshift-monitoring sha256.ffbccd590dcfe4400aa218659618a453e237951662ffb9ccab96d56156a9b31f 84m
openshift-multus sha256.10e893eacab85b7d767d5cbe8892e1cf2b7e276dc6dfb504b1c105c9935b1e7c 83m
openshift-multus sha256.cf587a0da813d64ed5b1a81c77bdfa2f0cda95ae4277b6584c5195651aac6918 83m
openshift-multus sha256.d5fa719ebe2e48774b532d9162263ba455b87bad0fd507a396a584d9ebad9018 84m
openshift-multus sha256.ffbccd590dcfe4400aa218659618a453e237951662ffb9ccab96d56156a9b31f 83m
openshift-must-gather-operator sha256.ef8443b2d24047024f8d700aebff0e5334bd5ed4a962eb48b21670d2a89321c3 83m
openshift-network-diagnostics sha256.505d3e8cafad466bc483ee8e9aa78814fce065372b0eb164731f64919881a6d0 84m
openshift-network-operator sha256.505d3e8cafad466bc483ee8e9aa78814fce065372b0eb164731f64919881a6d0 81m
openshift-oauth-apiserver sha256.e1fdf05052a722869dd254d00d26c113fa269d2ccb69c03329b06174a1a3095d 83m
openshift-operator-lifecycle-manager sha256.8d9a9ef64e567c1dc0a2cbf4fd257c6a2e2082f37d11467d112fe060e0654c25 83m
openshift-osd-metrics sha256.552de602a0053c6d887a26f6dee1c3c7fa03b9fd47d52b07a77905f6f88b05fb 82m
openshift-ovn-kubernetes sha256.7a0e7eaf0dce2977b9efe41475867ffacf85a02d6a09543d9be0532022201150 83m
openshift-ovn-kubernetes sha256.ffbccd590dcfe4400aa218659618a453e237951662ffb9ccab96d56156a9b31f 83m
openshift-route-controller-manager sha256.bdb7526832ecada22aad67a4e593d31d5a93887fa51845cd5dfe4f65cffb3214 82m
openshift-service-ca-operator sha256.b25d9d6cf2f69ef64952d4fb550a0d03641c23ba5375754789a92a72ca1d2bdd 83m
openshift-service-ca sha256.b25d9d6cf2f69ef64952d4fb550a0d03641c23ba5375754789a92a72ca1d2bdd 84m
openshift-user-workload-monitoring sha256.1848386719cc0afcddd67d5117beb55081ea2ba473dedb55d8c21d2d7bb82485 83m
openshift-user-workload-monitoring sha256.49affb19635777cf255b74605900210105b724692d0936e6d6d73c9f8c875a32 83m
openshift-user-workload-monitoring sha256.97ffae63353c694fe66615679429351a96711cbdeb400555181dea8688a388ea 83m
openshift-user-workload-monitoring sha256.a4bf6e28f9deed8a0621f24d2141b76b0f3cbcc393f64edb09fd2d116351c727 83m
openshift-user-workload-monitoring sha256.c3550f290ef612d1a51d96bfa23504df456f936753abfe8ae6d17e4c0814c739 83m
openshift-user-workload-monitoring sha256.ffbccd590dcfe4400aa218659618a453e237951662ffb9ccab96d56156a9b31f 83m
openshift-validation-webhook sha256.7de9471e986143badd9f75103104aad3715b9af96445d0b9a3c51c78adde161a 83m
openshift-velero sha256.b0eb496a906aa41c4897a5e9617cad98c06155af72c90c23ccde7d5a9ed0a3b5 84m
go run cmd/cve-analyser/main.go cves.csv
Processing the "cves.csv"...
CVE-2020-36242,openshift-release-dev/ocp-v4.0-art-dev@sha256:ffbccd590dcfe4400aa218659618a453e237951662ffb9ccab96d56156a9b31f,CVE Severity:Moderate,Not Found Any Information
oc describe vuln --namespace openshift-ovn-kubernetes sha256.7a0e7eaf0dce2977b9efe41475867ffacf85a02d6a09543d9be0532022201150
Name: sha256.7a0e7eaf0dce2977b9efe41475867ffacf85a02d6a09543d9be0532022201150
Namespace: openshift-ovn-kubernetes
Labels: openshift-ovn-kubernetes/ovnkube-master-8g5sv=true
openshift-ovn-kubernetes/ovnkube-master-9xxks=true
openshift-ovn-kubernetes/ovnkube-master-gtx28=true
openshift-ovn-kubernetes/ovnkube-node-bs2zx=true
openshift-ovn-kubernetes/ovnkube-node-fvkks=true
openshift-ovn-kubernetes/ovnkube-node-h26ms=true
openshift-ovn-kubernetes/ovnkube-node-h9rbh=true
openshift-ovn-kubernetes/ovnkube-node-k27xx=true
openshift-ovn-kubernetes/ovnkube-node-n88th=true
openshift-ovn-kubernetes/ovnkube-node-vb9nl=true
Annotations: <none>
API Version: secscan.quay.redhat.com/v1alpha1
Kind: ImageManifestVuln
Metadata:
Creation Timestamp: 2023-05-03T03:40:26Z
Generation: 2
Managed Fields:
API Version: secscan.quay.redhat.com/v1alpha1
Fields Type: FieldsV1
fieldsV1:
f:metadata:
f:labels:
.:
f:openshift-ovn-kubernetes/ovnkube-master-8g5sv:
f:openshift-ovn-kubernetes/ovnkube-master-9xxks:
f:openshift-ovn-kubernetes/ovnkube-master-gtx28:
f:openshift-ovn-kubernetes/ovnkube-node-bs2zx:
f:openshift-ovn-kubernetes/ovnkube-node-fvkks:
f:openshift-ovn-kubernetes/ovnkube-node-h26ms:
f:openshift-ovn-kubernetes/ovnkube-node-h9rbh:
f:openshift-ovn-kubernetes/ovnkube-node-k27xx:
f:openshift-ovn-kubernetes/ovnkube-node-n88th:
f:openshift-ovn-kubernetes/ovnkube-node-vb9nl:
f:spec:
.:
f:features:
f:image:
f:manifest:
Manager: security-labeller
Operation: Update
Time: 2023-05-03T04:40:36Z
API Version: secscan.quay.redhat.com/v1alpha1
Fields Type: FieldsV1
fieldsV1:
f:status:
.:
f:affectedPods:
.:
f:openshift-ovn-kubernetes/ovnkube-master-8g5sv:
f:openshift-ovn-kubernetes/ovnkube-master-9xxks:
f:openshift-ovn-kubernetes/ovnkube-master-gtx28:
f:openshift-ovn-kubernetes/ovnkube-node-bs2zx:
f:openshift-ovn-kubernetes/ovnkube-node-fvkks:
f:openshift-ovn-kubernetes/ovnkube-node-h26ms:
f:openshift-ovn-kubernetes/ovnkube-node-h9rbh:
f:openshift-ovn-kubernetes/ovnkube-node-k27xx:
f:openshift-ovn-kubernetes/ovnkube-node-n88th:
f:openshift-ovn-kubernetes/ovnkube-node-vb9nl:
f:criticalCount:
f:fixableCount:
f:highCount:
f:highestSeverity:
f:lastUpdate:
f:mediumCount:
Manager: security-labeller
Operation: Update
Subresource: status
Time: 2023-05-03T04:40:36Z
Resource Version: 120946
UID: f5193ef1-ec3c-4a59-8ed7-337b45d26e5b
Spec:
Features:
Name: python3-openvswitch2.17
Version: 2.17.0-62.el8fdp
Vulnerabilities:
Description: Open vSwitch provides standard network bridging functions and support for
the OpenFlow protocol for remote per-flow control of traffic.
Security Fix(es):
* openvswitch: Out-of-Bounds Read in Organization Specific TLV (CVE-2022-4337)
* openvswitch: Integer Underflow in Organization Specific TLV (CVE-2022-4338)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Fixedby: 0:2.17.0-71.el8fdp
Link: https://access.redhat.com/errata/RHSA-2023:0688 https://access.redhat.com/security/cve/CVE-2022-4337 https://access.redhat.com/security/cve/CVE-2022-4338
Metadata: {"UpdatedBy": "RHEL8-fast-datapath", "RepoName": "cpe:/o:redhat:enterprise_linux:8::fastdatapath", "RepoLink": null, "DistroName": "Red Hat Enterprise Linux Server", "DistroVersion": "8", "NVD": {"CVSSv3": {"Vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "Score": 9.8}}}
Name: RHSA-2023:0688: openvswitch2.17 security, bug fix and enhancement update (Moderate)
Namespace Name: RHEL8-fast-datapath
Severity: Medium
Description: Open vSwitch provides standard network bridging functions and support for the OpenFlow protocol for remote per-flow control of traffic.
Security Fix(es):
* openvswitch: ip proto 0 triggers incorrect handling (CVE-2023-1668)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
* [23.C RHEL-8] Fast Datapath Release (BZ#2177685)
* [CT] Inner header of ICMP related traffic does not get DNATed (BZ#2178200)
Fixedby: 0:2.17.0-88.el8fdp
Link: https://access.redhat.com/errata/RHSA-2023:1765 https://access.redhat.com/security/cve/CVE-2023-1668
Metadata: {"UpdatedBy": "RHEL8-fast-datapath", "RepoName": "cpe:/o:redhat:enterprise_linux:8::fastdatapath", "RepoLink": null, "DistroName": "Red Hat Enterprise Linux Server", "DistroVersion": "8", "NVD": {"CVSSv3": {"Vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H", "Score": 8.2}}}
Name: RHSA-2023:1765: openvswitch2.17 security update (Moderate)
Namespace Name: RHEL8-fast-datapath
Severity: Medium
Name: openvswitch2.17-devel
Version: 2.17.0-62.el8fdp
Vulnerabilities:
Description: Open vSwitch provides standard network bridging functions and support for
the OpenFlow protocol for remote per-flow control of traffic.
Security Fix(es):
* openvswitch: Out-of-Bounds Read in Organization Specific TLV (CVE-2022-4337)
* openvswitch: Integer Underflow in Organization Specific TLV (CVE-2022-4338)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Fixedby: 0:2.17.0-71.el8fdp
Link: https://access.redhat.com/errata/RHSA-2023:0688 https://access.redhat.com/security/cve/CVE-2022-4337 https://access.redhat.com/security/cve/CVE-2022-4338
Metadata: {"UpdatedBy": "RHEL8-fast-datapath", "RepoName": "cpe:/o:redhat:enterprise_linux:8::fastdatapath", "RepoLink": null, "DistroName": "Red Hat Enterprise Linux Server", "DistroVersion": "8", "NVD": {"CVSSv3": {"Vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "Score": 9.8}}}
Name: RHSA-2023:0688: openvswitch2.17 security, bug fix and enhancement update (Moderate)
Namespace Name: RHEL8-fast-datapath
Severity: Medium
Description: Open vSwitch provides standard network bridging functions and support for the OpenFlow protocol for remote per-flow control of traffic.
Security Fix(es):
* openvswitch: ip proto 0 triggers incorrect handling (CVE-2023-1668)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
* [23.C RHEL-8] Fast Datapath Release (BZ#2177685)
* [CT] Inner header of ICMP related traffic does not get DNATed (BZ#2178200)
Fixedby: 0:2.17.0-88.el8fdp
Link: https://access.redhat.com/errata/RHSA-2023:1765 https://access.redhat.com/security/cve/CVE-2023-1668
Metadata: {"UpdatedBy": "RHEL8-fast-datapath", "RepoName": "cpe:/o:redhat:enterprise_linux:8::fastdatapath", "RepoLink": null, "DistroName": "Red Hat Enterprise Linux Server", "DistroVersion": "8", "NVD": {"CVSSv3": {"Vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H", "Score": 8.2}}}
Name: RHSA-2023:1765: openvswitch2.17 security update (Moderate)
Namespace Name: RHEL8-fast-datapath
Severity: Medium
Name: pip
Version: 9.0.3
Vulnerabilities:
Description: Pip 21.1 updates its dependency 'urllib3' to v1.26.4 due to security issues.
Metadata: {"UpdatedBy": "pyupio", "RepoName": "pypi", "RepoLink": "https://pypi.org/simple", "DistroName": "", "DistroVersion": "", "NVD": {"CVSSv3": {"Vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "Score": 6.5}}}
Name: pyup.io-40291 (CVE-2021-28363)
Namespace Name: pyupio
Severity: Medium
Description: A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.
Metadata: {"UpdatedBy": "pyupio", "RepoName": "pypi", "RepoLink": "https://pypi.org/simple", "DistroName": "", "DistroVersion": "", "NVD": {"CVSSv3": {"Vectors": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N", "Score": 5.7}}}
Name: pyup.io-42559 (CVE-2021-3572)
Namespace Name: pyupio
Severity: Medium
Description: Pip before 19.2 allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.
Metadata: {"UpdatedBy": "pyupio", "RepoName": "pypi", "RepoLink": "https://pypi.org/simple", "DistroName": "", "DistroVersion": "", "NVD": {"CVSSv3": {"Vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "Score": 7.5}}}
Name: pyup.io-38765 (CVE-2019-20916)
Namespace Name: pyupio
Severity: High
Name: openvswitch2.17
Version: 2.17.0-62.el8fdp
Vulnerabilities:
Description: Open vSwitch provides standard network bridging functions and support for
the OpenFlow protocol for remote per-flow control of traffic.
Security Fix(es):
* openvswitch: Out-of-Bounds Read in Organization Specific TLV (CVE-2022-4337)
* openvswitch: Integer Underflow in Organization Specific TLV (CVE-2022-4338)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Fixedby: 0:2.17.0-71.el8fdp
Link: https://access.redhat.com/errata/RHSA-2023:0688 https://access.redhat.com/security/cve/CVE-2022-4337 https://access.redhat.com/security/cve/CVE-2022-4338
Metadata: {"UpdatedBy": "RHEL8-fast-datapath", "RepoName": "cpe:/o:redhat:enterprise_linux:8::fastdatapath", "RepoLink": null, "DistroName": "Red Hat Enterprise Linux Server", "DistroVersion": "8", "NVD": {"CVSSv3": {"Vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "Score": 9.8}}}
Name: RHSA-2023:0688: openvswitch2.17 security, bug fix and enhancement update (Moderate)
Namespace Name: RHEL8-fast-datapath
Severity: Medium
Description: Open vSwitch provides standard network bridging functions and support for the OpenFlow protocol for remote per-flow control of traffic.
Security Fix(es):
* openvswitch: ip proto 0 triggers incorrect handling (CVE-2023-1668)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
* [23.C RHEL-8] Fast Datapath Release (BZ#2177685)
* [CT] Inner header of ICMP related traffic does not get DNATed (BZ#2178200)
Fixedby: 0:2.17.0-88.el8fdp
Link: https://access.redhat.com/errata/RHSA-2023:1765 https://access.redhat.com/security/cve/CVE-2023-1668
Metadata: {"UpdatedBy": "RHEL8-fast-datapath", "RepoName": "cpe:/o:redhat:enterprise_linux:8::fastdatapath", "RepoLink": null, "DistroName": "Red Hat Enterprise Linux Server", "DistroVersion": "8", "NVD": {"CVSSv3": {"Vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H", "Score": 8.2}}}
Name: RHSA-2023:1765: openvswitch2.17 security update (Moderate)
Namespace Name: RHEL8-fast-datapath
Severity: Medium
Name: urllib3
Version: 1.24.2
Vulnerabilities:
Description: Urllib3 1.26.5 includes a fix for CVE-2021-33503: When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.
Metadata: {"UpdatedBy": "pyupio", "RepoName": "pypi", "RepoLink": "https://pypi.org/simple", "DistroName": "", "DistroVersion": "", "NVD": {"CVSSv3": {"Vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "Score": 7.5}}}
Name: pyup.io-43975 (CVE-2021-33503)
Namespace Name: pyupio
Severity: High
Description: urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.
Metadata: {"UpdatedBy": "pyupio", "RepoName": "pypi", "RepoLink": "https://pypi.org/simple", "DistroName": "", "DistroVersion": "", "NVD": {"CVSSv3": {"Vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "Score": 7.2}}}
Name: pyup.io-38834 (CVE-2020-26137)
Namespace Name: pyupio
Severity: High
Name: setuptools
Version: 39.2.0
Vulnerabilities:
Description: Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.
Metadata: {"UpdatedBy": "pyupio", "RepoName": "pypi", "RepoLink": "https://pypi.org/simple", "DistroName": "", "DistroVersion": "", "NVD": {"CVSSv3": {"Vectors": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "Score": 5.9}}}
Name: pyup.io-52495 (CVE-2022-40897)
Namespace Name: pyupio
Severity: Medium
Name: libcurl
Version: 7.61.1-22.el8_6.5
Vulnerabilities:
Description: The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP.
Security Fix(es):
* curl: HTTP multi-header compression denial of service (CVE-2023-23916)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Fixedby: 0:7.61.1-22.el8_6.6
Link: https://access.redhat.com/errata/RHSA-2023:1842 https://access.redhat.com/security/cve/CVE-2023-23916
Metadata: {"UpdatedBy": "RHEL8-rhel-8.6-eus", "RepoName": "cpe:/o:redhat:rhel_eus:8.6::baseos", "RepoLink": null, "DistroName": "Red Hat Enterprise Linux Server", "DistroVersion": "8", "NVD": {"CVSSv3": {"Vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "Score": 6.5}}}
Name: RHSA-2023:1842: curl security update (Moderate)
Namespace Name: RHEL8-rhel-8.6-eus
Severity: Medium
Name: cryptography
Version: 3.2.1
Vulnerabilities:
Description: Cryptography 39.0.0 drops support for C library "LibreSSL" < 3.4, as these versions are not receiving security support anymore.
Metadata: {"UpdatedBy": "pyupio", "RepoName": "pypi", "RepoLink": "https://pypi.org/simple", "DistroName": "", "DistroVersion": "", "NVD": {"CVSSv3": {"Vectors": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "Score": 5.5}}}
Name: pyup.io-51159 (CVE-2021-41581)
Namespace Name: pyupio
Severity: Medium
Description: Cryptography 3.3.2 includes a fix for CVE-2020-36242: certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class.
Metadata: {"UpdatedBy": "pyupio", "RepoName": "pypi", "RepoLink": "https://pypi.org/simple", "DistroName": "", "DistroVersion": "", "NVD": {"CVSSv3": {"Vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "Score": 9.1}}}
Name: pyup.io-39606 (CVE-2020-36242)
Namespace Name: pyupio
Severity: Critical
Description: Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes.
https://github.com/pyca/cryptography/issues/8229
Metadata: {"UpdatedBy": "pyupio", "RepoName": "pypi", "RepoLink": "https://pypi.org/simple", "DistroName": "", "DistroVersion": "", "NVD": {"CVSSv3": {"Vectors": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", "Score": 7.4}}}
Name: pyup.io-53304 (CVE-2023-0286)
Namespace Name: pyupio
Severity: High
Description: Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes.
https://github.com/pyca/cryptography/issues/8229
Metadata: {"UpdatedBy": "pyupio", "RepoName": "pypi", "RepoLink": "https://pypi.org/simple", "DistroName": "", "DistroVersion": "", "NVD": {"CVSSv3": {"Vectors": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "Score": 5.9}}}
Name: pyup.io-53303 (CVE-2022-4304)
Namespace Name: pyupio
Severity: Medium
Description: Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes.
https://github.com/pyca/cryptography/issues/8229
Metadata: {"UpdatedBy": "pyupio", "RepoName": "pypi", "RepoLink": "https://pypi.org/simple", "DistroName": "", "DistroVersion": "", "NVD": {"CVSSv3": {"Vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "Score": 7.5}}}
Name: pyup.io-53302 (CVE-2023-0216)
Namespace Name: pyupio
Severity: High
Description: Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes.
https://github.com/pyca/cryptography/issues/8229
Metadata: {"UpdatedBy": "pyupio", "RepoName": "pypi", "RepoLink": "https://pypi.org/simple", "DistroName": "", "DistroVersion": "", "NVD": {"CVSSv3": {"Vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "Score": 7.5}}}
Name: pyup.io-53299 (CVE-2022-4450)
Namespace Name: pyupio
Severity: High
Description: Cryptography 39.0.1 includes a fix for CVE-2022-3996, a DoS vulnerability affecting openssl.
https://github.com/pyca/cryptography/issues/7940
Metadata: {"UpdatedBy": "pyupio", "RepoName": "pypi", "RepoLink": "https://pypi.org/simple", "DistroName": "", "DistroVersion": "", "NVD": {"CVSSv3": {"Vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "Score": 7.5}}}
Name: pyup.io-53298 (CVE-2022-3996)
Namespace Name: pyupio
Severity: High
Description: Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes.
https://github.com/pyca/cryptography/issues/8229
Metadata: {"UpdatedBy": "pyupio", "RepoName": "pypi", "RepoLink": "https://pypi.org/simple", "DistroName": "", "DistroVersion": "", "NVD": {"CVSSv3": {"Vectors": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "Score": 4.9}}}
Name: pyup.io-53301 (CVE-2022-4203)
Namespace Name: pyupio
Severity: Medium
Description: Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes.
https://github.com/pyca/cryptography/issues/8229
Metadata: {"UpdatedBy": "pyupio", "RepoName": "pypi", "RepoLink": "https://pypi.org/simple", "DistroName": "", "DistroVersion": "", "NVD": {"CVSSv3": {"Vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "Score": 7.5}}}
Name: pyup.io-53306 (CVE-2023-0217)
Namespace Name: pyupio
Severity: High
Description: Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes.
https://github.com/pyca/cryptography/issues/8229
Metadata: {"UpdatedBy": "pyupio", "RepoName": "pypi", "RepoLink": "https://pypi.org/simple", "DistroName": "", "DistroVersion": "", "NVD": {"CVSSv3": {"Vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "Score": 7.5}}}
Name: pyup.io-53307 (CVE-2023-0401)
Namespace Name: pyupio
Severity: High
Description: Cryptography 39.0.1 updates its dependency 'OpenSSL' to v3.0.8 to include security fixes.
https://github.com/pyca/cryptography/issues/8229
Metadata: {"UpdatedBy": "pyupio", "RepoName": "pypi", "RepoLink": "https://pypi.org/simple", "DistroName": "", "DistroVersion": "", "NVD": {"CVSSv3": {"Vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "Score": 7.5}}}
Name: pyup.io-53305 (CVE-2023-0215)
Namespace Name: pyupio
Severity: High
Description: Cryptography 39.0.1 includes a fix for CVE-2023-23931: In affected versions 'Cipher.update_into' would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as 'bytes') to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This issue has been present since 'update_into' was originally introduced in cryptography 1.8.
https://github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r
Metadata: {"UpdatedBy": "pyupio", "RepoName": "pypi", "RepoLink": "https://pypi.org/simple", "DistroName": "", "DistroVersion": "", "NVD": {"CVSSv3": {"Vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "Score": 6.5}}}
Name: pyup.io-53048 (CVE-2023-23931)
Namespace Name: pyupio
Severity: Medium
Name: curl
Version: 7.61.1-22.el8_6.5
Vulnerabilities:
Description: The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP.
Security Fix(es):
* curl: HTTP multi-header compression denial of service (CVE-2023-23916)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Fixedby: 0:7.61.1-22.el8_6.6
Link: https://access.redhat.com/errata/RHSA-2023:1842 https://access.redhat.com/security/cve/CVE-2023-23916
Metadata: {"UpdatedBy": "RHEL8-rhel-8.6-eus", "RepoName": "cpe:/o:redhat:rhel_eus:8.6::baseos", "RepoLink": null, "DistroName": "Red Hat Enterprise Linux Server", "DistroVersion": "8", "NVD": {"CVSSv3": {"Vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "Score": 6.5}}}
Name: RHSA-2023:1842: curl security update (Moderate)
Namespace Name: RHEL8-rhel-8.6-eus
Severity: Medium
Name: openvswitch2.17-ipsec
Version: 2.17.0-62.el8fdp
Vulnerabilities:
Description: Open vSwitch provides standard network bridging functions and support for
the OpenFlow protocol for remote per-flow control of traffic.
Security Fix(es):
* openvswitch: Out-of-Bounds Read in Organization Specific TLV (CVE-2022-4337)
* openvswitch: Integer Underflow in Organization Specific TLV (CVE-2022-4338)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Fixedby: 0:2.17.0-71.el8fdp
Link: https://access.redhat.com/errata/RHSA-2023:0688 https://access.redhat.com/security/cve/CVE-2022-4337 https://access.redhat.com/security/cve/CVE-2022-4338
Metadata: {"UpdatedBy": "RHEL8-fast-datapath", "RepoName": "cpe:/o:redhat:enterprise_linux:8::fastdatapath", "RepoLink": null, "DistroName": "Red Hat Enterprise Linux Server", "DistroVersion": "8", "NVD": {"CVSSv3": {"Vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "Score": 9.8}}}
Name: RHSA-2023:0688: openvswitch2.17 security, bug fix and enhancement update (Moderate)
Namespace Name: RHEL8-fast-datapath
Severity: Medium
Description: Open vSwitch provides standard network bridging functions and support for the OpenFlow protocol for remote per-flow control of traffic.
Security Fix(es):
* openvswitch: ip proto 0 triggers incorrect handling (CVE-2023-1668)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
* [23.C RHEL-8] Fast Datapath Release (BZ#2177685)
* [CT] Inner header of ICMP related traffic does not get DNATed (BZ#2178200)
Fixedby: 0:2.17.0-88.el8fdp
Link: https://access.redhat.com/errata/RHSA-2023:1765 https://access.redhat.com/security/cve/CVE-2023-1668
Metadata: {"UpdatedBy": "RHEL8-fast-datapath", "RepoName": "cpe:/o:redhat:enterprise_linux:8::fastdatapath", "RepoLink": null, "DistroName": "Red Hat Enterprise Linux Server", "DistroVersion": "8", "NVD": {"CVSSv3": {"Vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H", "Score": 8.2}}}
Name: RHSA-2023:1765: openvswitch2.17 security update (Moderate)
Namespace Name: RHEL8-fast-datapath
Severity: Medium
Image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256
Manifest: sha256:7a0e7eaf0dce2977b9efe41475867ffacf85a02d6a09543d9be0532022201150
Status:
Affected Pods:
openshift-ovn-kubernetes/ovnkube-master-8g5sv:
openshift-ovn-kubernetes/ovnkube-master-9xxks:
openshift-ovn-kubernetes/ovnkube-master-gtx28:
openshift-ovn-kubernetes/ovnkube-node-bs2zx:
openshift-ovn-kubernetes/ovnkube-node-fvkks:
openshift-ovn-kubernetes/ovnkube-node-h26ms:
openshift-ovn-kubernetes/ovnkube-node-h9rbh:
openshift-ovn-kubernetes/ovnkube-node-k27xx:
openshift-ovn-kubernetes/ovnkube-node-n88th:
openshift-ovn-kubernetes/ovnkube-node-vb9nl:
Critical Count: 1
Fixable Count: 10
High Count: 10
Highest Severity: Critical
Last Update: 2023-05-03 04:40:36.268208241 +0000 UTC
Medium Count: 17
Events: <none>
oc get pods -n openshift-ovn-kubernetes ovnkube-node-bs2zx -o yaml
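# Pod object as returned by
#   oc get pods -n openshift-ovn-kubernetes ovnkube-node-bs2zx -o yaml
# The gist had its indentation stripped; it is restored here, every value is
# unchanged. Whitespace inside the embedded shell scripts cannot be recovered
# and is left exactly as captured.
#
# Two images are in use:
#   ...@sha256:7a0e7eaf0dce... -> ovn-controller, ovn-acl-logging, ovnkube-node
#     (this is the Manifest the Container Security Operator reports above:
#      Highest Severity Critical, 1 Critical / 10 High / 17 Medium, 10 fixable)
#   ...@sha256:ffbccd590dcf... -> both kube-rbac-proxy containers
# Images are pinned by digest, so imagePullPolicy: IfNotPresent cannot pull a
# different build than the one scanned.
#
# The `status:` section is observed runtime state, not part of a manifest that
# could be re-applied.
apiVersion: v1
kind: Pod
metadata:
  annotations:
    networkoperator.openshift.io/ip-family-mode: single-stack
  creationTimestamp: "2023-05-03T02:33:56Z"
  generateName: ovnkube-node-
  labels:
    app: ovnkube-node
    component: network
    controller-revision-hash: 7d4cb86d8c
    kubernetes.io/os: linux
    openshift.io/component: network
    pod-template-generation: "1"
    type: infra
  name: ovnkube-node-bs2zx
  namespace: openshift-ovn-kubernetes
  # Owned by the ovnkube-node DaemonSet; fixes must go into the operator's
  # template, not this Pod.
  ownerReferences:
  - apiVersion: apps/v1
    blockOwnerDeletion: true
    controller: true
    kind: DaemonSet
    name: ovnkube-node
    uid: 1112e06a-6eb7-4524-8b94-e7bfb6083ab2
  resourceVersion: "52268"
  uid: 6b6c5ec9-8860-42f3-a798-443ce04b529d
spec:
  # Pinned to one node by name (DaemonSet scheduling).
  affinity:
    nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
        - matchFields:
          - key: metadata.name
            operator: In
            values:
            - ip-10-66-101-254.ap-southeast-2.compute.internal
  containers:
  # ovn-controller: privileged (securityContext below), talks to the host's OVS
  # database socket and uses the mounted OVN client key/cert and CA bundle.
  # The command is a folded double-quoted scalar; the script's original
  # indentation is not visible in this form.
  - command:
    - /bin/bash
    - -c
    - "set -e\nif [[ -f \"/env/${K8S_NODE}\" ]]; then\n set -o allexport\n source
      \"/env/${K8S_NODE}\"\n set +o allexport\nfi \n\necho \"$(date -Iseconds) -
      starting ovn-controller\"\nexec ovn-controller unix:/var/run/openvswitch/db.sock
      -vfile:off \\\n --no-chdir --pidfile=/var/run/ovn/ovn-controller.pid \\\n --syslog-method=\"null\"
      \\\n --log-file=/var/log/ovn/acl-audit-log.log \\\n -vFACILITY:\"local0\"
      \\\n -p /ovn-cert/tls.key -c /ovn-cert/tls.crt -C /ovn-ca/ca-bundle.crt \\\n
      \ -vconsole:\"${OVN_LOG_LEVEL}\" -vconsole:\"acl_log:off\" \\\n -vPATTERN:console:\"%D{%Y-%m-%dT%H:%M:%S.###Z}|%05N|%c%T|%p|%m\"
      \\\n -vsyslog:\"acl_log:info\" \\\n -vfile:\"acl_log:info\"\n"
    env:
    - name: OVN_LOG_LEVEL
      value: info
    - name: K8S_NODE
      valueFrom:
        fieldRef:
          apiVersion: v1
          fieldPath: spec.nodeName
    image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:7a0e7eaf0dce2977b9efe41475867ffacf85a02d6a09543d9be0532022201150
    imagePullPolicy: IfNotPresent
    name: ovn-controller
    resources:
      requests:
        cpu: 10m
        memory: 300Mi
    # Full host privileges; combined with hostNetwork/hostPID below.
    securityContext:
      privileged: true
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: FallbackToLogsOnError
    volumeMounts:
    - mountPath: /run/openvswitch
      name: run-openvswitch
    - mountPath: /run/ovn/
      name: run-ovn
    - mountPath: /etc/openvswitch
      name: etc-openvswitch
    - mountPath: /etc/ovn/
      name: etc-openvswitch
    - mountPath: /var/lib/openvswitch
      name: var-lib-openvswitch
    # Optional ConfigMap; when present it is `source`d by the script above
    # with allexport, i.e. anyone who can write this ConfigMap controls the
    # environment of a privileged process.
    - mountPath: /env
      name: env-overrides
    # OVN client private key and certificate (Secret) and CA bundle (ConfigMap).
    - mountPath: /ovn-cert
      name: ovn-cert
    - mountPath: /ovn-ca
      name: ovn-ca
    - mountPath: /var/log/ovn
      name: node-log
    - mountPath: /dev/log
      name: log-socket
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: kube-api-access-5p5mc
      readOnly: true
  # ovn-acl-logging: not privileged. Tails the ACL audit log, rotates it once
  # it exceeds 50 MB and asks ovn-controller (via its pid file and unixctl
  # socket under /run/ovn) to reopen the log.
  - command:
    - /bin/bash
    - -c
    - "set -euo pipefail\n\n# Rotate audit log files when then get to max size (in
      bytes)\nMAXFILESIZE=$(( \"50\"*1000000 )) \nLOGFILE=/var/log/ovn/acl-audit-log.log\nCONTROLLERPID=$(cat
      /run/ovn/ovn-controller.pid)\n\n# Redirect err to null so no messages are shown
      upon rotation\ntail -F ${LOGFILE} 2> /dev/null &\n\nwhile true\ndo\n # Make
      sure ovn-controller's logfile exists, and get current size in bytes \n if [
      -f \"$LOGFILE\" ]; then \n file_size=`du -b ${LOGFILE} | tr -s '\\t' ' '
      | cut -d' ' -f1`\n else \n ovs-appctl -t /var/run/ovn/ovn-controller.${CONTROLLERPID}.ctl
      vlog/reopen\n file_size=`du -b ${LOGFILE} | tr -s '\\t' ' ' | cut -d' ' -f1`\n
      \ fi \n \n if [ $file_size -gt $MAXFILESIZE ];then\n echo \"Rotating OVN
      ACL Log File\"\n timestamp=`date '+%Y-%m-%dT%H-%M-%S'`\n mv ${LOGFILE}
      /var/log/ovn/acl-audit-log.$timestamp.log\n ovs-appctl -t /run/ovn/ovn-controller.${CONTROLLERPID}.ctl
      vlog/reopen\n CONTROLLERPID=$(cat /run/ovn/ovn-controller.pid)\n fi\n\n
      \ # sleep for 30 seconds to avoid wasting CPU \n sleep 30 \ndone\n"
    image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:7a0e7eaf0dce2977b9efe41475867ffacf85a02d6a09543d9be0532022201150
    imagePullPolicy: IfNotPresent
    name: ovn-acl-logging
    resources:
      requests:
        cpu: 10m
        memory: 20Mi
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: FallbackToLogsOnError
    volumeMounts:
    - mountPath: /var/log/ovn
      name: node-log
    - mountPath: /run/ovn/
      name: run-ovn
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: kube-api-access-5p5mc
      readOnly: true
  # kube-rbac-proxy: TLS/RBAC front for the ovnkube-node metrics endpoint
  # (plain HTTP on 127.0.0.1:29103), published on the node as hostPort 9103.
  # The startup script blocks until the optional ovn-node-metrics-cert Secret
  # is mounted (see volumes: optional: true).
  # NOTE(review): the embedded script is data here and can only be changed in
  # the operator's template, but three points are worth raising there:
  #   - `--tls-cipher-suites` includes TLS_RSA_WITH_AES_128_CBC_SHA256 (no
  #     forward secrecy) and several CBC suites; check it against the
  #     cluster's intended TLS security profile.
  #   - `-gt "WARN_TS"` compares against the literal name, not `${WARN_TS}`;
  #     it appears to work only because `[[ ]]` evaluates -gt operands
  #     arithmetically and so expands the variable.
  #   - the WARN threshold is 20 minutes while the INFO message says
  #     "Waiting one hour", and `retries` is assigned but never used.
  - command:
    - /bin/bash
    - -c
    - |
      #!/bin/bash
      set -euo pipefail
      TLS_PK=/etc/pki/tls/metrics-cert/tls.key
      TLS_CERT=/etc/pki/tls/metrics-cert/tls.crt
      # As the secret mount is optional we must wait for the files to be present.
      # The service is created in monitor.yaml and this is created in sdn.yaml.
      # If it isn't created there is probably an issue so we want to crashloop.
      retries=0
      TS=$(date +%s)
      WARN_TS=$(( ${TS} + $(( 20 * 60)) ))
      HAS_LOGGED_INFO=0
      log_missing_certs(){
      CUR_TS=$(date +%s)
      if [[ "${CUR_TS}" -gt "WARN_TS" ]]; then
      echo $(date -Iseconds) WARN: ovn-node-metrics-cert not mounted after 20 minutes.
      elif [[ "${HAS_LOGGED_INFO}" -eq 0 ]] ; then
      echo $(date -Iseconds) INFO: ovn-node-metrics-cert not mounted. Waiting one hour.
      HAS_LOGGED_INFO=1
      fi
      }
      while [[ ! -f "${TLS_PK}" || ! -f "${TLS_CERT}" ]] ; do
      log_missing_certs
      sleep 5
      done
      echo $(date -Iseconds) INFO: ovn-node-metrics-certs mounted, starting kube-rbac-proxy
      exec /usr/bin/kube-rbac-proxy \
      --logtostderr \
      --secure-listen-address=:9103 \
      --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 \
      --upstream=http://127.0.0.1:29103/ \
      --tls-private-key-file=${TLS_PK} \
      --tls-cert-file=${TLS_CERT}
    image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:ffbccd590dcfe4400aa218659618a453e237951662ffb9ccab96d56156a9b31f
    imagePullPolicy: IfNotPresent
    name: kube-rbac-proxy
    # hostPort: reachable on the node's own address because of hostNetwork.
    ports:
    - containerPort: 9103
      hostPort: 9103
      name: https
      protocol: TCP
    resources:
      requests:
        cpu: 10m
        memory: 20Mi
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: FallbackToLogsOnError
    volumeMounts:
    - mountPath: /etc/pki/tls/metrics-cert
      name: ovn-node-metrics-cert
      readOnly: true
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: kube-api-access-5p5mc
      readOnly: true
  # kube-rbac-proxy-ovn-metrics: identical script and cipher list as the
  # container above, fronting the OVN metrics endpoint 127.0.0.1:29105 on
  # hostPort 9105; the same NOTE(review) points apply.
  - command:
    - /bin/bash
    - -c
    - |
      #!/bin/bash
      set -euo pipefail
      TLS_PK=/etc/pki/tls/metrics-cert/tls.key
      TLS_CERT=/etc/pki/tls/metrics-cert/tls.crt
      # As the secret mount is optional we must wait for the files to be present.
      # The service is created in monitor.yaml and this is created in sdn.yaml.
      # If it isn't created there is probably an issue so we want to crashloop.
      retries=0
      TS=$(date +%s)
      WARN_TS=$(( ${TS} + $(( 20 * 60)) ))
      HAS_LOGGED_INFO=0
      log_missing_certs(){
      CUR_TS=$(date +%s)
      if [[ "${CUR_TS}" -gt "WARN_TS" ]]; then
      echo $(date -Iseconds) WARN: ovn-node-metrics-cert not mounted after 20 minutes.
      elif [[ "${HAS_LOGGED_INFO}" -eq 0 ]] ; then
      echo $(date -Iseconds) INFO: ovn-node-metrics-cert not mounted. Waiting one hour.
      HAS_LOGGED_INFO=1
      fi
      }
      while [[ ! -f "${TLS_PK}" || ! -f "${TLS_CERT}" ]] ; do
      log_missing_certs
      sleep 5
      done
      echo $(date -Iseconds) INFO: ovn-node-metrics-certs mounted, starting kube-rbac-proxy
      exec /usr/bin/kube-rbac-proxy \
      --logtostderr \
      --secure-listen-address=:9105 \
      --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 \
      --upstream=http://127.0.0.1:29105/ \
      --tls-private-key-file=${TLS_PK} \
      --tls-cert-file=${TLS_CERT}
    image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:ffbccd590dcfe4400aa218659618a453e237951662ffb9ccab96d56156a9b31f
    imagePullPolicy: IfNotPresent
    name: kube-rbac-proxy-ovn-metrics
    ports:
    - containerPort: 9105
      hostPort: 9105
      name: https
      protocol: TCP
    resources:
      requests:
        cpu: 10m
        memory: 20Mi
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: FallbackToLogsOnError
    volumeMounts:
    - mountPath: /etc/pki/tls/metrics-cert
      name: ovn-node-metrics-cert
      readOnly: true
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: kube-api-access-5p5mc
      readOnly: true
  # ovnkube-node: privileged. Installs the CNI plugin binary into the host's
  # CNI bin dir, adds NOTRACK raw-table rules for Geneve (udp/6081) on the
  # host, then execs ovnkube with mutual TLS (client key/cert + CA) to the
  # NB/SB databases. Also `source`s the optional env-overrides ConfigMap.
  # The gateway mode is rendered as the literal "shared", so the "local"
  # and error branches are dead code in this Pod.
  - command:
    - /bin/bash
    - -c
    - |
      set -xe
      if [[ -f "/env/${K8S_NODE}" ]]; then
      set -o allexport
      source "/env/${K8S_NODE}"
      set +o allexport
      fi
      cp -f /usr/libexec/cni/ovn-k8s-cni-overlay /cni-bin-dir/
      ovn_config_namespace=openshift-ovn-kubernetes
      echo "I$(date "+%m%d %H:%M:%S.%N") - disable conntrack on geneve port"
      iptables -t raw -A PREROUTING -p udp --dport 6081 -j NOTRACK
      iptables -t raw -A OUTPUT -p udp --dport 6081 -j NOTRACK
      ip6tables -t raw -A PREROUTING -p udp --dport 6081 -j NOTRACK
      ip6tables -t raw -A OUTPUT -p udp --dport 6081 -j NOTRACK
      echo "I$(date "+%m%d %H:%M:%S.%N") - starting ovnkube-node"
      if [ "shared" == "shared" ]; then
      gateway_mode_flags="--gateway-mode shared --gateway-interface br-ex"
      elif [ "shared" == "local" ]; then
      gateway_mode_flags="--gateway-mode local --gateway-interface br-ex"
      else
      echo "Invalid OVN_GATEWAY_MODE: \"shared\". Must be \"local\" or \"shared\"."
      exit 1
      fi
      export_network_flows_flags=
      if [[ -n "${NETFLOW_COLLECTORS}" ]] ; then
      export_network_flows_flags="--netflow-targets ${NETFLOW_COLLECTORS}"
      fi
      if [[ -n "${SFLOW_COLLECTORS}" ]] ; then
      export_network_flows_flags="$export_network_flows_flags --sflow-targets ${SFLOW_COLLECTORS}"
      fi
      if [[ -n "${IPFIX_COLLECTORS}" ]] ; then
      export_network_flows_flags="$export_network_flows_flags --ipfix-targets ${IPFIX_COLLECTORS}"
      fi
      if [[ -n "${IPFIX_CACHE_MAX_FLOWS}" ]] ; then
      export_network_flows_flags="$export_network_flows_flags --ipfix-cache-max-flows ${IPFIX_CACHE_MAX_FLOWS}"
      fi
      if [[ -n "${IPFIX_CACHE_ACTIVE_TIMEOUT}" ]] ; then
      export_network_flows_flags="$export_network_flows_flags --ipfix-cache-active-timeout ${IPFIX_CACHE_ACTIVE_TIMEOUT}"
      fi
      if [[ -n "${IPFIX_SAMPLING}" ]] ; then
      export_network_flows_flags="$export_network_flows_flags --ipfix-sampling ${IPFIX_SAMPLING}"
      fi
      gw_interface_flag=
      # if br-ex1 is configured on the node, we want to use it for external gateway traffic
      if [ -d /sys/class/net/br-ex1 ]; then
      gw_interface_flag="--exgw-interface=br-ex1"
      fi
      node_mgmt_port_netdev_flags=
      if [[ -n "${OVNKUBE_NODE_MGMT_PORT_NETDEV}" ]] ; then
      node_mgmt_port_netdev_flags="--ovnkube-node-mgmt-port-netdev ${OVNKUBE_NODE_MGMT_PORT_NETDEV}"
      fi
      exec /usr/bin/ovnkube --init-node "${K8S_NODE}" \
      --nb-address "ssl:10.66.101.41:9641,ssl:10.66.101.59:9641,ssl:10.66.101.34:9641" \
      --sb-address "ssl:10.66.101.41:9642,ssl:10.66.101.59:9642,ssl:10.66.101.34:9642" \
      --nb-client-privkey /ovn-cert/tls.key \
      --nb-client-cert /ovn-cert/tls.crt \
      --nb-client-cacert /ovn-ca/ca-bundle.crt \
      --nb-cert-common-name "ovn" \
      --sb-client-privkey /ovn-cert/tls.key \
      --sb-client-cert /ovn-cert/tls.crt \
      --sb-client-cacert /ovn-ca/ca-bundle.crt \
      --sb-cert-common-name "ovn" \
      --config-file=/run/ovnkube-config/ovnkube.conf \
      --loglevel "${OVN_KUBE_LOG_LEVEL}" \
      --inactivity-probe="${OVN_CONTROLLER_INACTIVITY_PROBE}" \
      ${gateway_mode_flags} \
      --metrics-bind-address "127.0.0.1:29103" \
      --ovn-metrics-bind-address "127.0.0.1:29105" \
      --metrics-enable-pprof \
      --export-ovs-metrics \
      --disable-snat-multiple-gws \
      ${export_network_flows_flags} \
      ${gw_interface_flag}
    env:
    - name: KUBERNETES_SERVICE_PORT
      value: "6443"
    - name: KUBERNETES_SERVICE_HOST
      value: api-int.foster-rosa.ak27.p1.openshiftapps.com
    - name: OVN_CONTROLLER_INACTIVITY_PROBE
      value: "180000"
    - name: OVN_KUBE_LOG_LEVEL
      value: "4"
    - name: K8S_NODE
      valueFrom:
        fieldRef:
          apiVersion: v1
          fieldPath: spec.nodeName
    - name: POD_NAME
      valueFrom:
        fieldRef:
          apiVersion: v1
          fieldPath: metadata.name
    image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:7a0e7eaf0dce2977b9efe41475867ffacf85a02d6a09543d9be0532022201150
    imagePullPolicy: IfNotPresent
    # On stop, remove the CNI config so the node stops scheduling pods onto
    # this network plugin; the readiness probe checks the same file.
    lifecycle:
      preStop:
        exec:
          command:
          - rm
          - -f
          - /etc/cni/net.d/10-ovn-kubernetes.conf
    name: ovnkube-node
    # Metrics are bound to 127.0.0.1:29103 in the script above; this hostPort
    # entry publishes the same number on the node.
    ports:
    - containerPort: 29103
      hostPort: 29103
      name: metrics-port
      protocol: TCP
    readinessProbe:
      exec:
        command:
        - test
        - -f
        - /etc/cni/net.d/10-ovn-kubernetes.conf
      failureThreshold: 3
      initialDelaySeconds: 5
      periodSeconds: 5
      successThreshold: 1
      timeoutSeconds: 1
    resources:
      requests:
        cpu: 10m
        memory: 300Mi
    securityContext:
      privileged: true
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: FallbackToLogsOnError
    volumeMounts:
    - mountPath: /etc/systemd/system
      name: systemd-units
      readOnly: true
    # The whole host filesystem, read-only with HostToContainer propagation.
    - mountPath: /host
      mountPropagation: HostToContainer
      name: host-slash
      readOnly: true
    - mountPath: /run/ovn-kubernetes/
      name: host-run-ovn-kubernetes
    - mountPath: /run/netns
      mountPropagation: HostToContainer
      name: host-run-netns
      readOnly: true
    # Writable host paths: the CNI plugin binary and CNI config directories.
    - mountPath: /cni-bin-dir
      name: host-cni-bin
    - mountPath: /etc/cni/net.d
      name: host-cni-netd
    - mountPath: /var/lib/cni/networks/ovn-k8s-cni-overlay
      name: host-var-lib-cni-networks-ovn-kubernetes
    - mountPath: /run/openvswitch
      name: run-openvswitch
    - mountPath: /run/ovn/
      name: run-ovn
    - mountPath: /etc/openvswitch
      name: etc-openvswitch
    - mountPath: /etc/ovn/
      name: etc-openvswitch
    - mountPath: /var/lib/openvswitch
      name: var-lib-openvswitch
    - mountPath: /run/ovnkube-config/
      name: ovnkube-config
    - mountPath: /env
      name: env-overrides
    - mountPath: /ovn-cert
      name: ovn-cert
    - mountPath: /ovn-ca
      name: ovn-ca
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: kube-api-access-5p5mc
      readOnly: true
  dnsPolicy: Default
  enableServiceLinks: true
  # Host network and PID namespaces are shared with the node. Together with
  # the two privileged containers this pod is, in effect, root on the host,
  # which is why the vulnerability counts for its image matter at node level.
  hostNetwork: true
  hostPID: true
  imagePullSecrets:
  - name: ovn-kubernetes-node-dockercfg-6pz8g
  nodeName: ip-10-66-101-254.ap-southeast-2.compute.internal
  nodeSelector:
    beta.kubernetes.io/os: linux
  preemptionPolicy: PreemptLowerPriority
  priority: 2000001000
  priorityClassName: system-node-critical
  restartPolicy: Always
  schedulerName: default-scheduler
  # No pod-level security context; all hardening (or lack of it) is set per
  # container above.
  securityContext: {}
  serviceAccount: ovn-kubernetes-node
  serviceAccountName: ovn-kubernetes-node
  terminationGracePeriodSeconds: 30
  tolerations:
  - operator: Exists
  # All hostPath volumes use type: "" (no existence or file-type check by the
  # kubelet); host-slash is the root of the node filesystem.
  volumes:
  - hostPath:
      path: /etc/systemd/system
      type: ""
    name: systemd-units
  - hostPath:
      path: /
      type: ""
    name: host-slash
  - hostPath:
      path: /run/netns
      type: ""
    name: host-run-netns
  - hostPath:
      path: /var/lib/openvswitch/data
      type: ""
    name: var-lib-openvswitch
  - hostPath:
      path: /etc/openvswitch
      type: ""
    name: etc-openvswitch
  - hostPath:
      path: /var/run/openvswitch
      type: ""
    name: run-openvswitch
  - hostPath:
      path: /var/run/ovn
      type: ""
    name: run-ovn
  - hostPath:
      path: /var/log/ovn
      type: ""
    name: node-log
  - hostPath:
      path: /dev/log
      type: ""
    name: log-socket
  - hostPath:
      path: /run/ovn-kubernetes
      type: ""
    name: host-run-ovn-kubernetes
  - hostPath:
      path: /var/lib/cni/bin
      type: ""
    name: host-cni-bin
  - hostPath:
      path: /var/run/multus/cni/net.d
      type: ""
    name: host-cni-netd
  - hostPath:
      path: /var/lib/cni/networks/ovn-k8s-cni-overlay
      type: ""
    name: host-var-lib-cni-networks-ovn-kubernetes
  - configMap:
      defaultMode: 420
      name: ovnkube-config
    name: ovnkube-config
  # Optional: absent ConfigMap is tolerated; when present it is sourced by the
  # privileged containers' startup scripts.
  - configMap:
      defaultMode: 420
      name: env-overrides
      optional: true
    name: env-overrides
  - configMap:
      defaultMode: 420
      name: ovn-ca
    name: ovn-ca
  # OVN client private key; defaultMode 420 is 0644, so it is world-readable
  # inside the containers that mount it.
  - name: ovn-cert
    secret:
      defaultMode: 420
      secretName: ovn-cert
  - name: ovn-node-metrics-cert
    secret:
      defaultMode: 420
      optional: true
      secretName: ovn-node-metrics-cert
  # Projected, time-bound service account token (3607 s) rather than a legacy
  # long-lived token Secret.
  - name: kube-api-access-5p5mc
    projected:
      defaultMode: 420
      sources:
      - serviceAccountToken:
          expirationSeconds: 3607
          path: token
      - configMap:
          items:
          - key: ca.crt
            path: ca.crt
          name: kube-root-ca.crt
      - downwardAPI:
          items:
          - fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
            path: namespace
      - configMap:
          items:
          - key: service-ca.crt
            path: service-ca.crt
          name: openshift-service-ca.crt
# Observed runtime state at capture time. Every container shows restartCount: 1
# and a startedAt about 26 minutes after the pod's creationTimestamp.
status:
  conditions:
  - lastProbeTime: null
    lastTransitionTime: "2023-05-03T02:33:56Z"
    status: "True"
    type: Initialized
  - lastProbeTime: null
    lastTransitionTime: "2023-05-03T02:59:33Z"
    status: "True"
    type: Ready
  - lastProbeTime: null
    lastTransitionTime: "2023-05-03T02:59:33Z"
    status: "True"
    type: ContainersReady
  - lastProbeTime: null
    lastTransitionTime: "2023-05-03T02:33:56Z"
    status: "True"
    type: PodScheduled
  containerStatuses:
  - containerID: cri-o://58bd69f92d62516c9728406f2d6b1480808f82647cf52c941fb640bd5b3e77b1
    image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:ffbccd590dcfe4400aa218659618a453e237951662ffb9ccab96d56156a9b31f
    imageID: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:ffbccd590dcfe4400aa218659618a453e237951662ffb9ccab96d56156a9b31f
    lastState: {}
    name: kube-rbac-proxy
    ready: true
    restartCount: 1
    started: true
    state:
      running:
        startedAt: "2023-05-03T02:59:26Z"
  - containerID: cri-o://071ac3c5bc6b640d7b55d3615a2fb609c09246db3231f7fecd7ea3c41685c6b3
    image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:ffbccd590dcfe4400aa218659618a453e237951662ffb9ccab96d56156a9b31f
    imageID: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:ffbccd590dcfe4400aa218659618a453e237951662ffb9ccab96d56156a9b31f
    lastState: {}
    name: kube-rbac-proxy-ovn-metrics
    ready: true
    restartCount: 1
    started: true
    state:
      running:
        startedAt: "2023-05-03T02:59:26Z"
  - containerID: cri-o://d7c4f7f1f3080ba560477b9fd95a6d68d49ae75dd699f4e75dbf2650e3d87c09
    image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:7a0e7eaf0dce2977b9efe41475867ffacf85a02d6a09543d9be0532022201150
    imageID: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:7a0e7eaf0dce2977b9efe41475867ffacf85a02d6a09543d9be0532022201150
    lastState: {}
    name: ovn-acl-logging
    ready: true
    restartCount: 1
    started: true
    state:
      running:
        startedAt: "2023-05-03T02:59:25Z"
  - containerID: cri-o://7b7816ad6e66d3bbb303d420d0817a7c5f4413873103fa1073fb372080d11cc9
    image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:7a0e7eaf0dce2977b9efe41475867ffacf85a02d6a09543d9be0532022201150
    imageID: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:7a0e7eaf0dce2977b9efe41475867ffacf85a02d6a09543d9be0532022201150
    lastState: {}
    name: ovn-controller
    ready: true
    restartCount: 1
    started: true
    state:
      running:
        startedAt: "2023-05-03T02:59:25Z"
  - containerID: cri-o://c713a63a10092a9a9d96e4719b99b537f2e244033e6f6af3ba2389bba1a21531
    image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:7a0e7eaf0dce2977b9efe41475867ffacf85a02d6a09543d9be0532022201150
    imageID: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:7a0e7eaf0dce2977b9efe41475867ffacf85a02d6a09543d9be0532022201150
    lastState: {}
    name: ovnkube-node
    ready: true
    restartCount: 1
    started: true
    state:
      running:
        startedAt: "2023-05-03T02:59:26Z"
  hostIP: 10.66.101.254
  phase: Running
  podIP: 10.66.101.254
  podIPs:
  - ip: 10.66.101.254
  qosClass: Burstable
  startTime: "2023-05-03T02:33:56Z"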