cdk-addons 1.21 needs updated cephcsi image

Bug #1945686 reported by Vern Hart
This bug affects 4 people
Affects      Status         Importance   Assigned to      Milestone
CDK Addons   Fix Released   High         Kevin W Monroe

Bug Description

In debugging a PersistentVolumeClaim issue I tracked it to this Cephx CVE:
https://docs.ceph.com/en/latest/security/CVE-2021-20288/

The fix for that CVE is to:
ceph config set mon auth_allow_insecure_global_id_reclaim false

After doing this, PersistentVolumeClaims get stuck Pending as they can't authorize with ceph.

The recommended fix for that is to update ceph clients.

I confirmed that updating the cephcsi container image to v3.3.1 resolves the PVC issue. However, cdk-addons keeps switching it back to v2.1.2. https://pastebin.ubuntu.com/p/vT7WsTgCrj/

Checking the various snap versions I see:

cdk-addon        cephcsi
1.23.0-alpha.2   v3.3.1
1.22.2           v3.3.1
1.22.1           v3.3.1
1.21.5           v2.1.2
1.21.3           v2.1.2
1.20.11          v2.1.2
1.20.4           v2.1.2
1.19.15          v2.1.2
1.19.8           v2.1.2
1.18.20          none

So it seems we need to backport the cephcsi container image version v3.3.1 to 1.21, 1.20, and 1.19.
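
An added example, not part of the original report and not cdk-addons code: a pre-check that lists pods still running a cephcsi image older than the version reported working above, so they can be found before `auth_allow_insecure_global_id_reclaim` is set to false. The pod names, the `registry.example` registry and the use of v3.3.1 as the threshold are assumptions; the sample data is constructed.

```python
import json
import re

# Assumption taken from the report above: v2.1.2 could not authenticate
# once insecure global_id reclaim was disabled, and v3.3.1 could.
KNOWN_GOOD = (3, 3, 1)
IMAGE_RE = re.compile(r"(?:^|/)cephcsi:v?(\d+)\.(\d+)\.(\d+)$")

def _pod(name, containers):
    # Builds one constructed pod record for the sample below.
    return {"metadata": {"namespace": "default", "name": name},
            "spec": {"containers": [{"name": n, "image": i} for n, i in containers]}}

# Constructed sample shaped like `kubectl get pods -A -o json` output.
SAMPLE_PODS = json.dumps({"items": [
    _pod("csi-rbdplugin-abc12", [
        ("driver-registrar", "registry.example/sig-storage/csi-node-driver-registrar:v2.0.1"),
        ("csi-rbdplugin", "registry.example/cephcsi/cephcsi:v2.1.2")]),
    _pod("csi-cephfsplugin-def34", [
        ("csi-cephfsplugin", "registry.example/cephcsi/cephcsi:v3.3.1")]),
    _pod("csi-rbdplugin-provisioner-0", [
        ("csi-rbdplugin", "registry.example/cephcsi/cephcsi:v3.10.0")]),
    _pod("csi-rbdplugin-ghi56", [
        ("csi-rbdplugin", "registry.example/cephcsi/cephcsi@sha256:0000")]),
]})

def cephcsi_version(image):
    """Return (major, minor, patch) for a tagged cephcsi image, else None."""
    m = IMAGE_RE.search(image)
    return tuple(int(x) for x in m.groups()) if m else None

def outdated_cephcsi(pods_json, minimum=KNOWN_GOOD):
    """Return (namespace, pod, container, image, reason) for each cephcsi
    container that is below `minimum` or whose version cannot be read."""
    findings = []
    for pod in json.loads(pods_json).get("items", []):
        meta, spec = pod["metadata"], pod["spec"]
        for c in spec.get("initContainers", []) + spec.get("containers", []):
            image = c["image"]
            if "cephcsi" not in image.rsplit("/", 1)[-1]:
                continue  # sidecar or unrelated image
            ver = cephcsi_version(image)
            # Tuple comparison, so 3.10.0 sorts above 3.3.1 (string compare would not).
            if ver is None or ver < minimum:
                reason = "unverifiable" if ver is None else "outdated"
                findings.append((meta["namespace"], meta["name"], c["name"], image, reason))
    return findings

if __name__ == "__main__":
    for finding in outdated_cephcsi(SAMPLE_PODS):
        print(*finding)
```

On a live cluster, pass the output of `kubectl get pods -A -o json` in place of `SAMPLE_PODS`.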

Changed in cdk-addons:
status: New → Confirmed
George Kraft (cynerva)
Changed in cdk-addons:
importance: Undecided → High
status: Confirmed → Triaged
Aymen Frikha (aym-frikha) wrote :

subscribed ~field-high

Kevin W Monroe (kwmonroe) wrote :

One concern I have for the cephcsi bump to v3.3.1 is that v1 PVCs are no longer supported in v3 [0].

We shipped v1 in CK 1.18, and with our n-2 support policy, that means a customer could be upgrading a 1.18 v1 cluster to 1.20, which could break if we moved 1.20 up to v3.

v3 in 1.21 would be ok since the support window would have started with 1.19 which was already at v2. We'll backport v3 to 1.21, but not 1.20 nor 1.19.

[0]: breaking changes: https://github.com/ceph/ceph-csi/releases/tag/v3.0.0

Changed in cdk-addons:
assignee: nobody → Kevin W Monroe (kwmonroe)
status: Triaged → In Progress
Kevin W Monroe (kwmonroe) wrote :
Changed in cdk-addons:
status: In Progress → Fix Committed
Kevin W Monroe (kwmonroe) wrote :

Available in 1.21 rev 8300 (today in edge/beta/candidate):

1.21/candidate: 1.21.5 2021-10-18 (8300) 10MB

Changed in cdk-addons:
milestone: none → 1.22+ck1
George Kraft (cynerva)
Changed in cdk-addons:
status: Fix Committed → Fix Released