OCPBUGS-75916: crio: disable short_name_mode until we introduce ctrcfg api for it #5628
Signed-off-by: Peter Hunt <pehunt@redhat.com>

@haircommander: This pull request references Jira Issue OCPBUGS-75916, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug
Requesting review from QA contact: The bug has been updated to refer to the pull request using the external bug tracker.

/cherry-pick release-4.22

@haircommander: once the present PR merges, I will cherry-pick it on top of

mtrmac left a comment:

I agree that short name lookup should generally be discouraged, and that the use of `disabled` in CRI-O is undesirable.
Nevertheless:
- “enforcing” does not do what cri-o/cri-o#9401 might think: it fails whenever there are multiple registries in `unqualified-search-registries` (and there is no short name alias explicitly defined). I.e. users who set U-S-R presumably always have >1, and this will always fail
- U-S-R is a stable OpenShift API: https://github.com/openshift/api/blob/81371d13d1fcad175a48627cf11524a94a80c377/config/v1/types_image.go#L190
  so I don’t know how OpenShift can just move away from `disabled` at ~any timeframe. Maybe this needs to be conditional on users setting up U-S-R.

we could potentially plumb that into the api validation for ctrcfg update... okay I should have read deeper before toggling in cri-o probably. thanks for the heads up.

I suspect if we don't set it by default, then the majority of users won't set it. which may be fine, it's a pretty narrowly scoped security hole to cover. Will have to think deeper about this. Also summoning @QiWang19 and @saschagrunert for awareness..

To be clear, I’m not against this PR restoring the (bad) status quo. And I do want the default OpenShift posture to be "short names only use pre-configured aliases" or even better "short names are entirely prohibited" (because Kubelet sends credentials for This was more of a comment on the other PRs, just highlighting the public feature that depends on that bad behavior.

QiWang19 left a comment:

LGTM
It makes sense to revert the default behavior for now instead of landing the MachineConfig, before we figure out how to introduce short names to newly installed clusters.
> I suspect if we don't set it by default, then the majority of users won't set it.

yeah, I think so

/verified later @haircommander

@haircommander: This PR has been marked to be verified later by

/lgtm

[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: haircommander, harche

/cherry-pick release-4.21

@haircommander: once the present PR merges, I will cherry-pick it on top of

@haircommander: all tests passed!

@haircommander: Jira Issue OCPBUGS-75916: All pull requests linked via external trackers have merged: This pull request has the

@haircommander: new pull request created: #5635

@haircommander: new pull request created: #5636

Fix included in accepted release 4.22.0-0.nightly-2026-02-08-124411

- What I did
disable for 4.22 (and eventually 4.21) until we get a proper fix in
alternative to #5622
- How to verify it
- Description for the changelog