
Cluster versions

Current

    $ oc get clusterversion -o json|jq ".items[0].spec"
    {
      "channel": "candidate-4.12",
      "clusterID": "1ad501e2-5e60-45a5-9890-35d56bc06a4d",
      "desiredUpdate": {
        "force": false,
        "image": "quay.io/openshift-release-dev/ocp-release@sha256:31c7741fc7bb73ff752ba43f5acf014b8fadd69196fc522241302de918066cb1",
        "version": "4.12.2"
      }
    }

History

    $ oc get clusterversion -o json|jq ".items[0].status.history"
    [
      {
        "completionTime": "2023-02-09T10:32:35Z",
        "image": "quay.io/openshift-release-dev/ocp-release@sha256:31c7741fc7bb73ff752ba43f5acf014b8fadd69196fc522241302de918066cb1",
        "startedTime": "2023-02-09T09:05:12Z",
        "state": "Completed",
        "verified": true,
        "version": "4.12.2"
      },
      {
        "completionTime": "2023-01-18T19:23:07Z",
        "image": "quay.io/openshift-release-dev/ocp-release@sha256:4c5a7e26d707780be6466ddc9591865beb2e3baa5556432d23e8d57966a2dd18",
        "startedTime": "2023-01-18T18:42:01Z",
        "state": "Completed",
        "verified": false,
        "version": "4.12.0"
      }
    ]

Load balancer config

Default haproxy config

Health check parameters:

    inter 1s : the interval between two consecutive health checks (HAProxy expresses this value in milliseconds; 1s = 1000 ms).
    fall 2   : a server is considered dead after that many consecutive unsuccessful health checks.
    rise 3   : a server is considered operational again after that many consecutive successful health checks.
    HTTP check : GET /readyz HTTP/1.0 (the request sent to each backend).

Global and default sections:

    global
      stats socket /var/lib/haproxy/run/haproxy.sock mode 600 level admin expose-fd listeners
    defaults
      maxconn 20000
      mode tcp
      log /var/run/haproxy/haproxy-log.

NFS defaults

Default versions

Kernel versions 4.18 and above default to NFS 4.2. The client tries, in order, 4.2, then 4.1, then 4.0.

https://access.redhat.com/articles/6907891
https://access.redhat.com/articles/3626571

Default mount options

    rw,relatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,local_lock=none,addr=<nfs_server>

Customize mount options

https://access.redhat.com/solutions/6065961

    apiVersion: v1
    kind: PersistentVolume
    spec:
      [...]
      mountOptions:
      - nfsvers=4.1
      [...]

You can make an RPC call to the NFS server to get the supported versions:

    $ rpcinfo -p 192.168.0.10 | grep nfs
        100003    3   tcp   2049  nfs
        100003    4   tcp   2049  nfs

Then adapt the mount options to what your NFS server supports.

Pod Security Admission

Pod Security Policies are deprecated in K8S 1.21.

https://kubernetes.io/docs/concepts/security/pod-security-standards/
https://cloud.redhat.com/blog/pod-security-admission-in-openshift-4.11

New labels added in each namespace

    pod-security.kubernetes.io/enforce=privileged
    pod-security.kubernetes.io/audit=restricted
    pod-security.kubernetes.io/warn=restricted
    security.openshift.io/scc.podSecurityLabelSync=true

Default specs needed for the restricted profile

    securityContext:
      runAsNonRoot: true
      seccompProfile:
        type: RuntimeDefault
    containers:
    - name: my-cronjob-container
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: ['ALL']

Dry run apply enforce

    $ oc label --dry-run=server --overwrite ns --all pod-security.kubernetes.io/enforce=restricted

Audit script

    #!/usr/bin/env python3
    # filename    : audit.py
    # description : Generates a list of PSA violations
    # author      : mmayeras
    # company     : Red Hat
    # date        : 20221215
    # version     : 0.
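As an added example (not the page's audit.py, of which only the header survives), the following Python check evaluates pod manifests against the four restricted-profile fields listed above, so that violations can be listed before the enforce label is switched to restricted. It also applies the standard's container-level override rule and accepts the Localhost seccomp type, which the page does not mention; the two sample manifests are constructed.

```python
#!/usr/bin/env python3
"""Check pod manifests against the restricted-profile fields listed above.

Hypothetical helper written for this page; it is not the page's audit.py.
"""

def _effective(pod_sc, ctr_sc, key):
    """A container-level securityContext field overrides the pod-level one."""
    return ctr_sc[key] if key in ctr_sc else pod_sc.get(key)


def restricted_violations(pod):
    """Return 'container: reason' strings; an empty list means compliant."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    found = []
    for ctr in spec.get("containers", []) + spec.get("initContainers", []):
        name = ctr.get("name", "<unnamed>")
        ctr_sc = ctr.get("securityContext") or {}
        if _effective(pod_sc, ctr_sc, "runAsNonRoot") is not True:
            found.append(f"{name}: runAsNonRoot != true")
        seccomp = _effective(pod_sc, ctr_sc, "seccompProfile") or {}
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            found.append(f"{name}: seccompProfile.type not RuntimeDefault/Localhost")
        # Must be set to false explicitly; unset defaults to true in the kubelet.
        if ctr_sc.get("allowPrivilegeEscalation") is not False:
            found.append(f"{name}: allowPrivilegeEscalation != false")
        caps = ctr_sc.get("capabilities") or {}
        if "ALL" not in caps.get("drop", []):
            found.append(f"{name}: capabilities.drop missing ALL")
    return found


def audit(pods):
    """Map pod name -> violations, keeping only pods the restricted profile rejects."""
    return {p["metadata"]["name"]: v for p in pods if (v := restricted_violations(p))}


# Constructed sample manifests: one built from the DefaultSpecs above and one
# plain pod with no securityContext at all, as many legacy cronjobs ship.
GOOD_POD = {"metadata": {"name": "good"}, "spec": {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "my-cronjob-container", "securityContext": {
        "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}}]}}
BAD_POD = {"metadata": {"name": "bad"},
           "spec": {"containers": [{"name": "app", "image": "registry.example/app:1"}]}}

if __name__ == "__main__":
    for pod_name, reasons in audit([GOOD_POD, BAD_POD]).items():
        print(pod_name, *reasons, sep="\n  ")
```

To run it against a live cluster, feed it the items of `oc get pods -A -o json` instead of the constructed manifests.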