
Network Observability

Red Hat offers cluster administrators the Network Observability Operator to observe the network traffic of OpenShift Container Platform clusters. Network Observability uses eBPF to generate network flows. The flows are then enriched with OpenShift Container Platform information and stored in Loki. You can view and analyze the stored flows in the OpenShift Container Platform console for further insight and troubleshooting.
Reference: Network Observability Operator in OpenShift Container Platform

Cluster versions

Current

$ oc get clusterversion -o json | jq ".items[0].spec"
{
  "channel": "candidate-4.12",
  "clusterID": "1ad501e2-5e60-45a5-9890-35d56bc06a4d",
  "desiredUpdate": {
    "force": false,
    "image": "quay.io/openshift-release-dev/ocp-release@sha256:31c7741fc7bb73ff752ba43f5acf014b8fadd69196fc522241302de918066cb1",
    "version": "4.12.2"
  }
}

History

$ oc get clusterversion -o json | jq ".items[0].status.history"
[
  {
    "completionTime": "2023-02-09T10:32:35Z",
    "image": "quay.io/openshift-release-dev/ocp-release@sha256:31c7741fc7bb73ff752ba43f5acf014b8fadd69196fc522241302de918066cb1",
    "startedTime": "2023-02-09T09:05:12Z",
    "state": "Completed",
    "verified": true,
    "version": "4.12.2"
  },
  {
    "completionTime": "2023-01-18T19:23:07Z",
    "image": "quay.io/openshift-release-dev/ocp-release@sha256:4c5a7e26d707780be6466ddc9591865beb2e3baa5556432d23e8d57966a2dd18",
    "startedTime": "2023-01-18T18:42:01Z",
    "state": "Completed",
    "verified": false,
    "version": "4.12.0"
  }
]

The "verified" field records whether the Cluster Version Operator checked the release image signature before applying that version: true for the 4.12.2 update, false for 4.12.0, which was laid down by the installer rather than pulled by the CVO. "force": false in desiredUpdate means the update was not allowed to skip that verification. Release images are referenced by digest, so the history pins exactly which payload ran.
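The checks a practitioner would run over this output, as an added example (not code from the page): it takes the JSON that `oc get clusterversion -o json` returns, flags a forced update, a candidate channel, release images that are not digest-pinned or come from an unexpected repository, and history entries applied without CVO verification. The sample object is constructed to mirror the page's output with shortened digests; the repository constant and the function names are assumptions of this example.

```python
"""Added example (not from the original page): audit a ClusterVersion object.

Assumes the JSON shape shown on the page ("oc get clusterversion -o json");
the sample object below is constructed for the example, with the digests
shortened, and the helper names are our own.
"""
import json
import re

# Constructed sample, same shape as `oc get clusterversion -o json`.
SAMPLE = json.loads("""
{
  "items": [
    {
      "spec": {
        "channel": "candidate-4.12",
        "desiredUpdate": {"force": false,
                          "image": "quay.io/openshift-release-dev/ocp-release@sha256:31c7741f",
                          "version": "4.12.2"}
      },
      "status": {
        "history": [
          {"completionTime": "2023-02-09T10:32:35Z", "state": "Completed", "verified": true,
           "image": "quay.io/openshift-release-dev/ocp-release@sha256:31c7741f", "version": "4.12.2"},
          {"completionTime": "2023-01-18T19:23:07Z", "state": "Completed", "verified": false,
           "image": "quay.io/openshift-release-dev/ocp-release@sha256:4c5a7e26", "version": "4.12.0"}
        ]
      }
    }
  ]
}
""")

DIGEST_RE = re.compile(r"@sha256:[0-9a-f]+$")
# Assumption: the only repository we expect release payloads to come from.
TRUSTED_REPO = "quay.io/openshift-release-dev/ocp-release"


def audit_clusterversion(cv: dict) -> list[str]:
    """Return a list of findings (empty list == nothing to report)."""
    findings = []
    spec = cv["spec"]
    history = cv.get("status", {}).get("history", [])
    desired = spec.get("desiredUpdate") or {}

    if desired.get("force"):
        findings.append("desiredUpdate.force is true: signature verification can be bypassed")
    if spec.get("channel", "").startswith("candidate-"):
        findings.append(f"cluster follows a candidate channel: {spec['channel']}")

    for i, entry in enumerate(history):
        image = entry.get("image", "")
        tag = f"{entry.get('version')} ({entry.get('state')})"
        if not DIGEST_RE.search(image):
            findings.append(f"{tag}: release image is not digest-pinned: {image}")
        if not image.startswith(TRUSTED_REPO + "@"):
            findings.append(f"{tag}: release image comes from an unexpected repository: {image}")
        # history[-1] is the version laid down at install time; in the page's
        # output it is the only entry with verified=false, so only later
        # entries without verification are reported.
        if not entry.get("verified") and i != len(history) - 1:
            findings.append(f"{tag}: release image was applied without CVO signature verification")

    # history[0] is the newest entry; it should match what spec asks for.
    if history and desired.get("image") and history[0].get("image") != desired["image"]:
        findings.append("desiredUpdate.image differs from the latest history entry (update pending or failed)")
    return findings


if __name__ == "__main__":
    for line in audit_clusterversion(SAMPLE["items"][0]):
        print(line)
```

On the page's cluster the only finding is the candidate channel; run it against the live output with `oc get clusterversion -o json | python3 audit_cv.py` after swapping `SAMPLE` for `json.load(sys.stdin)`.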

Load balancer config

Default haproxy config

Health-check parameters used by the default config:

inter 1s: the "inter" parameter sets the interval between two consecutive health checks (in milliseconds unless a unit such as "s" is given).
fall 2: the "fall" parameter states that a server will be considered dead after <count> consecutive unsuccessful health checks.
rise 3: the "rise" parameter states that a server will be considered operational after <count> consecutive successful health checks.
httpchk: GET /readyz HTTP/1.0

With inter 1s and fall 2 a backend is taken out of rotation about two seconds after it stops answering /readyz; with rise 3 it needs three consecutive successful checks, about three seconds, before it receives traffic again.

global
    stats socket /var/lib/haproxy/run/haproxy.sock mode 600 level admin expose-fd listeners
defaults
    maxconn 20000
    mode tcp
    log /var/run/haproxy/haproxy-log.

The stats socket is "level admin": anyone who can write to it can disable servers or change weights, so keep the 600 mode and the socket owned by the haproxy user. "expose-fd listeners" is what allows a seamless reload to hand the listening sockets to the new process.
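To see what inter/fall/rise actually do to a flapping backend, here is a small simulation of haproxy's health-check counters (an added example, not configuration or code from the page). The inter 1s, fall 2 and rise 3 values are the page's defaults; the check sequence, the function names and the simplification of ignoring fastinter/downinter are assumptions of this example.

```python
"""Added example (not from the original page): simulate haproxy's fall/rise
health-check counters over a sequence of check results.

The inter/fall/rise values are the page's defaults; the check sequence and
the function names are our own, and the model ignores haproxy's fastinter /
downinter adjustments, which the page's config does not set.
"""
from dataclasses import dataclass, field


@dataclass
class ServerState:
    inter_s: float = 1.0   # "inter 1s": seconds between two consecutive checks
    fall: int = 2          # consecutive failures before the server is marked DOWN
    rise: int = 3          # consecutive successes before a DOWN server is UP again
    up: bool = True        # a server starts UP unless configured otherwise
    streak: int = 0        # consecutive results contradicting the current state
    transitions: list = field(default_factory=list)   # (time_s, "UP"/"DOWN")

    def observe(self, t: float, ok: bool) -> None:
        """Feed one health-check result taken at time t (seconds)."""
        if ok == self.up:
            self.streak = 0          # result agrees with current state: counter resets
            return
        self.streak += 1
        needed = self.fall if self.up else self.rise
        if self.streak >= needed:
            self.up = ok
            self.streak = 0
            self.transitions.append((t, "UP" if ok else "DOWN"))


def simulate(results: list, inter_s: float = 1.0, fall: int = 2, rise: int = 3) -> list:
    """Run checks spaced inter_s apart and return the list of state transitions."""
    srv = ServerState(inter_s=inter_s, fall=fall, rise=rise)
    for i, ok in enumerate(results):
        srv.observe(i * inter_s, ok)
    return srv.transitions


# Constructed scenario: healthy, then the apiserver stops answering /readyz,
# comes back briefly (flap), fails once more, then recovers for good.
#            t=0   1     2      3      4     5     6      7     8     9     10
SCENARIO = [True, True, False, False, True, True, False, True, True, True, True]

if __name__ == "__main__":
    for t, state in simulate(SCENARIO):
        print(f"t={t:4.1f}s  server marked {state}")
```

The backend goes DOWN at t=3s (second consecutive failure) and only returns at t=9s: the two successes at t=4s and t=5s are thrown away by the failure at t=6s, so the rise counter has to start over. Alternating pass/fail never trips fall 2 at all, which is why a backend that fails every other check keeps receiving traffic.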

NFS defaults

Default versions

Kernel versions 4.18 and above default to NFS 4.2. The client tries, in order, 4.2, then 4.1, then 4.0; the version actually used is the first one the server accepts.
https://access.redhat.com/articles/6907891
https://access.redhat.com/articles/3626571

Default mount options

rw,relatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,local_lock=none,addr=<nfs_server>

sec=sys (AUTH_SYS) means the server trusts the UID/GID the client asserts; there is no authentication of the client itself, so the export list and the network path are the only access control.

Customize mount options
https://access.redhat.com/solutions/6065961

apiVersion: v1
kind: PersistentVolume
spec:
  [...]
  mountOptions:
  - nfsvers=4.1
  [...]

You can make an RPC call to the NFS server to get the supported versions:

$ rpcinfo -p 192.168.0.10 | grep nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs

and adapt the mount options to what your NFS server supports. Note that rpcbind only knows the major version: NFSv4 minor versions (4.1, 4.2) are negotiated inside the protocol, so rpcinfo cannot tell you whether 4.2 is available, only that some NFSv4 is.
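As an added example (not code from the page), the following parses a mount-option string of the form shown above and the `rpcinfo -p` output, and reports what a practitioner would want to know before committing a PV's mountOptions: the AUTH_SYS trust model, an NFSv3 export still being registered, and whether the requested vers= can be honoured. The option string and the rpcinfo lines are the page's, with the server address filled in as a constructed 192.168.0.10; the function names and the fallback rule are assumptions of this example.

```python
"""Added example (not from the original page): parse an NFS mount-option string
and `rpcinfo -p` output and decide which vers= to request.

The sample option string and rpcinfo lines mirror the page's, with the server
address filled in as a constructed 192.168.0.10; function names are our own.
"""
from typing import Optional

DEFAULT_OPTS = ("rw,relatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,"
                "proto=tcp,timeo=600,retrans=2,sec=sys,local_lock=none,addr=192.168.0.10")

# Constructed `rpcinfo -p 192.168.0.10 | grep nfs` output (same shape as the page's).
RPCINFO_NFS = """\
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
"""

NFS_PROGRAM = "100003"   # RPC program number of NFS


def parse_mount_options(opts: str) -> dict:
    """'a,b=c' -> {'a': True, 'b': 'c'}; a later key overrides an earlier one, like mount does."""
    out = {}
    for item in opts.split(","):
        if not item:
            continue
        key, sep, val = item.partition("=")
        out[key] = val if sep else True
    return out


def nfs_major_versions(rpcinfo_text: str) -> set:
    """Major NFS versions the server registered with rpcbind (minor versions are not visible)."""
    versions = set()
    for line in rpcinfo_text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[0] == NFS_PROGRAM and fields[-1] == "nfs":
            versions.add(int(fields[1]))
    return versions


def choose_vers(server_majors: set, want: str = "4.2") -> Optional[str]:
    """vers= value to request, or None if the server offers nothing acceptable.

    Assumption of this example: if the wanted major version is registered we keep
    the requested minor version (4.x minors are negotiated in-protocol); otherwise
    we fall back to the highest lower major the server registered.
    """
    major = int(want.split(".")[0])
    if major in server_majors:
        return want
    lower = [v for v in server_majors if v < major]
    return str(max(lower)) if lower else None


def review(opts: str, rpcinfo_text: str) -> list:
    """Findings a practitioner would want before committing a PV's mountOptions."""
    o = parse_mount_options(opts)
    majors = nfs_major_versions(rpcinfo_text)
    notes = []
    if o.get("sec") == "sys":
        notes.append("sec=sys: AUTH_SYS, the server trusts client-asserted UID/GID")
    if 3 in majors:
        notes.append("server still exports NFSv3; rpcbind, mountd and lockd are reachable on the network")
    want = o.get("vers") or o.get("nfsvers") or "4.2"
    chosen = choose_vers(majors, want)
    if chosen is None:
        notes.append(f"requested vers={want} but server offers only {sorted(majors)}")
    elif chosen != want:
        notes.append(f"requested vers={want}; falling back to vers={chosen}")
    return notes


if __name__ == "__main__":
    for note in review(DEFAULT_OPTS, RPCINFO_NFS):
        print("-", note)
```

Against the page's server the review reports the AUTH_SYS trust model and the NFSv3 registration; a PV asking for `nfsvers=3` against a server that only registers version 4 would be reported as unsatisfiable instead of silently failing at mount time.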

Pod Security Admission

Pod Security Policies are deprecated since Kubernetes 1.21 (removed in 1.25) and replaced by Pod Security Admission.
https://kubernetes.io/docs/concepts/security/pod-security-standards/
https://cloud.redhat.com/blog/pod-security-admission-in-openshift-4.11

New labels added to each namespace:

pod-security.kubernetes.io/enforce=privileged
pod-security.kubernetes.io/audit=restricted
pod-security.kubernetes.io/warn=restricted
security.openshift.io/scc.podSecurityLabelSync=true

With these defaults nothing is rejected: a pod that violates the restricted profile only produces an audit annotation and a warning. The enforce label has to be raised to restricted to block it.

Default specs needed for the restricted profile:

securityContext:
  runAsNonRoot: true
  seccompProfile:
    type: RuntimeDefault
containers:
- name: my-cronjob-container
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop: ['ALL']

Dry run apply enforce (the server-side dry run evaluates the existing pods of every namespace and returns a warning for each one that would be rejected, without changing any label):

$ oc label --dry-run=server --overwrite ns --all pod-security.kubernetes.io/enforce=restricted

Audit script

#!/usr/bin/env python3
# filename : audit.py
# description : Generates a list of PSA violations
# author : mmayeras
# company : Red Hat
# date : 20221215
# version : 0.
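The page's audit.py is cut off above. As an added example, and not that script nor any code from the page, here is a checker that evaluates pod specs against the restricted-profile settings the page lists (runAsNonRoot, seccompProfile, allowPrivilegeEscalation, capabilities) and returns the violations per pod, the same shape of result the dry-run label command reports as warnings. The two pod objects are constructed for the example; the first is the page's spec, the second a typical legacy pod. It covers only the controls named on the page, not the baseline checks (hostNetwork, hostPath, privileged ...) that restricted also inherits.

```python
"""Added example (not the page's audit.py): report restricted-profile
violations for pod specs, for the controls the page lists.

Pod objects below are constructed; field paths follow the Pod spec. The
checks mirror the Pod Security Standards wording for these controls:
runAsNonRoot must be true (pod or container level), runAsUser must not
be 0, seccompProfile.type must be RuntimeDefault or Localhost,
allowPrivilegeEscalation must be false, capabilities.drop must contain
ALL and only NET_BIND_SERVICE may be added back.
"""

# Constructed pod built from the spec the page shows.
GOOD_POD = {
    "metadata": {"name": "hardened", "namespace": "demo"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [
            {"name": "my-cronjob-container", "image": "registry.example/app:1",
             "securityContext": {"allowPrivilegeEscalation": False,
                                 "capabilities": {"drop": ["ALL"]}}},
        ],
    },
}

# Constructed legacy pod: runs as root, no seccomp, adds NET_ADMIN.
BAD_POD = {
    "metadata": {"name": "legacy", "namespace": "demo"},
    "spec": {
        "securityContext": {"runAsUser": 0},
        "containers": [
            {"name": "web", "image": "registry.example/web:1",
             "securityContext": {"capabilities": {"add": ["NET_ADMIN"], "drop": ["ALL"]}}},
        ],
    },
}


def _all_containers(pod: dict) -> list:
    """PSA checks init, regular and ephemeral containers alike."""
    spec = pod.get("spec", {})
    return (spec.get("initContainers", []) + spec.get("containers", [])
            + spec.get("ephemeralContainers", []))


def restricted_violations(pod: dict) -> list:
    """Human-readable violations; an empty list means the pod would be admitted."""
    pod_sc = pod.get("spec", {}).get("securityContext") or {}
    violations = []

    for c in _all_containers(pod):
        name = c.get("name", "?")
        sc = c.get("securityContext") or {}

        # container setting wins, otherwise the pod-level one; must be exactly true
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            violations.append(f"{name}: runAsNonRoot != true")
        if sc.get("runAsUser", pod_sc.get("runAsUser")) == 0:
            violations.append(f"{name}: runAsUser == 0")

        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            violations.append(f"{name}: seccompProfile.type != RuntimeDefault/Localhost")

        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(f"{name}: allowPrivilegeEscalation != false")

        caps = sc.get("capabilities") or {}
        if "ALL" not in caps.get("drop", []):
            violations.append(f"{name}: capabilities.drop does not include ALL")
        extra = [cap for cap in caps.get("add", []) if cap != "NET_BIND_SERVICE"]
        if extra:
            violations.append(f"{name}: capabilities.add {extra} not allowed")
    return violations


def audit(pods: list) -> dict:
    """namespace/name -> violations, only for pods that have at least one."""
    report = {}
    for pod in pods:
        key = f"{pod['metadata'].get('namespace', 'default')}/{pod['metadata']['name']}"
        found = restricted_violations(pod)
        if found:
            report[key] = found
    return report


if __name__ == "__main__":
    for key, found in audit([GOOD_POD, BAD_POD]).items():
        print(key)
        for v in found:
            print("  -", v)
```

Feed it the output of `oc get pods -A -o json` (the `items` list) to get the same picture as the dry-run label command, with the reason per pod rather than only the pod name; for a CronJob the object to check is the pod template under spec.jobTemplate.spec.template.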