spectrocloud · lennessyy · Sep 16, 2024 · Sep 16, 2024 · Sep 16, 2024 · Sep 16, 2024
@@ -8,11 +8,58 @@ tags: ["clusters", "cluster management"]
 ---
 
 Palette supports the **Pause Agent Upgrades** feature to exclude a cluster or a group of clusters from getting
-automatically upgraded when Palette is upgraded. The three ways to activate this feature are:
+automatically upgraded when Palette is upgraded.
 
-- Pause Upgrades for a Single Cluster
-- Pause Upgrades for all Clusters within Project Scope
-- Pause Upgrades for all Clusters within Tenant Scope
+## Pause Agent Upgrade Scopes
+
+Upgrades can be paused and resumed in the following scopes:
+
+- Pause upgrades for a single cluster
+- Pause upgrades for all clusters within a project
+- Pause upgrades for all clusters within a tenant
+
+When determining if the agent upgrades for one cluster is paused or not, you only need to look at the setting for the
+cluster itself. Even if agent upgrades are paused on a tenant or project level, agent upgrades for an individual cluster
+can still be turned on.
+
+Pausing or resuming agent upgrades at a higher-level scope will automatically pause or resume agent upgrades in the
+lower-level scopes. For example, if you pause agent upgrades at the tenant level, then agent upgrades will be paused for
+all projects within that tenant, and all clusters within those projects. Similarly, if you resume upgrades at the
+project level, then all clusters within that project will have their agent upgrades resumed.
+
+This is a one-time change that happens at the moment when you pause or resume upgrades in the higher scope, and it does
-This is a one-time change that happens at the moment when you pause or resume upgrades in the higher scope, and it does
+This is a one-time change that happens at the moment when you pause or resume upgrades in the project or tenant scope, and it does
-This is a one-time change that happens at the moment when you pause or resume upgrades in the higher scope, and it does
+This is a one-time change that happens at the moment when you pause or resume upgrades in the project or tenant scope, and it does
+not mandate that the same setting be kept at the lower scopes. If you pause or resume agent upgrades in a lower-level
+scope, it will override the setting from the higher-level scope. For example, even if all agent upgrades are paused at
+the tenant level, you can override the tenant-level pause by resuming upgrades in a specific project or a specific
+cluster. However, if you resume upgrades at the tenant level, and then pause again at the tenant level, it will pause
+agent upgrades for all clusters within the tenant, including clusters where you manually overrode the tenant-level
+settings and resumed agent upgrades.
+
+## Agent Upgrades for PCG and Edge Hosts
+
+Aside from clusters, you can also pause the agent upgrades on Private Cloud Gateways (PCG) and Edge hosts that are
+registered with Palette but are not part of a cluster.
+
+Since PCGs are scoped to tenants, you can pause the agent upgrades on a PCG by pausing agent upgrades on the tenant to
+which the PCG is associated. You can also pause or resume upgrades for a PCG in the PCG details page through **Cluster
+Settings**. Similar to clusters, pausing and resuming upgrades at the tenant level will pause or resume agent upgrades
+for all PCGs in the tenant. Pausing and resuming upgrades for a PCG individually will override the tenant-level setting.
+
+Edge hosts that are part of a cluster have their agent upgrades managed by the settings of their cluster. Edge hosts
+that are not part of a cluster have their agent upgrades managed at the project and tenant level. Similar to clusters,
+pausing or resuming agent upgrades at the tenant level will automatically pause or resume agent upgrades for all
+projects with in that tenant. However, you can override the tenant level setting by manually changing the upgrade
-projects with in that tenant. However, you can override the tenant level setting by manually changing the upgrade
+projects within that tenant. However, you can override the tenant level setting by manually changing the upgrade
-projects with in that tenant. However, you can override the tenant level setting by manually changing the upgrade
+projects within that tenant. However, you can override the tenant level setting by manually changing the upgrade
+setting at the project level.
+
+The following is a table showing the scopes at which you can pause agent upgrades for different objects. The same
+relationship between the scopes applies: Changing the setting in a higher scope will trigger a one-time change to the
+lower scopes, and changing the setting at the lower scope will override the setting in the higher scope.
+
+|                 | Individual Cluster/PCG | Project | Tenant |
+| --------------- | ---------------------- | ------- | ------ |
+| Cluster         | ✅                     | ✅      | ✅     |
+| PCG             | ✅                     |         | ✅     |
+| Idle Edge hosts |                        | ✅      | ✅     |
 
 ## Prerequisites
 
@@ -71,6 +118,24 @@ clusters within the project scope, or all within the tenant scope.
 
 </TabItem>
 
+<TabItem value="singlePcg" label="Single PCG" >
+
+1. Log in to [Palette](https://console.spectrocloud.com) as a tenant administrator.
+
+2. Navigate to the left **Main Menu** and select **Tenant Settings**.
+
+3. Select **Private Cloud Gateways** from the **Tenant Settings Menu**
+
+4. Click on the PCG you want to pause or resume upgrades for.
+
+5. From the PCG details page, click **Settings** > **Cluster Settings**.
+
+6. Toggle the **Pause Agent Upgrades** button to pause upgrades for the PCG.
+
+7. A pop-up box will ask you to confirm the action. Click **OK**.
+
+</TabItem>
+
 </Tabs>
 
 ## Validate
@@ -93,6 +158,9 @@ clusters within the project scope, or all within the tenant scope.
 
 <TabItem value="projectScope" label="All Clusters - Project Scope">
 
+Pausing upgrades in a project also pauses agent upgrades for all Edge hosts in the project that are not part of a
+cluster.
+
 1. Log in to [Palette](https://console.spectrocloud.com).
 
 2. Navigate to the left **Main Menu** and click on **Project Settings**.
@@ -105,6 +173,9 @@ clusters within the project scope, or all within the tenant scope.
 
 <TabItem value="tenantScope" label="All Clusters - Tenant Scope">
 
+Pausing upgrades in a Tenant also pauses agent upgrades for all Edge hosts in the tenant that are not part of a cluster,
+as well as PCGs in the tenant.
+
 1. Log in to [Palette](https://console.spectrocloud.com).
 
 2. Navigate to the left **Main Menu** and click on **Tenant Settings**.
@@ -115,4 +186,20 @@ clusters within the project scope, or all within the tenant scope.
 
 </TabItem>
 
+<TabItem value="singlePcg" label="Single PCG" >
+
+1. Log in to [Palette](https://console.spectrocloud.com) as a tenant administrator.
+
+2. Navigate to the left **Main Menu** and select **Tenant Settings**.
+
+3. Select **Private Cloud Gateways** from the **Tenant Settings Menu**
+
+4. Click on the PCG you want to pause or resume upgrades for.
+
+5. From the PCG details page, click **Settings** > **Cluster Settings**.
+
+6. The **Pause Agent Upgrades** toggle button is checked.
+
+</TabItem>
+
 </Tabs>
@@ -0,0 +1,34 @@
+---
+sidebar_label: "CVE-2022-27191"
+title: "CVE-2022-27191"
+description: "Lifecycle of CVE-2022-27191"
+sidebar_class_name: "hide-from-sidebar"
+hide_table_of_contents: false
+toc_max_heading_level: 2
+tags: ["security", "cve"]
+---
+
+## CVE Details
+
+[CVE-2022-27191](https://nvd.nist.gov/vuln/detail/CVE-2022-27191)
+
+## Last Update
+
+11/7/2023
+
+## NIST Summary
+
+The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server
+in certain circumstances involving AddHostKey.
+
+## CVE Severity
+
+7.5
+
+## Status
+
+Resolved
+
+## Images
+
+- gcr.io/spectro-images-client/release/nas:4.4.14
@@ -0,0 +1,35 @@
+---
+sidebar_label: "CVE-2022-27664"
+title: "CVE-2022-27664"
+description: "Lifecycle of CVE-2022-27664"
+sidebar_class_name: "hide-from-sidebar"
+hide_table_of_contents: false
+toc_max_heading_level: 2
+tags: ["security", "cve"]
+---
+
+## CVE Details
+
+[CVE-2022-27664](https://nvd.nist.gov/vuln/detail/CVE-2022-27664)
+
+## Last Update
+
+11/7/2023
+
+## NIST Summary
+
+In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2
+connection can hang during closing if shutdown were preempted by a fatal error.
+
+## CVE Severity
+
+7.5
+
+## Status
+
+Ongoing
+
+## Images
+
+- registry.k8s.io/sig-storage/snapshot-validation-webhook:v6.2.1
+- registry.k8s.io/sig-storage/snapshot-controller:v6.2.1
@@ -0,0 +1,39 @@
+---
+sidebar_label: "CVE-2022-2880"
+title: "CVE-2022-2880"
+description: "Lifecycle of CVE-2022-2880"
+sidebar_class_name: "hide-from-sidebar"
+hide_table_of_contents: false
+toc_max_heading_level: 2
+tags: ["security", "cve"]
+---
+
+## CVE Details
+
+[CVE-2022-2880](https://nvd.nist.gov/vuln/detail/CVE-2022-2880)
+
+## Last Update
+
+11/25/2023
+
+## NIST Summary
+
+Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable
+parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with
+an unparsable value. After fix, ReverseProxy sanitizes the query parameters in the forwarded query when the outbound
+request's Form field is set after the ReverseProxy. Director function returns, indicating that the proxy has parsed the
+query parameters. Proxies which do not parse query parameters continue to forward the original query parameters
+unchanged.
+
+## CVE Severity
+
+7.5
+
+## Status
+
+Resolved
+
+## Images
+
+- registry.k8s.io/sig-storage/snapshot-validation-webhook:v6.2.1
+- registry.k8s.io/sig-storage/snapshot-controller:v6.2.1
@@ -0,0 +1,36 @@
+---
+sidebar_label: "CVE-2022-32190"
+title: "CVE-2022-32190"
+description: "Lifecycle of CVE-2022-32190"
+sidebar_class_name: "hide-from-sidebar"
+hide_table_of_contents: false
+toc_max_heading_level: 2
+tags: ["security", "cve"]
+---
+
+## CVE Details
+
+[CVE-2022-32190](https://nvd.nist.gov/vuln/detail/CVE-2022-32190)
+
+## Last Update
+
+11/7/2023
+
+## NIST Summary
+
+JoinPath and URL.JoinPath do not remove ../ path elements appended to a relative path. For example,
+JoinPath("https://go.dev", "../go") returns the URL "https://go.dev/../go", despite the JoinPath documentation stating
+that ../ path elements are removed from the result.
+
+## CVE Severity
+
+7.5
+
+## Status
+
+Ongoing
+
+## Images
+
+- registry.k8s.io/sig-storage/snapshot-validation-webhook:v6.2.1
+- registry.k8s.io/sig-storage/snapshot-controller:v6.2.1
@@ -0,0 +1,34 @@
+---
+sidebar_label: "CVE-2022-3715"
+title: "CVE-2022-3715"
+description: "Lifecycle of CVE-2022-3715"
+sidebar_class_name: "hide-from-sidebar"
+hide_table_of_contents: false
+toc_max_heading_level: 2
+tags: ["security", "cve"]
+---
+
+## CVE Details
+
+[CVE-2022-3715](https://nvd.nist.gov/vuln/detail/CVE-2022-3715)
+
+## Last Update
+
+2/24/2023
+
+## NIST Summary
+
+A flaw was found in the bash package, where a heap-buffer overflow can occur in valid parameter_transform. This issue
+may lead to memory problems.
+
+## CVE Severity
+
+7.8
+
+## Status
+
+Ongoing
+
+## Images
+
+- ghcr.io/k8snetworkplumbingwg/multus-cni:v4.0.2-thick
@@ -0,0 +1,42 @@
+---
+sidebar_label: "CVE-2022-3996"
+title: "CVE-2022-3996"
+description: "Lifecycle of CVE-2022-3996"
+sidebar_class_name: "hide-from-sidebar"
+hide_table_of_contents: false
+toc_max_heading_level: 2
+tags: ["security", "cve"]
+---
+
+## CVE Details
+
+[CVE-2022-3996](https://nvd.nist.gov/vuln/detail/CVE-2022-3996)
+
+## Last Update
+
+8/1/2024
+
+## NIST Summary
+
+If an X.509 certificate contains a malformed policy constraint and policy processing is enabled, then a write lock will
+be taken twice recursively. On some operating systems (most widely: Windows) this results in a denial of service when
+the affected process hangs. Policy processing being enabled on a publicly facing server is not considered to be a common
+setup.
+
+Policy processing is enabled by passing the \`-policy' argument to the command line utilities or by calling the
+\`X509_VERIFY_PARAM_set1_policies()' function.
+
+Update (31 March 2023): The description of the policy processing enablement was corrected based on CVE-2023-0466.
+
+## CVE Severity
+
+7.5
+
+## Status
+
+Ongoing
+
+## Images
+
+- gcr.io/spectro-images-public/release/kubevirt/virt-handler:v1.2.0
+- gcr.io/spectro-images-public/release/kubevirt/virt-launcher:v1.2.0
@@ -0,0 +1,38 @@
+---
+sidebar_label: "CVE-2022-41715"
+title: "CVE-2022-41715"
+description: "Lifecycle of CVE-2022-41715"
+sidebar_class_name: "hide-from-sidebar"
+hide_table_of_contents: false
+toc_max_heading_level: 2
+tags: ["security", "cve"]
+---
+
+## CVE Details
+
+[CVE-2022-41715](https://nvd.nist.gov/vuln/detail/CVE-2022-41715)
+
+## Last Update
+
+11/25/2023
+
+## NIST Summary
+
+Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of
+service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can
+be as high as 40,000, making relatively small regexps consume much larger amounts of memory. After fix, each regexp
+being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than
+that are rejected. Normal use of regular expressions is unaffected.
+
+## CVE Severity
+
+7.5
+
+## Status
+
+Ongoing
+
+## Images
+
+- registry.k8s.io/sig-storage/snapshot-validation-webhook:v6.2.1
+- registry.k8s.io/sig-storage/snapshot-controller:v6.2.1