feat: flatcar disable usb #1868

simonostendorf · 2025-10-16T09:50:31Z

Change description

This PR disables usb devices for Flatcar as described in their hardening guide.

Default value is false to keep the current behavior. But a user can disable usb devices in flatcar by setting disable_flatcar_usb to true.

Is this change including a new Provider or a new OS? (y/n) n
If yes, has the Provider/OS matrix been updated in the readme? (y/n) -
If adding a new provider, are you a representative of that provider? (y/n) -

Related issues

none

Additional context

none

k8s-ci-robot · 2025-10-16T09:50:41Z

Hi @simonostendorf. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

AndiDog · 2025-10-20T09:50:53Z

@mboersma What do you think of disabling USB by default (breaking change for very few users or none, I assume)?

/ok-to-test
/lgtm

mboersma · 2025-10-20T15:10:43Z

What do you think of disabling USB by default

It's safer to leave it enabled by default of course. But disabling it by default is probably safe to do: it seems unlikely that USB resources are required in a Kubernetes environment.

@simonostendorf the linter has these complaints:

WARNING Listing 2 violation(s) that are fatal
command-instead-of-module: sed used in place of template, replace or lineinfile module
ansible/roles/node/tasks/flatcar.yml:26 Task/Handler: Set default HOME_MODE in login.defs
no-changed-when: Commands should not change things if nothing needs doing.
ansible/roles/node/tasks/flatcar.yml:26 Task/Handler: Set default HOME_MODE in login.defs

simonostendorf · 2025-10-21T09:32:23Z

/retest

AverageMarcus · 2025-10-22T06:23:40Z

If we're disabling USB by default can we please make sure there are some docs on how to re-enable it. Thinking about the on-prem folks here that might be using Kuberentes in things like factories.

simonostendorf · 2025-10-22T07:01:29Z

If we're disabling USB by default can we please make sure there are some docs on how to re-enable it. Thinking about the on-prem folks here that might be using Kuberentes in things like factories.

Good point, I can do that.

Can you help me with the ci? What do I have to change to get the pull-ova-all job green? :D

AverageMarcus · 2025-10-22T13:25:47Z

/retest

It might be a flake. Let's see if it works this time. 🙂

mboersma · 2025-10-22T16:24:02Z

2025/10/22 13:32:52 packer-plugin-ansible_v1.1.3_x5.0_linux_amd64 plugin: 2025/10/22 13:32:52 [INFO] 0 bytes written for 'stdin'
�[0;32m vsphere-iso.vsphere:�[0m
�[0;32m vsphere-iso.vsphere: TASK [node : Blacklist usb-storage module] *************************************�[0m
�[0;32m vsphere-iso.vsphere: fatal: [default]: FAILED! => {"changed": false, "checksum": "956ad786624ff9c9d06cfc3e78996595024049dc", "msg": "Destination directory /etc/modprobe.d does not exist"}�[0m
�[0;32m vsphere-iso.vsphere:�[0m

simonostendorf · 2025-10-23T09:21:47Z

I suggest to add the following code to the sed command because it was implemented like this before and flatcar needs the sed command instead of the lineinfile because of the read-only filesystem in the /etc folder:

  args:
    warn: false
  tags:
    - skip_ansible_lint

What do you think?

mboersma · 2025-10-23T14:51:53Z

@simonostendorf I think that's fine to skip the linting in this case.

simonostendorf · 2025-10-23T19:17:42Z

next try, hopefully now :/

simonostendorf · 2025-10-23T20:00:16Z

linting and pull job works now, I will add docs and I guess then its ready to merge :D

simonostendorf · 2025-10-23T20:21:44Z

/retest

simonostendorf · 2025-10-24T16:11:38Z

/retest

mboersma

/lgtm

drew-viles

/lgtm
/approve

k8s-ci-robot · 2025-10-24T18:52:36Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: drew-viles

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

~~OWNERS~~ [drew-viles]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Oct 16, 2025

k8s-ci-robot requested review from AndiDog and jsturtevant October 16, 2025 09:50

k8s-ci-robot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Oct 16, 2025

k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Oct 20, 2025

k8s-ci-robot assigned AndiDog Oct 20, 2025

k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 20, 2025

simonostendorf force-pushed the feat/flatcar-disable-usb branch from 2774e55 to b0097bf Compare October 21, 2025 08:27

k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 21, 2025

simonostendorf force-pushed the feat/flatcar-disable-usb branch 2 times, most recently from 6cd29ed to 1f735b8 Compare October 23, 2025 09:03

simonostendorf force-pushed the feat/flatcar-disable-usb branch 2 times, most recently from 50495bf to 7615e7e Compare October 23, 2025 19:17

feat: flatcar disable usb

bb55893

simonostendorf force-pushed the feat/flatcar-disable-usb branch from 7615e7e to bb55893 Compare October 23, 2025 20:04

mboersma approved these changes Oct 24, 2025

View reviewed changes

k8s-ci-robot assigned mboersma Oct 24, 2025

k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 24, 2025

mboersma requested a review from drew-viles October 24, 2025 17:06

drew-viles approved these changes Oct 24, 2025

View reviewed changes

k8s-ci-robot assigned drew-viles Oct 24, 2025

k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 24, 2025

k8s-ci-robot merged commit 7701754 into kubernetes-sigs:main Oct 24, 2025
10 checks passed

simonostendorf deleted the feat/flatcar-disable-usb branch October 24, 2025 19:44

Uh oh!

feat: flatcar disable usb #1868

feat: flatcar disable usb #1868

Conversation

simonostendorf commented Oct 16, 2025

Change description

Related issues

Additional context

Uh oh!

k8s-ci-robot commented Oct 16, 2025

Uh oh!

AndiDog commented Oct 20, 2025

Uh oh!

mboersma commented Oct 20, 2025

Uh oh!

simonostendorf commented Oct 21, 2025

Uh oh!

AverageMarcus commented Oct 22, 2025

Uh oh!

simonostendorf commented Oct 22, 2025

Uh oh!

AverageMarcus commented Oct 22, 2025

Uh oh!

mboersma commented Oct 22, 2025

Uh oh!

simonostendorf commented Oct 23, 2025

Uh oh!

mboersma commented Oct 23, 2025

Uh oh!

simonostendorf commented Oct 23, 2025

Uh oh!

simonostendorf commented Oct 23, 2025

Uh oh!

simonostendorf commented Oct 23, 2025

Uh oh!

simonostendorf commented Oct 24, 2025

Uh oh!

mboersma left a comment

Choose a reason for hiding this comment

Uh oh!

drew-viles left a comment

Choose a reason for hiding this comment

Uh oh!

k8s-ci-robot commented Oct 24, 2025

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants