-
Spike
-
Resolution: Done
-
Critical
-
None
-
None
-
False
-
None
-
False
-
-
Impact of OCPBUGS-30319:
Which 4.y.z to 4.y'.z' updates increase vulnerability?
Upgrading from 4.14 to any 4.15.z that does not include the fix for OCPBUGS-30319.
Which types of clusters?
Any cluster without an integrated image registry, either the capability disabled or the image registry removed will be affected by this problem if upgraded to any 4.15.z version that does not include the fix.
What is the impact? Is it serious enough to warrant removing update recommendations?
If a user sets up an SA as an OAuth2 client according to https://docs.openshift.com/container-platform/4.15/authentication/using-service-accounts-as-oauth-client.html, users of the application using the SA to retrieve tokens from OpenShift will no longer be able authenticate to the said application. This mechanism is also used by the oauth-proxy, but is generally applicable.
How involved is remediation?
To work around this issue, create a legacy SA token secret according to https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#auto-generated-legacy-serviceaccount-token-clean-up and then edit the SA object's .secrets field with the name of the secret.
Is this a regression?
Yes, from 4.14 to any 4.15.z that does not include the fix for OCPBUGS-30319.
- blocks
-
OCPBUGS-30319 ServiceAccounts can no longer be used as OAuth2 clients
- Closed
- links to