Uploaded image for project: 'OpenShift Builds'
  1. OpenShift Builds
  2. BUILD-1545

Bug in Shared Resources error handling for secret/configmap fetch

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Normal Normal
    • builds-1.6
    • None
    • None
    • 1
    • False
    • Hide

      None

      Show
      None
    • False
    • Hide
      Fixed a bug that allowed the CSI driver to bypass the RBAC security checks when mounting Secrets and ConfigMaps. Previously, the incorrect error handling logic caused the driver to ignore "Forbidden" errors from the API server, leading to an empty volume being mounted instead of failing the mount operation. This fix ensures the driver properly enforces RBAC permissions, preventing unauthorized access to these resources and correctly failing the mount if the required RoleBinding is missing.

      Show
      Fixed a bug that allowed the CSI driver to bypass the RBAC security checks when mounting Secrets and ConfigMaps. Previously, the incorrect error handling logic caused the driver to ignore "Forbidden" errors from the API server, leading to an empty volume being mounted instead of failing the mount operation. This fix ensures the driver properly enforces RBAC permissions, preventing unauthorized access to these resources and correctly failing the mount if the required RoleBinding is missing.
    • Bug Fix
    • Builds Sprint #33, Builds Sprint #35
    • 2

      Description of problem:

      There is a bug in the error handling in the code of csi-driver that is fetching the secret/configmap. The bug is in the GetSecret and GetConfigMap functions(in pkg/client/listers.go). Both correctly log the "forbidden" error from the API server, but then it hides the error and returns 'nil'. This causes the driver to mount an empty volume instead of failing the mount.

      Workaround

      Prerequisites (if any, like setup, operators/versions):

      Steps to Reproduce

       # <steps>

       

      Actual results:

      GetSecret and GetConfigMap functions(in pkg/client/listers.go) are correctly logging the "forbidden" error from the API server, but then it hides the error and returns 'nil'. This causes the driver to mount an empty volume instead of failing the mount. This allows CSI driver to have access to the secret/configmap where the name-spaced RoleBinding is not created yet.

      Expected results:

      Instead of just logging the error and returning `nil`, both of these functions should pass the error up to the function(s) that called it. mapBackingResourceToPod function from pkg/csidriver/driver.go would then correctly tell the kubelet to fail the mount.

      Reproducibility (Always/Intermittent/Only Once):

      Acceptance criteria: 

       

      Definition of Done:

      Build Details:

      Additional info (Such as Logs, Screenshots, etc):

       

       *

              rh-ee-anborah Anchita Borah
              rh-ee-anborah Anchita Borah
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated: