  2. GITOPS-2572

openshift-gitops-openshift-gitops-argocd-application-controller referencing non-existing serviceAccount


    • 5
    • False
    • None
    • False
    • GITOPS Sprint 239
    • Moderate

      Description of problem:

      With OpenShift GitOps installed but DISABLE_DEFAULT_ARGOCD_INSTANCE set to true in the Subscription, we can still see the respective serviceAccount referenced in the openshift-gitops-openshift-gitops-argocd-application-controller ClusterRoleBinding

      $ oc get clusterversion
      NAME      VERSION   AVAILABLE   PROGRESSING   SINCE   STATUS
      version   4.11.20   True        False         8d      Cluster version is 4.11.20
      
      $ oc get clusterrolebinding openshift-gitops-openshift-gitops-argocd-application-controller -o yaml
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRoleBinding
      metadata:
        annotations:
          argocds.argoproj.io/name: openshift-gitops
          argocds.argoproj.io/namespace: openshift-gitops
        creationTimestamp: "2023-01-13T12:34:38Z"
        labels:
          app.kubernetes.io/managed-by: openshift-gitops
          app.kubernetes.io/name: argocd-application-controller
          app.kubernetes.io/part-of: argocd
        name: openshift-gitops-openshift-gitops-argocd-application-controller
        resourceVersion: "1744696"
        uid: a9abbbfe-ccbe-44db-8032-8fc1b2946b61
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: openshift-gitops-openshift-gitops-argocd-application-controller
      subjects:
      - kind: ServiceAccount
        name: openshift-gitops-argocd-application-controller
        namespace: openshift-gitops
      
      $ oc get sa -n openshift-gitops
      NAME                     SECRETS   AGE
      builder                  1         6d18h
      default                  1         6d18h
      deployer                 1         6d18h
      gitops-service-cluster   1         6d18h
      
      $ oc get subscription -n openshift-operators openshift-gitops-operator -o json | jq '.spec'
      {
        "channel": "latest",
        "config": {
          "env": [
            {
              "name": "DISABLE_DEFAULT_ARGOCD_INSTANCE",
              "value": "true"
            }
          ]
        },
        "installPlanApproval": "Automatic",
        "name": "openshift-gitops-operator",
        "source": "redhat-operators",
        "sourceNamespace": "openshift-marketplace",
        "startingCSV": "openshift-gitops-operator.v1.7.0"
      }
      

      It's therefore not clear whether the ClusterRoleBinding openshift-gitops-openshift-gitops-argocd-application-controller should still exist in the given scenario or actually also get removed.

      In any case, the desired state should be to remove the serviceAccount from the ClusterRoleBinding once the serviceAccount itself is removed together with the default instance.

      It is also a security recommendation to remove non-existing serviceAccounts from ClusterRoleBindings, as a potential attacker could abuse the current state by creating the missing serviceAccount and thereby gain undesired permissions.
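      The check behind this recommendation can be scripted. The following is an added example (not part of the bug report or of the OpenShift GitOps operator): it consumes the JSON that `oc get clusterrolebindings -o json` and `oc get sa -A -o json` produce, flags every ServiceAccount subject whose namespace/name pair does not exist, and shows the "remove the reference" remediation by returning a copy of the binding with the dangling subjects stripped. The embedded sample data is constructed from the ClusterRoleBinding and serviceAccount list quoted above; the function names are this example's own.

```python
import json
import sys

# Constructed sample input: the ClusterRoleBinding quoted in this report, trimmed to
# the fields the check uses, in the shape `oc get clusterrolebindings -o json`
# returns (a List whose items are the bindings).
CRB_LIST_JSON = """
{
  "apiVersion": "v1",
  "kind": "List",
  "items": [
    {
      "apiVersion": "rbac.authorization.k8s.io/v1",
      "kind": "ClusterRoleBinding",
      "metadata": {"name": "openshift-gitops-openshift-gitops-argocd-application-controller"},
      "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole",
                  "name": "openshift-gitops-openshift-gitops-argocd-application-controller"},
      "subjects": [
        {"kind": "ServiceAccount",
         "name": "openshift-gitops-argocd-application-controller",
         "namespace": "openshift-gitops"}
      ]
    }
  ]
}
"""

# Constructed sample input: the ServiceAccounts the report lists in openshift-gitops,
# in the shape `oc get sa -A -o json` returns.
SA_LIST_JSON = """
{
  "apiVersion": "v1",
  "kind": "List",
  "items": [
    {"kind": "ServiceAccount", "metadata": {"name": "builder", "namespace": "openshift-gitops"}},
    {"kind": "ServiceAccount", "metadata": {"name": "default", "namespace": "openshift-gitops"}},
    {"kind": "ServiceAccount", "metadata": {"name": "deployer", "namespace": "openshift-gitops"}},
    {"kind": "ServiceAccount", "metadata": {"name": "gitops-service-cluster", "namespace": "openshift-gitops"}}
  ]
}
"""


def load_samples():
    """Parse the constructed sample documents (binding list, serviceAccount list)."""
    return json.loads(CRB_LIST_JSON), json.loads(SA_LIST_JSON)


def existing_service_accounts(sa_list):
    """Set of (namespace, name) for every ServiceAccount in an `oc get sa -A -o json` List."""
    return {(sa["metadata"]["namespace"], sa["metadata"]["name"]) for sa in sa_list["items"]}


def dangling_subjects(binding, existing):
    """ServiceAccount subjects of one binding whose (namespace, name) does not exist.

    User and Group subjects are skipped: they are not API objects, so their
    existence cannot be checked against the serviceAccount list.
    """
    missing = []
    for subj in binding.get("subjects") or []:
        if subj.get("kind") != "ServiceAccount":
            continue
        # A ServiceAccount subject must carry a namespace; treat a missing one as
        # empty so the subject is reported as dangling rather than silently skipped.
        key = (subj.get("namespace", ""), subj.get("name", ""))
        if key not in existing:
            missing.append(key)
    return missing


def audit(crb_list, sa_list):
    """Map binding name -> dangling ServiceAccount subjects, for bindings that have any."""
    existing = existing_service_accounts(sa_list)
    report = {}
    for binding in crb_list["items"]:
        missing = dangling_subjects(binding, existing)
        if missing:
            report[binding["metadata"]["name"]] = missing
    return report


def without_dangling_subjects(binding, existing):
    """Copy of the binding with its dangling ServiceAccount subjects removed.

    This is the "remove the reference" remediation; a binding whose subjects list
    ends up empty grants nothing and is a candidate for deletion instead.
    """
    missing = set(dangling_subjects(binding, existing))
    kept = [s for s in binding.get("subjects") or []
            if not (s.get("kind") == "ServiceAccount"
                    and (s.get("namespace", ""), s.get("name", "")) in missing)]
    fixed = dict(binding)
    fixed["subjects"] = kept
    return fixed


if __name__ == "__main__":
    # With two file arguments, read saved `oc get clusterrolebindings -o json` and
    # `oc get sa -A -o json` output; otherwise run against the constructed samples.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f:
            crbs = json.load(f)
        with open(sys.argv[2]) as f:
            sas = json.load(f)
    else:
        crbs, sas = load_samples()
    for name, missing in audit(crbs, sas).items():
        for ns, sa in missing:
            print(f"{name}: ServiceAccount {ns}/{sa} does not exist")
```

      Run without arguments it reports the one dangling subject from this issue; on a live cluster, save the two `oc get` outputs to files and pass them as the two arguments. The same check applies to namespaced RoleBindings, since their ServiceAccount subjects carry an explicit namespace as well.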

      Prerequisites (if any, like setup, operators/versions):

      Run the below patch to disable the default GitOps instance.

      $ oc patch subscription openshift-gitops-operator -n openshift-operators --type=merge -p='{"spec":{"config":{"env":[{"name":"DISABLE_DEFAULT_ARGOCD_INSTANCE","value":"true"}]}}}'
      

      Steps to Reproduce

      $ oc patch subscription openshift-gitops-operator -n openshift-operators --type=merge -p='{"spec":{"config":{"env":[{"name":"DISABLE_DEFAULT_ARGOCD_INSTANCE","value":"true"}]}}}'
      
      $ oc get clusterversion
      NAME      VERSION   AVAILABLE   PROGRESSING   SINCE   STATUS
      version   4.11.20   True        False         8d      Cluster version is 4.11.20
      
      $ oc get clusterrolebinding openshift-gitops-openshift-gitops-argocd-application-controller -o yaml
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRoleBinding
      metadata:
        annotations:
          argocds.argoproj.io/name: openshift-gitops
          argocds.argoproj.io/namespace: openshift-gitops
        creationTimestamp: "2023-01-13T12:34:38Z"
        labels:
          app.kubernetes.io/managed-by: openshift-gitops
          app.kubernetes.io/name: argocd-application-controller
          app.kubernetes.io/part-of: argocd
        name: openshift-gitops-openshift-gitops-argocd-application-controller
        resourceVersion: "1744696"
        uid: a9abbbfe-ccbe-44db-8032-8fc1b2946b61
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: openshift-gitops-openshift-gitops-argocd-application-controller
      subjects:
      - kind: ServiceAccount
        name: openshift-gitops-argocd-application-controller
        namespace: openshift-gitops
      
      $ oc get sa -n openshift-gitops
      NAME                     SECRETS   AGE
      builder                  1         6d18h
      default                  1         6d18h
      deployer                 1         6d18h
      gitops-service-cluster   1         6d18h
      
      $ oc get subscription -n openshift-operators openshift-gitops-operator -o json | jq '.spec'
      {
        "channel": "latest",
        "config": {
          "env": [
            {
              "name": "DISABLE_DEFAULT_ARGOCD_INSTANCE",
              "value": "true"
            }
          ]
        },
        "installPlanApproval": "Automatic",
        "name": "openshift-gitops-operator",
        "source": "redhat-operators",
        "sourceNamespace": "openshift-marketplace",
        "startingCSV": "openshift-gitops-operator.v1.7.0"
      }
      

      Actual results:

      $ oc get clusterversion
      NAME      VERSION   AVAILABLE   PROGRESSING   SINCE   STATUS
      version   4.11.20   True        False         8d      Cluster version is 4.11.20
      
      $ oc get clusterrolebinding openshift-gitops-openshift-gitops-argocd-application-controller -o yaml
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRoleBinding
      metadata:
        annotations:
          argocds.argoproj.io/name: openshift-gitops
          argocds.argoproj.io/namespace: openshift-gitops
        creationTimestamp: "2023-01-13T12:34:38Z"
        labels:
          app.kubernetes.io/managed-by: openshift-gitops
          app.kubernetes.io/name: argocd-application-controller
          app.kubernetes.io/part-of: argocd
        name: openshift-gitops-openshift-gitops-argocd-application-controller
        resourceVersion: "1744696"
        uid: a9abbbfe-ccbe-44db-8032-8fc1b2946b61
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: openshift-gitops-openshift-gitops-argocd-application-controller
      subjects:
      - kind: ServiceAccount
        name: openshift-gitops-argocd-application-controller
        namespace: openshift-gitops
      
      $ oc get sa -n openshift-gitops
      NAME                     SECRETS   AGE
      builder                  1         6d18h
      default                  1         6d18h
      deployer                 1         6d18h
      gitops-service-cluster   1         6d18h
      
      $ oc get subscription -n openshift-operators openshift-gitops-operator -o json | jq '.spec'
      {
        "channel": "latest",
        "config": {
          "env": [
            {
              "name": "DISABLE_DEFAULT_ARGOCD_INSTANCE",
              "value": "true"
            }
          ]
        },
        "installPlanApproval": "Automatic",
        "name": "openshift-gitops-operator",
        "source": "redhat-operators",
        "sourceNamespace": "openshift-marketplace",
        "startingCSV": "openshift-gitops-operator.v1.7.0"
      }
      

      Expected results:

      Either remove the openshift-gitops-openshift-gitops-argocd-application-controller ClusterRoleBinding as well when DISABLE_DEFAULT_ARGOCD_INSTANCE is set to true, or remove the reference to the openshift-gitops-argocd-application-controller serviceAccount in the openshift-gitops namespace.

      Reproducibility (Always/Intermittent/Only Once):

      Always

      Build Details:

      openshift-gitops-operator.v1.7.0

      Additional info (Such as Logs, Screenshots, etc):

      Finding related to a Security review done on the OpenShift Container Platform 4 - Platform

              anjoseph Anand Francis Joseph
              rhn-support-sreber Simon Reber