Loading...

Type: Bug
Resolution: Done
Priority: Normal
Fix Version/s: 1.9.3
Affects Version/s: None
Component/s: Operator
Labels:
- GitOps
- bug
- bug-fix
- release-note-item
- security
- support-report

Story Points:
5
Blocked:
False
Blocked Reason:
None
Ready:
False
Intelligence Requested:
Market:
Target Version:

1.9.1

Sprint:
GITOPS Sprint 239
Severity:
Moderate

SFDC Cases Counter:
SFDC Cases Links:

Description of problem:

With OpenShift GitOps installed but DISABLE_DEFAULT_ARGOCD_INSTANCE set to true in the Subscription we still can see the respective serviceAccount referenced in the openshift-gitops-openshift-gitops-argocd-application-controller ClusterRoleBinding

$ oc get clusterversion
NAME      VERSION   AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.11.20   True        False         8d      Cluster version is 4.11.20

$ oc get clusterrolebinding openshift-gitops-openshift-gitops-argocd-application-controller -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    argocds.argoproj.io/name: openshift-gitops
    argocds.argoproj.io/namespace: openshift-gitops
  creationTimestamp: "2023-01-13T12:34:38Z"
  labels:
    app.kubernetes.io/managed-by: openshift-gitops
    app.kubernetes.io/name: argocd-application-controller
    app.kubernetes.io/part-of: argocd
  name: openshift-gitops-openshift-gitops-argocd-application-controller
  resourceVersion: "1744696"
  uid: a9abbbfe-ccbe-44db-8032-8fc1b2946b61
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: openshift-gitops-openshift-gitops-argocd-application-controller
subjects:
- kind: ServiceAccount
  name: openshift-gitops-argocd-application-controller
  namespace: openshift-gitops

$ oc get sa -n openshift-gitops
NAME                     SECRETS   AGE
builder                  1         6d18h
default                  1         6d18h
deployer                 1         6d18h
gitops-service-cluster   1         6d18h

$ oc get subscription -n openshift-operators openshift-gitops-operator -o json | jq '.spec'
{
  "channel": "latest",
  "config": {
    "env": [
      {
        "name": "DISABLE_DEFAULT_ARGOCD_INSTANCE",
        "value": "true"
      }
    ]
  },
  "installPlanApproval": "Automatic",
  "name": "openshift-gitops-operator",
  "source": "redhat-operators",
  "sourceNamespace": "openshift-marketplace",
  "startingCSV": "openshift-gitops-operator.v1.7.0"
}

It's therefore not clear whether the ClusterRoleBinding openshift-gitops-openshift-gitops-argocd-application-controller should still exist in the given scenario or actually also get removed.

In any case, the desired state should be to remove the serviceAccount from the ClusterRoleBinding once it gets removed because the default instance is removed.

This is also a Security recommendation to remove non serviceAccounts from ClusterRoleBindings, as a potential attacker could abuse the current state by creating the necessary serviceAccounts and gain undesired permissions.

Prerequisites (if any, like setup, operators/versions):

Run the below patch to disable the default GitOps instance.

$ oc patch subscription openshift-gitops-operator -n openshift-operators --type=merge -p='{"spec":{"config":{"env":[{"name":"DISABLE_DEFAULT_ARGOCD_INSTANCE","value":"true"}]}}}'

Steps to Reproduce

$ oc patch subscription openshift-gitops-operator -n openshift-operators --type=merge -p='{"spec":{"config":{"env":[{"name":"DISABLE_DEFAULT_ARGOCD_INSTANCE","value":"true"}]}}}'

$ oc get clusterversion
NAME      VERSION   AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.11.20   True        False         8d      Cluster version is 4.11.20

$ oc get clusterrolebinding openshift-gitops-openshift-gitops-argocd-application-controller -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    argocds.argoproj.io/name: openshift-gitops
    argocds.argoproj.io/namespace: openshift-gitops
  creationTimestamp: "2023-01-13T12:34:38Z"
  labels:
    app.kubernetes.io/managed-by: openshift-gitops
    app.kubernetes.io/name: argocd-application-controller
    app.kubernetes.io/part-of: argocd
  name: openshift-gitops-openshift-gitops-argocd-application-controller
  resourceVersion: "1744696"
  uid: a9abbbfe-ccbe-44db-8032-8fc1b2946b61
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: openshift-gitops-openshift-gitops-argocd-application-controller
subjects:
- kind: ServiceAccount
  name: openshift-gitops-argocd-application-controller
  namespace: openshift-gitops

$ oc get sa -n openshift-gitops
NAME                     SECRETS   AGE
builder                  1         6d18h
default                  1         6d18h
deployer                 1         6d18h
gitops-service-cluster   1         6d18h

$ oc get subscription -n openshift-operators openshift-gitops-operator -o json | jq '.spec'
{
  "channel": "latest",
  "config": {
    "env": [
      {
        "name": "DISABLE_DEFAULT_ARGOCD_INSTANCE",
        "value": "true"
      }
    ]
  },
  "installPlanApproval": "Automatic",
  "name": "openshift-gitops-operator",
  "source": "redhat-operators",
  "sourceNamespace": "openshift-marketplace",
  "startingCSV": "openshift-gitops-operator.v1.7.0"
}

Actual results:

$ oc get clusterversion
NAME      VERSION   AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.11.20   True        False         8d      Cluster version is 4.11.20

$ oc get clusterrolebinding openshift-gitops-openshift-gitops-argocd-application-controller -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    argocds.argoproj.io/name: openshift-gitops
    argocds.argoproj.io/namespace: openshift-gitops
  creationTimestamp: "2023-01-13T12:34:38Z"
  labels:
    app.kubernetes.io/managed-by: openshift-gitops
    app.kubernetes.io/name: argocd-application-controller
    app.kubernetes.io/part-of: argocd
  name: openshift-gitops-openshift-gitops-argocd-application-controller
  resourceVersion: "1744696"
  uid: a9abbbfe-ccbe-44db-8032-8fc1b2946b61
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: openshift-gitops-openshift-gitops-argocd-application-controller
subjects:
- kind: ServiceAccount
  name: openshift-gitops-argocd-application-controller
  namespace: openshift-gitops

$ oc get sa -n openshift-gitops
NAME                     SECRETS   AGE
builder                  1         6d18h
default                  1         6d18h
deployer                 1         6d18h
gitops-service-cluster   1         6d18h

$ oc get subscription -n openshift-operators openshift-gitops-operator -o json | jq '.spec'
{
  "channel": "latest",
  "config": {
    "env": [
      {
        "name": "DISABLE_DEFAULT_ARGOCD_INSTANCE",
        "value": "true"
      }
    ]
  },
  "installPlanApproval": "Automatic",
  "name": "openshift-gitops-operator",
  "source": "redhat-operators",
  "sourceNamespace": "openshift-marketplace",
  "startingCSV": "openshift-gitops-operator.v1.7.0"
}

Expected results:

Either remove openshift-gitops-openshift-gitops-argocd-application-controller ClusterRoleBinding as well when DISABLE_DEFAULT_ARGOCD_INSTANCE is set to true or remove the reference to openshift-gitops-argocd-application-controller serviceAccount in openshift-gitops namespace

Reproducibility (Always/Intermittent/Only Once):

Always

Build Details:

openshift-gitops-operator.v1.7.0

Additional info (Such as Logs, Screenshots, etc):

Finding related to a Security review done on the OpenShift Container Platform 4 - Platform

mentioned on

Merge request - Updated 3 upstream sources

Details

Description

Description of problem:

Prerequisites (if any, like setup, operators/versions):

Steps to Reproduce

Actual results:

Expected results:

Reproducibility (Always/Intermittent/Only Once):

Build Details:

Additional info (Such as Logs, Screenshots, etc):

Attachments

Issue Links

Activity

People

Dates