Details
-
Bug
-
Resolution: Done-Errata
-
Blocker
-
4.13, 4.12
-
No
-
Hypershift Sprint 238
-
1
-
Proposed
-
False
-
Description
Description of problem:
When an HCP Service LB is created, for example for an IngressController, the CAPA controller calls ModifyNetworkInterfaceAttribute. It references the default security group for the VPC in addition to the security group created for the cluster ( with the right tags). Ideally, the LBs (and any other HCP components) should not be using the default VPC SecurityGroup
Version-Release number of selected component (if applicable):
All 4.12 and 4.13
How reproducible:
100%
Steps to Reproduce:
1. Create HCP 2. Wait for Ingress to come up. 3. Look in CloudTrail for ModifyNetworkInterfaceAttribute, and see default security group referenced
Actual results:
Default security group is used
Expected results:
Default security group should not be used
Additional info:
This is problematic as we are attempting to scope our AWS permissions as small as possible. The goal is to only use resources that are tagged with `red-hat-managed: true` so that our IAM Policies can conditioned to only access these resources. Using the Security Group created for the cluster should be sufficient, and the default Security Group does not need to be used, so if the usage can be removed here, we can secure our AWS policies that much better. Similar to OCPBUGS-11894
Attachments
Issue Links
- blocks
-
-
- Closed
-
- is cloned by
-
-
- Closed
-
- links to
-
RHSA-2023:5006
OpenShift Container Platform 4.14.z security update
