OpenShift Bugs: OCPBUGS-14969

HCP Service Loadbalancer uses default SecurityGroup

Hypershift Sprint 238

Description of problem:

When an HCP Service LB is created, for example for an IngressController, the CAPA controller calls ModifyNetworkInterfaceAttribute. It references the default security group for the VPC in addition to the security group created for the cluster (with the right tags). Ideally, the LBs (and any other HCP components) should not be using the default VPC SecurityGroup.

Version-Release number of selected component (if applicable):

All 4.12 and 4.13

How reproducible:

100%

Steps to Reproduce:

1. Create HCP
2. Wait for Ingress to come up.
3. Look in CloudTrail for ModifyNetworkInterfaceAttribute, and see default security group referenced

Actual results:

Default security group is used

Expected results:

Default security group should not be used
Additional info:

This is problematic as we are attempting to scope our AWS permissions as small as possible. The goal is to only use resources that are tagged with `red-hat-managed: true` so that our IAM Policies can be conditioned to only access these resources. Using the Security Group created for the cluster should be sufficient, and the default Security Group does not need to be used, so if the usage can be removed here, we can secure our AWS policies that much better. Similar to OCPBUGS-11894.
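The CloudTrail check from step 3 of the reproduction, and the tag-scoping rationale from the additional info, as one added example (not code from the bug report or from HyperShift/CAPA): it audits a ModifyNetworkInterfaceAttribute record and flags any security group the IAM policy could not scope to, i.e. the VPC default group or one lacking `red-hat-managed: true`. The event and the security-group inventory are constructed; the request-parameter layout (networkInterfaceId plus groupSet.items[].groupId) is assumed to match what CloudTrail records for this EC2 call.

```python
import json

# Constructed CloudTrail record (assumed EC2 request-parameter layout; IDs/account made up).
SAMPLE_EVENT = {
    "eventSource": "ec2.amazonaws.com",
    "eventName": "ModifyNetworkInterfaceAttribute",
    "userIdentity": {"arn": "arn:aws:iam::111122223333:role/hypothetical-capa-controller"},
    "requestParameters": {
        "networkInterfaceId": "eni-0123456789abcdef0",
        "groupSet": {"items": [{"groupId": "sg-0default0000000001"},
                               {"groupId": "sg-0cluster0000000001"}]},
    },
}

# Constructed inventory, as a flattened describe-security-groups result would look.
# The VPC default group is always named "default" and carries no red-hat-managed tag.
SECURITY_GROUPS = {
    "sg-0default0000000001": {"GroupName": "default", "Tags": {}},
    "sg-0cluster0000000001": {"GroupName": "hcp-demo-node", "Tags": {"red-hat-managed": "true"}},
}

MANAGED_TAG = ("red-hat-managed", "true")


def referenced_group_ids(event: dict) -> list:
    """Security-group IDs the ModifyNetworkInterfaceAttribute call put on the ENI."""
    if event.get("eventName") != "ModifyNetworkInterfaceAttribute":
        return []
    items = event.get("requestParameters", {}).get("groupSet", {}).get("items", [])
    return [item["groupId"] for item in items if "groupId" in item]


def audit_event(event: dict, inventory: dict) -> dict:
    """Return the ENI, caller and a list of (group id, reason) for every group that is the
    VPC default group or is not tagged red-hat-managed=true. Empty list means clean."""
    key, value = MANAGED_TAG
    violations = []
    for gid in referenced_group_ids(event):
        sg = inventory.get(gid, {"GroupName": "<unknown>", "Tags": {}})
        if sg["GroupName"] == "default":
            violations.append((gid, "vpc default security group"))
        elif sg["Tags"].get(key) != value:
            violations.append((gid, f"missing tag {key}={value}"))
    params = event.get("requestParameters", {})
    return {"eni": params.get("networkInterfaceId"),
            "caller": event.get("userIdentity", {}).get("arn"),
            "violations": violations}


if __name__ == "__main__":
    print(json.dumps(audit_event(SAMPLE_EVENT, SECURITY_GROUPS), indent=2))
```

Feeding real CloudTrail records (for example a LookupEvents export) through audit_event gives a quick regression check that the fix holds: every Ingress LB attachment should come back with an empty violations list.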

Alberto Garcia Lamela (agarcial@redhat.com)
Taylor Fahlman (tfahlman)
Jie Zhao
Votes: 0
Watchers: 11