Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Done-Errata
Priority: Undefined
Fix Version/s: 4.14.0
Affects Version/s: 4.14
Component/s: Cloud Compute / Nutanix Provider
Labels:
None

Regression:
No
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Target Version:

4.14.0

SFDC Cases Counter:
SFDC Cases Links:

Description

Description of problem:

The CCMs at the moment are given RBAC permissions of "get, list, watch" on secrets across all namespaces. This was a security concern raised by the OpenShift Security team. 

In Nutanix CCM, it currently creates a secrets informer and a configmaps informer at the cluster scope, these are then passed into the NewProvider call for the prism environment. Within the prism environment, the configmap and secret informers are used once each, and only to list a single namespace. We should modify the informers creation to limit to just the namespaces required? This would reduce the scope of RBAC required and meet the OpenShift security requirements.

Version-Release number of selected component (if applicable):

How reproducible:

Always

Steps to Reproduce:

Actual results:

Expected results:

Additional info:

Attachments

Issue Links

links to

openshift/cloud-provider-nutanix#17: OCPBUGS-17054: Nutanix CCM should scope secret informers per namespace

RHSA-2023:5006 OpenShift Container Platform 4.14.z security update

Activity

People

Assignee:: Yanhua Li

Reporter:: Yanhua Li

QA Contact:: Huali Liu

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 2023/07/28 5:47 PM

Updated:: 2023/10/31 1:39 PM

Resolved:: 2023/10/31 1:39 PM