Loading...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Undefined
Fix Version/s: 4.14.0
Affects Version/s: 4.14
Component/s: Cloud Compute / Nutanix Provider
Labels:
None

Regression:
No
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Target Version:

4.14.0

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Description of problem:

The CCMs at the moment are given RBAC permissions of "get, list, watch" on secrets across all namespaces. This was a security concern raised by the OpenShift Security team. 

In Nutanix CCM, it currently creates a secrets informer and a configmaps informer at the cluster scope, these are then passed into the NewProvider call for the prism environment. Within the prism environment, the configmap and secret informers are used once each, and only to list a single namespace. We should modify the informers creation to limit to just the namespaces required? This would reduce the scope of RBAC required and meet the OpenShift security requirements.

Version-Release number of selected component (if applicable):

How reproducible:

Always

Steps to Reproduce:

Actual results:

Expected results:

Additional info:

links to

openshift/cloud-provider-nutanix#17: OCPBUGS-17054: Nutanix CCM should scope secret informers per namespace

RHSA-2023:5006 OpenShift Container Platform 4.14.z security update

Assignee:: Yanhua Li

Reporter:: Yanhua Li

QA Contact:: Huali Liu

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Created:: 2023/07/28 5:47 PM

Updated:: 2023/10/31 1:39 PM

Resolved:: 2023/10/31 1:39 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates