Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Major
Fix Version/s: None
Affects Version/s: 4.14.0
Component/s: Cloud Compute / Cloud Controller Manager
Labels:
None

Test Link:
https://polarion.engineering.redhat.com/polarion/redirect/project/OSE/workitem?id=OCP-75943
Regression:
No
Sprint:
CLOUD Sprint 258
sprint_count:
1
Release Blocker:
Rejected
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Release Note Text:

Hide
Previously, the cloud node manager had permission to update any node object, however, only needed to be able to update the node on which it was running. Following the principles of least privilege, restrictions have been put in place to prevent the node manager from one node, updating the node object of another node

Show
Previously, the cloud node manager had permission to update any node object, however, only needed to be able to update the node on which it was running. Following the principles of least privilege, restrictions have been put in place to prevent the node manager from one node, updating the node object of another node
Release Note Type:
Bug Fix
Release Note Status:
In Progress
Target Version:

4.18.0

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Description of problem:

The Azure cloud node manager uses a service account with a cluster role attached that provides it with cluster wide permissions to update Node objects.

This means, were the service account to become compromised, Node objects could be maliciously updated.

To limit the blast radius of a leak, we should determine if there is a way to limit the Azure Cloud Node Manager to only be able to update the node on which it resides, or, to move it's functionality centrally within the cluster.

Possible paths:
* Check upstream progress for any attempt to move the node manager role into the CCM
* See if we can re-use kubelet credentials as these are already scoped to updating only the Node on which they reside
* See if there's another admission control method we can use to limit the updates (possibly https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/)

Version-Release number of selected component (if applicable):

4.14.0

How reproducible:

Always

Steps to Reproduce:

1.
2.
3.

Actual results:

Expected results:

Additional info:

links to

openshift/cluster-cloud-controller-manager-operator#363: OCPBUGS-22190: Add Node Admission restriction for Azure node Manager

RHEA-2024:6122 OpenShift Container Platform 4.18.z bug fix update

Assignee:: Joel Speed

Reporter:: Joel Speed

QA Contact:: Zhaohua Sun

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Created:: 2023/10/20 10:05 AM

Updated:: 2024/10/14 9:56 AM

Details

Description

Attachments

Issue Links

Activity

People

Dates