Bug
Resolution: Unresolved
Undefined
4.14.z
Moderate
No
False
Release Note Not Required
In Progress
Description of problem:
gatewayConfig.ipForwarding allows any invalid value, but it should enforce "", "Restricted" or "Global".
You can currently even do really funky stuff with that:
oc edit network.operator/cluster
(...)
spec:
  clusterNetwork:
  - cidr: 10.128.0.0/14
    hostPrefix: 23
  - cidr: fd01::/48
    hostPrefix: 64
  defaultNetwork:
    ovnKubernetesConfig:
      egressIPConfig: {}
      gatewayConfig:
        ipForwarding: $(echo 'Im injected'; lscpu)

$ oc get pods -n openshift-ovn-kubernetes ovnkube-node-24628 -o yaml | grep sysctl -C5
        fi
        # If IP Forwarding mode is global set it in the host here.
        ip_forwarding_flag=
        if [ "$(echo 'Im injected'; lscpu)" == "Global" ]; then
          sysctl -w net.ipv4.ip_forward=1
          sysctl -w net.ipv6.conf.all.forwarding=1
        else
          ip_forwarding_flag="--disable-forwarding"
        fi
        NETWORK_NODE_IDENTITY_ENABLE=

$ oc logs -n openshift-ovn-kubernetes ovnkube-node-24628 -c ovnkube-controller | grep inje -A5
++ echo 'Im injected'
++ lscpu
+ '[' 'Im injected
Architecture:            x86_64
CPU op-mode(s):          32-bit, 64-bit
Address sizes:           46 bits physical, 57 bits virtual
Byte Order:              Little Endian
CPU(s):                  112
I wouldn't consider this a security issue, because I have to be the admin to do that, and as the admin I can also simply modify the pod, but it's not very elegant to allow for some sort of code injection, even by the admin.
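As an added example (not code from the bug report or from the cluster-network-operator), the Go program below shows the two layers a fix for this report would have: a closed-enum validator that rejects anything other than "", "Restricted" or "Global" before the value is used, and single-quote shell escaping of the value at the point where it is substituted into the rendered script. The template text is a reduced copy of the ovnkube-node fragment shown above; the function names, the rendering through text/template and the template itself are assumptions made for this example, not the operator's own code.

```go
package main

import (
	"fmt"
	"strings"
	"text/template"
)

// Allowed values for gatewayConfig.ipForwarding, as listed in the bug report.
// The empty string is "not set" and falls back to the operator default.
var allowedIPForwardingModes = map[string]bool{
	"":           true,
	"Restricted": true,
	"Global":     true,
}

// ValidateIPForwarding enforces the closed enum. This is the check the
// report asks for: an API-level rejection, so a value like
// "$(echo 'Im injected'; lscpu)" never reaches a rendered script at all.
// The match is exact and case-sensitive, so "global" is rejected too.
func ValidateIPForwarding(mode string) error {
	if allowedIPForwardingModes[mode] {
		return nil
	}
	return fmt.Errorf("gatewayConfig.ipForwarding: invalid value %q, must be one of \"\", \"Restricted\" or \"Global\"", mode)
}

// ShellQuote wraps s in single quotes so a POSIX shell treats the whole
// string as one literal word: no $(...), backticks, variable or glob
// expansion happens inside single quotes. An embedded single quote is
// emitted as '\'' (close the quote, escaped quote, reopen the quote).
func ShellQuote(s string) string {
	return "'" + strings.ReplaceAll(s, "'", `'\''`) + "'"
}

// ipForwardingTmpl is a hypothetical template reduced to the fragment the
// report shows in the ovnkube-node pod spec. {{.Mode}} is filled from the CR.
const ipForwardingTmpl = `# If IP Forwarding mode is global set it in the host here.
ip_forwarding_flag=
if [ {{.Mode}} == "Global" ]; then
  sysctl -w net.ipv4.ip_forward=1
  sysctl -w net.ipv6.conf.all.forwarding=1
else
  ip_forwarding_flag="--disable-forwarding"
fi
`

// RenderIPForwardingSnippet validates first (the actual fix) and then
// shell-quotes the value when substituting it (defence in depth), so even a
// value that somehow bypassed validation would be compared as a literal
// string instead of being evaluated by bash when the pod starts.
func RenderIPForwardingSnippet(mode string) (string, error) {
	if err := ValidateIPForwarding(mode); err != nil {
		return "", err
	}
	tmpl := template.Must(template.New("ipfwd").Parse(ipForwardingTmpl))
	var sb strings.Builder
	if err := tmpl.Execute(&sb, struct{ Mode string }{Mode: ShellQuote(mode)}); err != nil {
		return "", err
	}
	return sb.String(), nil
}

func main() {
	// Constructed inputs: the three legitimate values plus the payload from the report.
	for _, v := range []string{"Global", "Restricted", "", "$(echo 'Im injected'; lscpu)"} {
		out, err := RenderIPForwardingSnippet(v)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Printf("--- ipForwarding=%q ---\n%s", v, out)
	}
}
```

The order matters: validation is what closes the report, because the value is an enum and nothing else should be accepted. Quoting alone is only a backstop. The original script already had the value inside double quotes, and bash still performs command substitution there, which is exactly what the `++ echo 'Im injected'` and `++ lscpu` lines in the container log show. Inside single quotes the same text is inert and the comparison simply fails.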