Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-29103

HCP CSR Allows Invalid CNs

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done-Errata
    • Icon: Undefined Undefined
    • 4.16.0
    • 4.16.0
    • HyperShift
    • None
    • No
    • False
    • Hide

      None

      Show
      None

      Description of problem:

          The HCP CSR flow allows any CN in the incoming CSR.

      Version-Release number of selected component (if applicable):

          4.16.0

      How reproducible:

          Using the CSR flow, any name you add to the CN in the CSR will be your username against the Kubernetes API server - check your username using the SelfSubjectRequest API (kubectl auth whoami)

      Steps to Reproduce:

          1.create CSR with CN=whatever
          2.CSR signed, create kubeconfig
          3.using kubeconfig, kubectl auth whoami should show whatever CN
          

      Actual results:

          any CN in CSR is the username against the cluster

      Expected results:

          we should only allow CNs with some known prefix (system:customer-break-glass:...)

      Additional info:

          

       

              skuznets@redhat.com Steve Kuznetsov (Inactive)
              skuznets@redhat.com Steve Kuznetsov (Inactive)
              Jie Zhao Jie Zhao
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

                Created:
                Updated:
                Resolved: