Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Unresolved
Priority: Undefined
Fix Version/s: 4.16.0
Affects Version/s: 4.16.0
Component/s: HyperShift
Labels:
None

Regression:
No
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Target Version:

4.16.0
Target Backport Versions:

4.15.z

SFDC Cases Counter:
SFDC Cases Links:

Description

Description of problem:

    The HCP CSR flow allows any CN in the incoming CSR.

Version-Release number of selected component (if applicable):

    4.16.0

How reproducible:

    Using the CSR flow, any name you add to the CN in the CSR will be your username against the Kubernetes API server - check your username using the SelfSubjectRequest API (kubectl auth whoami)

Steps to Reproduce:

    1.create CSR with CN=whatever
    2.CSR signed, create kubeconfig
    3.using kubeconfig, kubectl auth whoami should show whatever CN

Actual results:

    any CN in CSR is the username against the cluster

Expected results:

    we should only allow CNs with some known prefix (system:customer-break-glass:...)

Additional info:

Attachments

Issue Links

blocks

OCPBUGS-29310 HCP CSR Allows Invalid CNs

Closed

is cloned by

OCPBUGS-29310 HCP CSR Allows Invalid CNs

Closed

links to

openshift/hypershift#3538: OCPBUGS-29103: control-plane-pki-operator: validate CN for CSR

RHEA-2024:0041 OpenShift Container Platform 4.16.z bug fix update

Activity

People

Assignee:: Steve Kuznetsov

Reporter:: Steve Kuznetsov

QA Contact:: Jie Zhao

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 2024/02/06 3:30 PM

Updated:: 2024/02/27 8:23 AM