- Bug
- Resolution: Done-Errata
- Undefined
- 4.16.0
- None
Description of problem:
The HCP CSR flow allows any CN in the incoming CSR.
Version-Release number of selected component (if applicable):
4.16.0
How reproducible:
Using the CSR flow, whatever name you put in the CN of the CSR becomes your username against the Kubernetes API server; check your username with the SelfSubjectRequest API (kubectl auth whoami).
Steps to Reproduce:
1. Create a CSR with CN=whatever.
2. Get the CSR signed and create a kubeconfig from it.
3. Using that kubeconfig, kubectl auth whoami shows "whatever" (the CN) as the username.
Actual results:
Any CN in the CSR becomes the username against the cluster.
Expected results:
Only CNs with a known prefix (system:customer-break-glass:...) should be allowed.
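As an added example (not code from this bug or from the product's CSR signer), a Go check a signer could run on the incoming request before issuing a certificate: it decodes the PEM CSR, verifies the request's self-signature, and rejects any CN that is not the system:customer-break-glass: prefix followed by a name. MakeCSR is a hypothetical helper that only builds constructed test requests.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"strings"
)

// AllowedCNPrefix is the known prefix the expected result asks for.
const AllowedCNPrefix = "system:customer-break-glass:"

// ValidateCSRCommonName parses a PEM CSR, checks its self-signature and returns the CN only if it is AllowedCNPrefix followed by a non-empty name.
func ValidateCSRCommonName(csrPEM []byte) (string, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return "", fmt.Errorf("input is not a PEM CERTIFICATE REQUEST")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return "", fmt.Errorf("parsing CSR: %w", err)
	}
	if err := csr.CheckSignature(); err != nil { // requester must hold the private key
		return "", fmt.Errorf("CSR signature invalid: %w", err)
	}
	if cn := csr.Subject.CommonName; !strings.HasPrefix(cn, AllowedCNPrefix) || len(cn) == len(AllowedCNPrefix) {
		return "", fmt.Errorf("CN %q is outside the allowed prefix %q", cn, AllowedCNPrefix)
	}
	return csr.Subject.CommonName, nil
}

// MakeCSR builds a constructed test CSR with the given CN (hypothetical helper, not part of any fix).
func MakeCSR(cn string) ([]byte, error) {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

func main() { // constructed inputs: one CN under the prefix, two outside it
	for _, cn := range []string{"system:customer-break-glass:alice", "system:admin", "kube:admin"} {
		csr, _ := MakeCSR(cn)
		_, err := ValidateCSRCommonName(csr)
		fmt.Printf("CN=%q accepted=%v err=%v\n", cn, err == nil, err)
	}
}
```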
Additional info:
- blocks: OCPBUGS-29310 HCP CSR Allows Invalid CNs (Closed)
- is cloned by: OCPBUGS-29310 HCP CSR Allows Invalid CNs (Closed)
- links to: RHEA-2024:0041 OpenShift Container Platform 4.16.z bug fix update