OCPBUGS-38245

AllowedCIDRBlocks is not enforced on PrivateLink AWS clusters


      Description of problem:

          The .spec.networking.apiServer.allowedCIDRBlocks field in a HostedCluster allows specifying which CIDR blocks are allowed to access the API server. Currently this only works on Public AWS clusters. PublicAndPrivate and Private clusters do not honor this setting.

      Version-Release number of selected component (if applicable):

          4.17

      How reproducible:

          Always

      Steps to Reproduce:

          1. Create an AWS HostedCluster with PublicAndPrivate access and specify the allowedCIDRBlocks field.
          2. Wait for the cluster to come up.
          3.
          

      Actual results:

          I can access the cluster from a non-allowed IP

      Expected results:

          I cannot access the cluster from a non-allowed IP

      Additional info:

          Currently only when the KAS is exposed via its own LoadBalancer is the load balancer configured with allowed CIDR blocks. In the case of PublicAndPrivate and Private clusters, the external LoadBalancer is the router load balancer, which is not configured with allowed CIDR blocks.

              agarcial@redhat.com Alberto Garcia Lamela
              cewong@redhat.com Cesar Wong
              Jie Zhao
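
An audit for the condition reported above, added here as an example and not taken from the issue or from the HyperShift code base: it lists AWS HostedClusters that set allowedCIDRBlocks and marks whether the report says the setting is enforced for their access mode. The sample input is constructed; the field path spec.platform.aws.endpointAccess and its default of Public are assumptions about the HostedCluster API that the issue text does not state.

```python
import ipaddress
import json

# Access modes that, per this report, do not honor allowedCIDRBlocks.
UNENFORCED_ACCESS = {"PublicAndPrivate", "Private"}

def _hc(name, access, cidrs):
    """Build a constructed HostedCluster object for the sample below."""
    return {"metadata": {"namespace": "clusters", "name": name},
            "spec": {"platform": {"type": "AWS", "aws": {"endpointAccess": access}},
                     "networking": {"apiServer": {"allowedCIDRBlocks": cidrs}}}}

# Constructed sample in the shape of a JSON list of HostedClusters.
SAMPLE = json.dumps({"items": [
    _hc("pub", "Public", ["203.0.113.0/24"]),
    _hc("mixed", "PublicAndPrivate", ["203.0.113.0/24", "2001:db8::/32"]),
    _hc("open", "Private", []),  # no restriction requested, nothing to report
]})

def audit(hostedclusters_json):
    """Return one finding per AWS HostedCluster that sets allowedCIDRBlocks."""
    findings = []
    for hc in json.loads(hostedclusters_json).get("items", []):
        spec = hc.get("spec") or {}
        platform = spec.get("platform") or {}
        if platform.get("type") != "AWS":
            continue
        api = (spec.get("networking") or {}).get("apiServer") or {}
        cidrs = api.get("allowedCIDRBlocks") or []
        if not cidrs:
            continue
        # Assumption: an unset endpointAccess means Public.
        access = (platform.get("aws") or {}).get("endpointAccess") or "Public"
        findings.append({
            "cluster": "{namespace}/{name}".format(**hc["metadata"]),
            "endpointAccess": access,
            "allowedCIDRBlocks": cidrs,
            "enforced": access not in UNENFORCED_ACCESS,
        })
    return findings

def should_be_allowed(client_ip, cidrs):
    """Expected result from the report: admit only IPs inside an allowed block."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f["cluster"], f["endpointAccess"], "enforced" if f["enforced"] else "NOT enforced")
```

For any cluster reported as not enforced, a request from an address where should_be_allowed returns False is the case the "Actual results" section describes as still succeeding.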