OpenShift Bugs
OCPBUGS-4342

The storage account for the CoreOS image is publicly accessible when deploying fully private cluster on Azure


Details

    • Moderate
    • NA (just fixing a regression introduced in 4.12)

    Description

      This is a clone of issue OCPBUGS-3524. The following is the description of the original issue:

      Description of problem:

      Installing a fully private cluster on Azure against 4.12.0-0.nightly-2022-11-10-033725, the storage account (sa) for the CoreOS image has public access enabled.

      $ az storage account list -g jima-azure-11a-f58lp-rg --query "[].[name,allowBlobPublicAccess]" -o tsv
      clusterptkpx    True
      imageregistryjimaazrsgcc    False
      

      With the same profile on 4.11.0-0.nightly-2022-11-10-202051, the storage account for the CoreOS image is not publicly accessible.

      $ az storage account list -g jima-azure-11c-kf9hw-rg --query "[].[name,allowBlobPublicAccess]" -o tsv
      clusterr8wv9    False
      imageregistryjimaaz9btdx    False 

      Checked that the terraform-provider-azurerm version differs between 4.11 and 4.12:

      4.11: v2.98.0

      4.12: v3.19.1

      In terraform-provider-azurerm v2.98.0, the property allow_blob_public_access manages storage account public access, and its default value is false.

      In terraform-provider-azurerm v3.19.1, the property allow_blob_public_access is renamed to allow_nested_items_to_be_public, and its default value is true.

      https://github.com/hashicorp/terraform-provider-azurerm/blob/main/CHANGELOG.md#300-march-24-2022
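
      The following is an added illustration of the regression described above; it is not the OpenShift installer's own Terraform, and the resource names, the var.cluster_id / var.resource_group / var.region variables and the account settings are assumptions for the example. It shows the same storage account as written against each provider version, and the explicit setting that restores the 4.11 behaviour after the v3 upgrade:

```hcl
# Added example, not the installer's code. Resource names and the variables
# var.cluster_id, var.resource_group and var.region are assumed.

# --- As written for terraform-provider-azurerm v2.98.0 ---
# allow_blob_public_access defaults to false, so leaving it out is safe:
# the account is created with allowBlobPublicAccess = False.
resource "azurerm_storage_account" "cluster_v2" {
  name                     = "cluster${var.cluster_id}"
  resource_group_name      = var.resource_group
  location                 = var.region
  account_tier             = "Standard"
  account_replication_type = "LRS"
  # allow_blob_public_access = false   # implicit default in v2.x
}

# --- The same resource after upgrading to terraform-provider-azurerm v3.19.1 ---
# The attribute is now allow_nested_items_to_be_public and defaults to TRUE.
# An unchanged resource block silently flips to allowBlobPublicAccess = True,
# which is what the az query on this page reports. Set it explicitly.
resource "azurerm_storage_account" "cluster_v3" {
  name                     = "cluster${var.cluster_id}"
  resource_group_name      = var.resource_group
  location                 = var.region
  account_tier             = "Standard"
  account_replication_type = "LRS"

  allow_nested_items_to_be_public = false
}
```

      Two caveats worth keeping in mind. First, allowBlobPublicAccess is an account-level switch that decides whether containers or blobs in the account may be configured for anonymous access; True does not by itself make the CoreOS image blob readable without credentials, but it removes the guard that a fully private cluster is expected to have. Second, a provider major-version upgrade can change a default without any diff in the .tf files, so an `az storage account list ... --query "[].[name,allowBlobPublicAccess]"` check like the one in this report is a cheap post-install assertion; for an account that is already deployed, `az storage account update -n NAME -g RG --allow-blob-public-access false` turns the switch back off.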

      Version-Release number of selected component (if applicable):

      4.12.0-0.nightly-2022-11-10-033725

      How reproducible:

      Always on 4.12.

      Steps to Reproduce:

      1. Install a fully private cluster on Azure against a 4.12 payload.

      Actual results:

      The storage account for the CoreOS image is publicly accessible (allowBlobPublicAccess is True).

      Expected results:

      The storage account for the CoreOS image should not be publicly accessible (allowBlobPublicAccess should be False, as on 4.11).

      Additional info:

      Only happens on 4.12.

            People

              rdossant Rafael Fonseca dos Santos
              openshift-crt-jira-prow OpenShift Prow Bot
              Jinyun Ma Jinyun Ma