OpenShift Bugs: OCPBUGS-44611

[AWS] Node SG - Inbound rule access from 0.0.0.0/0 for node port range 30000-32767


    • Important
    • Yes
    • False
    • N/A
    • Release Note Not Required
    • Done

      This is a clone of issue OCPBUGS-43048. The following is the description of the original issue:

      Description of problem:

      When deploying 4.16, the customer identified an inbound rule security risk for the "node" security group allowing access from 0.0.0.0/0 to node port range 30000-32767.
      This issue did not exist in versions prior to 4.16, and it is suspected that this may be a regression. It seems to be related to the use of CAPI, which could have changed the behavior.
      Trying to understand why this was allowed.

      Version-Release number of selected component (if applicable):

      4.16

      How reproducible:

        

      Steps to Reproduce:

          1. Install 4.16 cluster
      
      *** On 4.12 installations, this is not the case ***
          

      Actual results:

      The installer configures an inbound rule for the node security group allowing access from 0.0.0.0/0 for port range 30000-32767.     

      Expected results:

      The installer should *NOT* create an inbound security rule allowing access to node port range 30000-32767 from any CIDR range (0.0.0.0/0)

      Additional info:

      #forum-ocp-cloud slack discussion:
      https://redhat-internal.slack.com/archives/CBZHF4DHC/p1728484197441409

      Relevant Code :

      https://github.com/kubernetes-sigs/cluster-api-provider-aws/blob/v2.4.0/pkg/cloud/services/securitygroup/securitygroups.go#L551

              rdossant Rafael Fonseca dos Santos
              openshift-crt-jira-prow OpenShift Prow Bot
              Yunfei Jiang Yunfei Jiang
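
An added example, not part of the original report and not installer or cluster-api-provider-aws code: a check a cluster operator could run over the JSON returned by `aws ec2 describe-security-groups` to find the rule described in this issue. The group IDs and rules in the sample are constructed, and flagging `::/0` and "all traffic" rules goes beyond the IPv4 case the report describes.

```python
NODEPORT_MIN, NODEPORT_MAX = 30000, 32767  # node port range named in the report
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}         # ::/0 added here; the report covers IPv4

def open_nodeport_rules(describe_output):
    """Return (group_id, protocol, from_port, to_port, cidr) for every ingress
    rule that opens any part of the node port range to any source address."""
    findings = []
    for sg in describe_output.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto == "-1":              # "all traffic" rules carry no port fields
                lo, hi = 0, 65535
            elif proto in ("tcp", "udp"):
                lo, hi = perm["FromPort"], perm["ToPort"]
            else:
                continue                   # ICMP and other protocols have no ports
            if lo > NODEPORT_MAX or hi < NODEPORT_MIN:
                continue                   # no overlap with the node port range
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if cidr in OPEN_CIDRS:
                    findings.append((sg["GroupId"], proto, lo, hi, cidr))
    return findings

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-constructed-node", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 30000, "ToPort": 32767,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "udp", "FromPort": 30000, "ToPort": 32767,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},
    {"GroupId": "sg-constructed-lb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-constructed-wide", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]}

if __name__ == "__main__":
    for finding in open_nodeport_rules(SAMPLE):
        print("open node port rule:", finding)
```

The same function accepts the dictionary boto3 returns from `describe_security_groups`, since it has the same shape as the CLI's JSON output.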