Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-5814

ClusterRoleBinding called kube-apiserver references non existing users

XMLWordPrintable

    • Low
    • False
    • Hide

      None

      Show
      None

      Description of problem:

      $ oc get clusterversion
NAME      VERSION   AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.11.20   True        False         41h     Cluster version is 4.11.20

$ oc get clusterrolebinding kube-apiserver -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: "2023-01-11T13:09:59Z"
  name: kube-apiserver
  resourceVersion: "619"
  uid: 1c264cc6-d179-4032-b13f-4ef2fd6c0d64
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kube-apiserver
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: kube-apiserver
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: system:kube-apiserver

Both users referenced in the Subject don't exist (neither kube-apiserver nor system:kube-apiserver exists).

It's therefore not clear what this ClusterRoleBinding does, what use-case it does fulfill and why it references non existing users.

From Security point of view, it's recommended to remove non existig users from ClusterRoleBindings as a potential attacker could abuse the current state by creating the necessary users and gain undesired permissions.

The ClusterRoleBinding is also part of the master branch in https://github.com/openshift/cluster-kube-apiserver-operator/blob/master/bindata/bootkube/manifests/cluster-role-binding-kube-apiserver.yaml

      Version-Release number of selected component (if applicable):

      OpenShift Container Platform 4 (all version from what we have found)

      How reproducible:

      Always

      Steps to Reproduce:

      1. Install OpenShift Container Platform 4
2. Run oc get clusterrolebinding kube-apiserver -o yaml

      Actual results:

      $ oc get clusterrolebinding kube-apiserver -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: "2023-01-11T13:09:59Z"
  name: kube-apiserver
  resourceVersion: "619"
  uid: 1c264cc6-d179-4032-b13f-4ef2fd6c0d64
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kube-apiserver
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: kube-apiserver
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: system:kube-apiserver

$ oc get user
No resources found

$ oc get user -A
No resources found
 

      Expected results:

      The users called kube-apiserver and system:kubeapiserver to exist or otherwise the ClusterRoleBinding to be removed.

      Additional info:

      Finding related to a Security review done on the OpenShift Container Platform 4 - Platform

       

            vdinh@redhat.com Vu Dinh
            rhn-support-sreber Simon Reber
            Deepak Punia Deepak Punia
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated:
              Resolved: