- Bug
- Resolution: Not a Bug
- Minor
- None
- 4.11
- Low
- None
- False
Description of problem:
$ oc get clusterversion
NAME      VERSION   AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.11.20   True        False         41h     Cluster version is 4.11.20

$ oc get ClusterRoleBinding system:controller:horizontal-pod-autoscaler -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: "2023-01-11T13:09:19Z"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: system:controller:horizontal-pod-autoscaler
  resourceVersion: "11422"
  uid: 92b4ece6-3554-4348-a465-598714c3f260
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:controller:horizontal-pod-autoscaler
subjects:
- kind: ServiceAccount
  name: horizontal-pod-autoscaler
  namespace: kube-system
- kind: ServiceAccount
  name: horizontal-pod-autoscaler
  namespace: openshift-infra

$ oc get sa horizontal-pod-autoscaler -n kube-system
NAME                        SECRETS   AGE
horizontal-pod-autoscaler   2         44h

$ oc get sa horizontal-pod-autoscaler -n openshift-infra
Error from server (NotFound): serviceaccounts "horizontal-pod-autoscaler" not found

The ServiceAccount horizontal-pod-autoscaler in the openshift-infra namespace does not exist and therefore should not be referenced in the ClusterRoleBinding. From a security point of view, it is recommended to remove non-existent ServiceAccounts from ClusterRoleBindings, because a potential attacker could abuse the current state by creating the referenced ServiceAccount and gaining undesired permissions.
Version-Release number of selected component (if applicable):
OpenShift Container Platform 4 (all versions, from what we have found)
How reproducible:
Always
Steps to Reproduce:
1. Install OpenShift Container Platform 4
2. Run oc get ClusterRoleBinding system:controller:horizontal-pod-autoscaler -o yaml
Actual results:
$ oc get ClusterRoleBinding system:controller:horizontal-pod-autoscaler -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: "2023-01-11T13:09:19Z"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: system:controller:horizontal-pod-autoscaler
  resourceVersion: "11422"
  uid: 92b4ece6-3554-4348-a465-598714c3f260
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:controller:horizontal-pod-autoscaler
subjects:
- kind: ServiceAccount
  name: horizontal-pod-autoscaler
  namespace: kube-system
- kind: ServiceAccount
  name: horizontal-pod-autoscaler
  namespace: openshift-infra
Expected results:
$ oc get ClusterRoleBinding system:controller:horizontal-pod-autoscaler -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: "2023-01-11T13:09:19Z"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: system:controller:horizontal-pod-autoscaler
  resourceVersion: "11422"
  uid: 92b4ece6-3554-4348-a465-598714c3f260
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:controller:horizontal-pod-autoscaler
subjects:
- kind: ServiceAccount
  name: horizontal-pod-autoscaler
  namespace: kube-system
Additional info:
Finding related to a security review done on OpenShift Container Platform 4.
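As an added example (not part of the report or of OpenShift), a small audit that applies the reasoning in the description to `oc get clusterrolebindings -o json` output: it flags ServiceAccount subjects whose account does not exist and produces the pruned subject list shown under "Expected results". The binding data and the set of existing ServiceAccounts are constructed inline from the report's values (plus one Group subject to show that only ServiceAccount subjects are checked); in a real audit they would be loaded from the cluster.

```python
import json

# Constructed sample, modelled on the binding in this report: the output of
#   oc get clusterrolebindings -o json   (trimmed to the relevant fields)
# plus the set of ServiceAccounts that actually exist, as (namespace, name).
CLUSTER_ROLE_BINDINGS = json.loads("""
{"items": [{
  "metadata": {"name": "system:controller:horizontal-pod-autoscaler"},
  "roleRef": {"kind": "ClusterRole",
              "name": "system:controller:horizontal-pod-autoscaler"},
  "subjects": [
    {"kind": "ServiceAccount", "name": "horizontal-pod-autoscaler",
     "namespace": "kube-system"},
    {"kind": "ServiceAccount", "name": "horizontal-pod-autoscaler",
     "namespace": "openshift-infra"},
    {"kind": "Group", "name": "system:masters"}]}]}
""")
EXISTING_SERVICE_ACCOUNTS = {("kube-system", "horizontal-pod-autoscaler")}


def dangling_service_account_subjects(bindings, existing_sas):
    """Return (binding, namespace, name, role) for each ServiceAccount subject
    that does not exist.  Whoever can create a ServiceAccount with that name
    in that namespace would inherit the bound role, so these are findings."""
    findings = []
    for crb in bindings["items"]:
        role = crb["roleRef"]["name"]
        for subj in crb.get("subjects") or []:     # subjects may be absent
            if subj.get("kind") != "ServiceAccount":
                continue  # this check covers ServiceAccount subjects only
            key = (subj.get("namespace", ""), subj["name"])
            if key not in existing_sas:
                findings.append((crb["metadata"]["name"], *key, role))
    return findings


def pruned_subjects(crb, existing_sas):
    """The binding's subjects with dangling ServiceAccounts dropped, which is
    the 'Expected results' state of the report."""
    return [s for s in crb.get("subjects") or []
            if s.get("kind") != "ServiceAccount"
            or (s.get("namespace", ""), s["name"]) in existing_sas]


if __name__ == "__main__":
    for crb, ns, name, role in dangling_service_account_subjects(
            CLUSTER_ROLE_BINDINGS, EXISTING_SERVICE_ACCOUNTS):
        print(f"{crb}: ServiceAccount {ns}/{name} does not exist but is bound to {role}")
```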