Bug
Resolution: Done-Errata
Normal
4.11
Quality / Stability / Reliability
Auth - Sprint 241, Auth - Sprint 242
Description of problem:
$ oc get clusterversion
NAME      VERSION   AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.11.20   True        False         43h     Cluster version is 4.11.20
$ oc get clusterrolebinding system:openshift:controller:service-serving-cert-controller -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: "2023-01-11T13:19:24Z"
  name: system:openshift:controller:service-serving-cert-controller
  resourceVersion: "11410"
  uid: 8b3e8c56-9f25-4f89-9159-5300585cc129
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:openshift:controller:service-serving-cert-controller
subjects:
- kind: ServiceAccount
  name: service-serving-cert-controller
  namespace: openshift-infra
$ oc get sa service-serving-cert-controller -n openshift-infra
Error from server (NotFound): serviceaccounts "service-serving-cert-controller" not found
The ServiceAccount service-serving-cert-controller does not exist, neither in openshift-infra nor in any other namespace.
It is therefore not clear what this ClusterRoleBinding does, what use case it fulfills, and why it references a non-existent ServiceAccount.
From a security point of view, it is recommended to remove non-existent ServiceAccounts from ClusterRoleBindings, as a potential attacker could abuse the current state by creating the necessary ServiceAccount and gaining undesired permissions.
Version-Release number of selected component (if applicable):
OpenShift Container Platform 4 (all versions, from what we have found)
How reproducible:
Always
Steps to Reproduce:
1. Install OpenShift Container Platform 4
2. Run oc get clusterrolebinding system:openshift:controller:service-serving-cert-controller -o yaml
Actual results:
$ oc get clusterrolebinding system:openshift:controller:service-serving-cert-controller -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: "2023-01-11T13:19:24Z"
  name: system:openshift:controller:service-serving-cert-controller
  resourceVersion: "11410"
  uid: 8b3e8c56-9f25-4f89-9159-5300585cc129
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:openshift:controller:service-serving-cert-controller
subjects:
- kind: ServiceAccount
  name: service-serving-cert-controller
  namespace: openshift-infra
$ oc get sa service-serving-cert-controller -n openshift-infra
Error from server (NotFound): serviceaccounts "service-serving-cert-controller" not found
Expected results:
The ServiceAccount called service-serving-cert-controller should exist, or otherwise the ClusterRoleBinding should be removed.
Additional info:
Finding related to a Security review done on the OpenShift Container Platform 4 - Platform
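One way to detect this class of dangling binding across a whole cluster, as an added example that is not part of the bug report: the script below reads the JSON that `oc get clusterrolebindings -o json` and `oc get serviceaccounts -A -o json` produce (the two file paths are assumed command-line arguments) and lists every ServiceAccount subject whose account does not exist. The embedded sample is constructed from the binding shown above plus one healthy binding for contrast.

```python
import json
import sys

# Constructed sample input: the binding from the report (its ServiceAccount is
# missing) plus one healthy binding whose ServiceAccount subject resolves.
SAMPLE_CRBS = json.loads("""{"items": [
 {"metadata": {"name": "system:openshift:controller:service-serving-cert-controller"},
  "roleRef": {"kind": "ClusterRole", "name": "system:openshift:controller:service-serving-cert-controller"},
  "subjects": [{"kind": "ServiceAccount", "name": "service-serving-cert-controller", "namespace": "openshift-infra"}]},
 {"metadata": {"name": "example-healthy"},
  "roleRef": {"kind": "ClusterRole", "name": "view"},
  "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "openshift-infra"},
               {"kind": "User", "name": "alice"}]}]}""")
SAMPLE_SAS = json.loads("""{"items": [
 {"metadata": {"name": "default", "namespace": "openshift-infra"}}]}""")


def existing_service_accounts(sa_list):
    """Set of (namespace, name) pairs present in a ServiceAccountList."""
    return {(i["metadata"]["namespace"], i["metadata"]["name"])
            for i in sa_list.get("items", [])}


def dangling_bindings(crb_list, sa_list):
    """Return (binding, namespace, sa_name, role) for each ServiceAccount subject
    of a ClusterRoleBinding whose account is absent. Whoever may create that
    account in that namespace would inherit the bound role."""
    present = existing_service_accounts(sa_list)
    findings = []
    for crb in crb_list.get("items", []):
        for subj in crb.get("subjects") or []:   # subjects may be null
            if subj.get("kind") != "ServiceAccount":
                continue
            key = (subj.get("namespace", ""), subj["name"])
            if key not in present:
                findings.append((crb["metadata"]["name"], key[0], key[1],
                                 crb["roleRef"]["name"]))
    return findings


def main(argv):
    # Usage: audit.py <clusterrolebindings.json> <serviceaccounts.json>
    if len(argv) == 3:
        with open(argv[1]) as f, open(argv[2]) as g:
            crbs, sas = json.load(f), json.load(g)
    else:
        crbs, sas = SAMPLE_CRBS, SAMPLE_SAS
    for binding, ns, sa, role in dangling_bindings(crbs, sas):
        print(f"{binding}: ServiceAccount {ns}/{sa} missing, grants {role}")


if __name__ == "__main__":
    main(sys.argv)
```

Run without arguments it reports the binding from this issue; a RoleBinding audit would be the same logic over a namespaced list.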
Links to: RHSA-2023:5006 (OpenShift Container Platform 4.14.z security update)