Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-5825

system:openshift:kube-controller-manager:gce-cloud-provider referencing non existing serviceAccount

XMLWordPrintable

    • Low
    • None
    • False
    • Hide

      None

      Show
      None
    • N/A
    • Release Note Not Required
    • In Progress

      Description of problem:

      $ oc get clusterversion
      NAME VERSION AVAILABLE PROGRESSING SINCE STATUS
      version 4.11.20 True False 43h Cluster version is 4.11.20
      
      $ oc get clusterrolebinding system:openshift:kube-controller-manager:gce-cloud-provider -o yaml
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRoleBinding
      metadata:
        creationTimestamp: "2023-01-11T13:16:47Z"
        name: system:openshift:kube-controller-manager:gce-cloud-provider
        resourceVersion: "6079"
        uid: 82a81635-4535-4a51-ab83-d2a1a5b9a473
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: system:openshift:kube-controller-manager:gce-cloud-provider
      subjects:
      - kind: ServiceAccount
        name: cloud-provider
        namespace: kube-system
      
      $ oc get sa cloud-provider -n kube-system
      Error from server (NotFound): serviceaccounts "cloud-provider" not found
      
      The serviceAccount cloud-provider does not exist. Neither in kube-system nor in any other namespace.
      
      It's therefore not clear what this ClusterRoleBinding does, what use-case it does fulfill and why it references non existing serviceAccount.
      
      From Security point of view, it's recommended to remove non serviceAccounts from ClusterRoleBindings as a potential attacker could abuse the current state by creating the necessary serviceAccount and gain undesired permissions.

      Version-Release number of selected component (if applicable):

      OpenShift Container Platform 4 (all version from what we have found)

      How reproducible:

      Always

      Steps to Reproduce:

      1. Install OpenShift Container Platform 4
      2. Run oc get clusterrolebinding system:openshift:kube-controller-manager:gce-cloud-provider -o yaml

      Actual results:

      $ oc get clusterrolebinding system:openshift:kube-controller-manager:gce-cloud-provider -o yaml
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRoleBinding
      metadata:
        creationTimestamp: "2023-01-11T13:16:47Z"
        name: system:openshift:kube-controller-manager:gce-cloud-provider
        resourceVersion: "6079"
        uid: 82a81635-4535-4a51-ab83-d2a1a5b9a473
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: system:openshift:kube-controller-manager:gce-cloud-provider
      subjects:
      - kind: ServiceAccount
        name: cloud-provider
        namespace: kube-system
      
      $ oc get sa cloud-provider -n kube-system
      Error from server (NotFound): serviceaccounts "cloud-provider" not found

      Expected results:

      The serviceAccount called cloud-provider to exist or otherwise the ClusterRoleBinding to be removed.

      Additional info:

      Finding related to a Security review done on the OpenShift Container Platform 4 - Platform

            rh-ee-tbarberb Theo Barber-Bany
            rhn-support-sreber Simon Reber
            Milind Yadav Milind Yadav
            Jeana Routh Jeana Routh
            Votes:
            0 Vote for this issue
            Watchers:
            9 Start watching this issue

              Created:
              Updated:
              Resolved: