Uploaded image for project: 'OpenShift Container Platform (OCP) Strategy'
  1. OpenShift Container Platform (OCP) Strategy
  2. OCPSTRAT-1378

Reduced the permissions for anonymous users and groups

XMLWordPrintable

    • BU Product Work
    • False
    • Hide

      None

      Show
      None
    • False
    • 0% To Do, 0% In Progress, 100% Done
    • 0
    • Program Call

      Feature Overview (aka. Goal Summary)  

      RedHat allows following roles for system:anonymous user and system:unauthenticated group: 

      oc get clusterrolebindings -o json | jq '.items[] | select(.subjects[]?.kind

      == "Group" and .subjects[]?.name == "system:unauthenticated") |

      .metadata.name' | uniq

      Returns what unauthenticated users can do, which is the following:

      "self-access-reviewers"

      "system:oauth-token-deleters"

      "system:openshift:public-info-viewer"

      "system:public-info-viewer"

      "system:scope-impersonation"

      "system:webhooks"

      Customers would like to minimize the allowed permissions to unauthenticated groups and users. 

      It was determined after initial analysis that following roles are necessary for OIDC access and version information and will not change   

      "system:openshift:public-info-viewer"

      "system:public-info-viewer"

       

      Workaround available: Gating the access with policy engines 

      Expected: Minimize the allowed roles for unauthenticated access 

      Goals (aka. expected user outcomes)

      Reduce use of cluster-wide permissions for system:anonymous user and  system:unauthenticated group for following roles

      "self-access-reviewers"

      "system:oauth-token-deleters"

      "system:scope-impersonation"

      "system:webhooks"

       

      Requirements (aka. Acceptance Criteria):

      Customers would like to minimize the allowed permissions to unauthenticated groups and users. 

      Anyone reviewing this Feature needs to know which deployment configurations that the Feature will apply to (or not) once it's been completed.  Describe specific needs (or indicate N/A) for each of the following deployment scenarios. For specific configurations that are out-of-scope for a given release, ensure you provide the OCPSTRAT (for the future to be supported configuration) as well.

      Deployment considerations List applicable specific needs (N/A = not applicable)
      Self-managed, managed, or both  
      Classic (standalone cluster) Yes
      Hosted control planes tbd
      Multi node, Compact (three node), or Single node (SNO), or all  
      Connected / Restricted Network  
      Architectures, e.g. x86_x64, ARM (aarch64), IBM Power (ppc64le), and IBM Z (s390x)  
      Operator compatibility  
      Backport needed (list applicable versions)  
      UI need (e.g. OpenShift Console, dynamic plugin, OCM)  
      Other (please specify)  

      Use Cases (Optional):

      Include use case diagrams, main success scenarios, alternative flow scenarios.  Initial completion during Refinement status.

      <your text here>

      Questions to Answer (Optional):

      Include a list of refinement / architectural questions that may need to be answered before coding can begin.  Initial completion during Refinement status.

      <your text here>

      Out of Scope

      High-level list of items that are out of scope.  Initial completion during Refinement status.

      It was determined that following roles will not change

      "system:openshift:public-info-viewer"

      "system:public-info-viewer"

       

      Background

      Provide any additional context is needed to frame the feature.  Initial completion during Refinement status.

      Many security teams have flagged anonymous access on apiserver as a security risk. Reducing the permissions granted at cluster level helps in hardening access to apiserver. 

      Customer Considerations

      Provide any additional customer-specific considerations that must be made when designing and delivering the Feature.  Initial completion during Refinement status.

      This feature should not impact upgrade from previous versions. 

      This feature will allow enabling the new functionality for fresh installs. 

       

      Documentation Considerations

      Provide information that needs to be considered and planned so that documentation will meet customer needs.  If the feature extends existing functionality, provide a link to its current documentation. Initial completion during Refinement status.

      Impact to existing usecases should be documented 

      Interoperability Considerations

      Which other projects, including ROSA/OSD/ARO, and versions in our portfolio does this feature impact?  What interoperability test scenarios should be factored by the layered products?  Initial completion during Refinement status.

      <your text here>

              atelang@redhat.com Anjali Telang
              atelang@redhat.com Anjali Telang
              Krzysztof Ostrowski Krzysztof Ostrowski
              Deepak Punia Deepak Punia (Inactive)
              Andrea Hoffer Andrea Hoffer
              David Eads David Eads
              Anjali Telang Anjali Telang
              Eric Rich Eric Rich
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Created:
                Updated:
                Resolved: