1) What is the nature and description of the request?
Accessing the OpenShift Console at a deep link like /settings/cluster/ returns HTTP 200 OK with the full static HTML and JavaScript content of the console frontend, even without any authentication.
Customers find this misleading: when the endpoint is probed with tools such as curl or automated health checks, the 200 OK gives a false impression of accessibility and may be read as a security risk.
They are not sure whether the returned response body matters, but the endpoint always returns 200 OK.
# curl https://console-openshift-console.apps.ext.csp.bop/settings/cluster (⎈|dev-jabba:csp-public-monitoring) <!DOCTYPE html> <html lang="en" class="no-js"> <head> <base href="/" /> <meta charset="utf-8" /> <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1" /> <title>bop.PROD Console</title> <meta name="application-name" content="bop.PROD Console" /> <meta name="description" content="" /> <meta name="viewport" content="width=device-width, initial-scale=1.0" /> <script type="text/javascript"> window.SERVER_FLAGS = {"addPage":"{}","alertManagerBaseURL":"/api/alertmanager","alertManagerPublicURL":"","alertmanagerUserWorkloadBaseURL":"/api/alertmanager-user-workload","authDisabled":false,"basePath":"/","branding":"ocp","consolePlugins":["odf-console","monitoring-plugin"],"consoleVersion":"v6.0.6-23189-g4a7dc548a3","controlPlaneTopology":"HighlyAvailable","copiedCSVsDisabled":false,"customLogoURL":"/custom-logo","customProductName":"bop.PROD Console","developerCatalogCategories":"","developerCatalogTypes":"","documentationBaseURL":"https://access.redhat.com/documentation/en-us/openshift_container_platform/4.16/","GOARCH":"amd64","GOOS":"linux","grafanaPublicURL":"","graphqlBaseURL":"/api/graphql","i18nNamespaces":[],"inactivityTimeout":0,"kubeAdminLogoutURL":"https://oauth-openshift.apps.ext.csp.bop/logout","kubeAPIServerURL":"https://api.ext.csp.bop:6443","loadTestFactor":0,"loginErrorURL":"https://console-openshift-console.apps.ext.csp.bop/auth/error","loginSuccessURL":"https://console-openshift-console.apps.ext.csp.bop/","loginURL":"https://console-openshift-console.apps.ext.csp.bop/auth/login","logoutRedirect":"","logoutURL":"/api/console/logout","nodeArchitectures":["amd64"],"nodeOperatingSystems":["linux"],"perspectives":"","projectAccessClusterRoles":"","prometheusBaseURL":"/api/prometheus","prometheusPublicURL":"","prometheusTenancyBaseURL":"/api/prometheus-tenancy","quickStarts":"","releaseVersion":"4.16.40","statuspageID":"","telemetry":{"CLUSTER_ID
":"c4393185-c741-4727-a534-b3ca9c5d2327","SEGMENT_API_HOST":"console.redhat.com/connections/api/v1","SEGMENT_JS_HOST":"console.redhat.com/connections/cdn","SEGMENT_PUBLIC_API_KEY":"BnuS1RP39EmLQjP21ko67oDjhbl9zpNU","TELEMETER_CLIENT_DISABLED":"true"},"thanosPublicURL":"","userSettingsLocation":"configmap","k8sMode":"in-cluster"}; let theme = localStorage.getItem('bridge/theme') || 'systemDefault'; if (theme === 'systemDefault' && window.matchMedia('(prefers-color-scheme: dark)').matches) { theme = 'dark'; } if (theme === 'dark') { document.documentElement.classList.add('pf-v5-theme-dark', 'pf-theme-dark'); } </script> <link href="static/app-bundle.main.7c7cfe8e1a7a5a09994b.css" rel="stylesheet"><link href="static/app-bundle.vendor-patternfly-4-shared.8650cd467c20c8d57dac.css" rel="stylesheet"><link href="static/app-bundle.vendor-patternfly-5~main.19ecb914756f83b38404.css" rel="stylesheet"><link href="static/app-bundle.vendors~main.69d4596882943af59dae.css" rel="stylesheet"></head> <body class="pf-m-redhat-font"> <noscript>JavaScript must be enabled.</noscript> <div id="popper-container"></div> <div id="app"></div> <script type="text/javascript" src="static/runtime-bundle-b7b32770b201d23a8db5.min.js"></script><script type="text/javascript" src="static/main-chunk-7df73c9895c7e86b887d.min.js"></script><script type="text/javascript" src="static/vendor-patternfly-4-shared~main-chunk-3fe83de7ae8a348699c7.min.js"></script><script type="text/javascript" src="static/vendor-patternfly-5~main-chunk-494dd6f935980236eb86.min.js"></script><script type="text/javascript" src="static/vendor-plugins-shared~main-chunk-90cde18d83872b01891c.min.js"></script><script type="text/javascript" src="static/vendors~main-chunk-018bd846c988631ecc6b.min.js"></script></body> </html> # curl https://console-openshift-console.apps.qa.ext.csp.bop/settings/cluster (⎈|dev-jabba:csp-public-monitoring) <!DOCTYPE html> <html lang="en" class="no-js"> <head> <base href="/" /> <meta charset="utf-8" /> <meta 
http-equiv="X-UA-Compatible" content="IE=edge,chrome=1" /> <title>bop.QA Console</title> <meta name="application-name" content="bop.QA Console" /> <meta name="description" content="" /> <meta name="viewport" content="width=device-width, initial-scale=1.0" /> <script type="text/javascript"> window.SERVER_FLAGS = {"addPage":"{}","alertManagerBaseURL":"/api/alertmanager","alertManagerPublicURL":"","alertmanagerUserWorkloadBaseURL":"/api/alertmanager-user-workload","authDisabled":false,"basePath":"/","branding":"ocp","consolePlugins":["gitops-plugin","monitoring-plugin","networking-console-plugin","odf-console","qa-solo-gpus-console-plugin-console-plugin-nvidia-gpu","veeam-kasten-console-plugin"],"consoleVersion":"v6.0.6-23438-ge3810ed100","controlPlaneTopology":"HighlyAvailable","copiedCSVsDisabled":false,"customLogoURL":"/custom-logo","customProductName":"bop.QA Console","developerCatalogCategories":"","developerCatalogTypes":"{\"state\":\"Enabled\"}","documentationBaseURL":"https://access.redhat.com/documentation/en-us/openshift_container_platform/4.17/","GOARCH":"amd64","GOOS":"linux","grafanaPublicURL":"","graphqlBaseURL":"/api/graphql","i18nNamespaces":["plugin__gitops-plugin","plugin__networking-console-plugin"],"inactivityTimeout":0,"kubeAdminLogoutURL":"https://oauth-openshift.apps.qa.ext.csp.bop/logout","kubeAPIServerURL":"https://api.qa.ext.csp.bop:6443","loadTestFactor":0,"loginErrorURL":"https://console-openshift-console.apps.qa.ext.csp.bop/auth/error","loginSuccessURL":"https://console-openshift-console.apps.qa.ext.csp.bop/","loginURL":"https://console-openshift-console.apps.qa.ext.csp.bop/auth/login","logoutRedirect":"","logoutURL":"/api/console/logout","nodeArchitectures":["amd64"],"nodeOperatingSystems":["linux"],"perspectives":"","projectAccessClusterRoles":"","prometheusBaseURL":"/api/prometheus","prometheusPublicURL":"","prometheusTenancyBaseURL":"/api/prometheus-tenancy","quickStarts":"","releaseVersion":"4.17.25","statuspageID":"","telemetry":{"CLU
STER_ID":"2e2e19ec-6f53-4460-8930-cca9b9aabf4a","SEGMENT_API_HOST":"console.redhat.com/connections/api/v1","SEGMENT_JS_HOST":"console.redhat.com/connections/cdn","SEGMENT_PUBLIC_API_KEY":"BnuS1RP39EmLQjP21ko67oDjhbl9zpNU","TELEMETER_CLIENT_DISABLED":"true"},"thanosPublicURL":"","userSettingsLocation":"configmap","k8sMode":"in-cluster","capabilities":[]}; let theme = localStorage.getItem('bridge/theme') || 'systemDefault'; if (theme === 'systemDefault' && window.matchMedia('(prefers-color-scheme: dark)').matches) { theme = 'dark'; } if (theme === 'dark') { document.documentElement.classList.add('pf-v5-theme-dark', 'pf-theme-dark'); } </script> <link href="static/app-bundle.main.7af4a23d82a4d4afad9b.css" rel="stylesheet"><link href="static/app-bundle.vendor-patternfly-4-shared.8650cd467c20c8d57dac.css" rel="stylesheet"><link href="static/app-bundle.vendor-patternfly-5~main.84f47635ef6d1c3da46d.css" rel="stylesheet"><link href="static/app-bundle.vendors~main.69d4596882943af59dae.css" rel="stylesheet"></head> <body class="pf-m-redhat-font"> <noscript>JavaScript must be enabled.</noscript> <div id="popper-container"></div> <div id="app"></div> <script type="text/javascript" src="static/runtime-bundle-69b7a5676063e3393950.min.js"></script><script type="text/javascript" src="static/main-chunk-3b9a70528dcd0323de58.min.js"></script><script type="text/javascript" src="static/vendor-patternfly-4-shared~main-chunk-645fbdb3215b8095f990.min.js"></script><script type="text/javascript" src="static/vendor-patternfly-5~main-chunk-ee956b6849d59e6823ac.min.js"></script><script type="text/javascript" src="static/vendor-plugins-shared~main-chunk-9adf2b70ef90d527cb20.min.js"></script><script type="text/javascript" src="static/vendors~main-chunk-2c01f62ffb67570555f6.min.js"></script></body> </html>
2. Why does the customer need this? (List the business requirements here)
Security Risk
This behavior exposes internal console metadata and UI components (plugin names, versions, paths, feature flags) to unauthenticated users; in the responses above, for example, the `window.SERVER_FLAGS` object lists the installed console plugins, the console and release versions, the Kubernetes API server URL and the OAuth login/logout URLs. Even if no sensitive data (such as tokens) is leaked, this information can help an attacker understand the system, identify software versions, and target specific vulnerabilities (e.g. in console plugins or JS libraries).
Non-compliance with Expected Access Controls
Normally, the OpenShift Console is expected to enforce authentication before serving any internal route. Returning 200 OK for URLs that are expected to be protected breaks the principle of least privilege and may violate enterprise security policies or compliance requirements.