Project: Red Hat OpenShift AI Engineering
Issue: RHOAIENG-1705

[Bug]: DSPA service endpoint is not secure

Details


    Description

      Deploy type

      ODH Dashboard UI

      Version

      RHODS 2.4

      Environment

      OCP 4.12

      Current Behavior

      When deploying a DSPA, port 8888 is open and accessible via the service to all other resources on the cluster without authentication.

      Currently, port 8443 is secured by an oauth-proxy that forwards traffic to localhost:8888. But because port 8888 is also exposed on the service, the oauth-proxy can be bypassed by any other resource that is able to communicate with the service.

      Since port 8888 is exposed, a nefarious resource running on the cluster can exfiltrate data from any DSPA on the cluster, including pipeline data and artifacts.

      Expected Behavior

      Ports 8888 and 8887 should not be exposed on the service; the only port on the pod that should be reachable is 8443, which is secured by the oauth-proxy.

      Steps To Reproduce

      • Deploy a DSPA
      • Connect to the DSPA via ds-pipeline-pipelines-definition.my-project.svc:8888 from another pod running in any namespace on the cluster without a bearer token

      Migrated from GitHub: https://github.com/opendatahub-io/data-science-pipelines-operator/issues/492
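The following is an added example, not code from the issue or from the data-science-pipelines-operator project. It audits a Kubernetes Service spec for ports that reach the backend directly instead of through the authenticating proxy, and contrasts a constructed Service matching the reported state (8443 plus 8888/8887) with one matching the expected behaviour (8443 only). The Service name, namespace and port names are assumptions for illustration; the real DSPA Service may use different values.

```python
"""Audit a Kubernetes Service for ports that bypass an auth proxy.

Added example, not part of the issue or the DSPO project. Models the
report above: a Service that exposes the oauth-proxy port (8443) next
to backend ports (8888, 8887) that skip authentication entirely.
"""
import json

# Ports acceptable to expose on the Service because an authenticating
# proxy terminates them. Assumption: 8443 is the oauth-proxy port.
PROTECTED_PORTS = {8443}

# Constructed Service spec reflecting the reported (weak) state.
WEAK_SERVICE = {
    "apiVersion": "v1",
    "kind": "Service",
    "metadata": {"name": "ds-pipeline-pipelines-definition", "namespace": "my-project"},
    "spec": {
        "selector": {"app": "ds-pipeline-pipelines-definition"},
        "ports": [
            {"name": "oauth", "port": 8443, "targetPort": 8443, "protocol": "TCP"},
            {"name": "http", "port": 8888, "targetPort": 8888, "protocol": "TCP"},
            {"name": "grpc", "port": 8887, "targetPort": 8887, "protocol": "TCP"},
        ],
    },
}

# Constructed Service spec matching the expected behaviour: only the
# proxied port is reachable through the Service.
FIXED_SERVICE = {
    "apiVersion": "v1",
    "kind": "Service",
    "metadata": {"name": "ds-pipeline-pipelines-definition", "namespace": "my-project"},
    "spec": {
        "selector": {"app": "ds-pipeline-pipelines-definition"},
        "ports": [
            {"name": "oauth", "port": 8443, "targetPort": 8443, "protocol": "TCP"},
        ],
    },
}


def unprotected_ports(service: dict) -> list:
    """Return Service ports whose targetPort is not a protected (proxied) port.

    A named targetPort (a string) cannot be resolved without the Pod spec,
    so it is reported conservatively as a finding for manual review.
    """
    findings = []
    for p in service.get("spec", {}).get("ports", []):
        target = p.get("targetPort", p.get("port"))
        if isinstance(target, int) and target in PROTECTED_PORTS:
            continue
        findings.append({
            "name": p.get("name"),
            "port": p["port"],
            "targetPort": target,
            "reason": "named targetPort, verify manually"
            if not isinstance(target, int) else "targets backend directly",
        })
    return findings


def audit(service: dict) -> dict:
    """Summarise the audit of one Service as a JSON-serialisable dict."""
    meta = service.get("metadata", {})
    findings = unprotected_ports(service)
    return {
        "service": f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}",
        "unprotected": findings,
        "ok": not findings,
    }


def audit_kubectl_json(text: str) -> list:
    """Audit every Service in `kubectl get svc -o json` output (Service or List)."""
    doc = json.loads(text)
    items = doc.get("items", [doc]) if doc.get("kind") == "List" else [doc]
    return [audit(svc) for svc in items if svc.get("kind") == "Service"]


if __name__ == "__main__":
    for svc in (WEAK_SERVICE, FIXED_SERVICE):
        print(json.dumps(audit(svc), indent=2))
```

To run this against a live cluster, pipe `kubectl get svc -n my-project -o json` into `audit_kubectl_json`; any Service whose report has `"ok": false` exposes a port that does not terminate at the oauth-proxy and should be reviewed.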

          People

            Unassigned Unassigned
            troyer@redhat.com Trevor Royer
            RHOAI Data Science Pipelines