Details
Bug
Resolution: Unresolved
Description
Deploy type
ODH Dashboard UI
Version
RHODS 2.4
Environment
OCP 4.12
Current Behavior
When deploying a DSPA, port 8888 is open and accessible via the service to all other resources on the cluster without authentication.
Currently, port 8443 is secured by an oauth-proxy and forwards traffic to localhost:8888, but since port 8888 is exposed, the oauth-proxy can be bypassed by any other resource that is able to communicate with the service.
Since port 8888 is exposed, another nefarious resource running on the cluster can exfiltrate data from any DSPA on the cluster, including data and artifacts.
Expected Behavior
Ports 8888 and 8887 should not be exposed on the service, and the only port on the pod that should be accessible is port 8443, which is secured with the oauth-proxy.
Steps To Reproduce
- Deploy a DSPA
- Connect to the DSPA via ds-pipeline-pipelines-definition.my-project.svc:8888 from another pod running in any namespace on the cluster without a bearer token
Migrated from GitHub: https://github.com/opendatahub-io/data-science-pipelines-operator/issues/492
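One way to check a cluster for the condition described under Expected Behavior, as an added example that is not part of the original report or the operator's code: it scans Service definitions and reports any port other than 8443. The sample input is constructed; the port names, the second and third services, and the "ds-pipeline-" name prefix used to scope the check are assumptions.

```python
import json

# Constructed sample shaped like `kubectl get svc -A -o json` output.
# Port names and the last two services are illustrative, not from the report.
SAMPLE = json.loads("""
{"kind": "List", "items": [
  {"metadata": {"namespace": "my-project", "name": "ds-pipeline-pipelines-definition"},
   "spec": {"ports": [
     {"name": "oauth", "port": 8443, "targetPort": "oauth", "protocol": "TCP"},
     {"name": "http", "port": 8888, "targetPort": 8888, "protocol": "TCP"},
     {"name": "grpc", "port": 8887, "targetPort": 8887, "protocol": "TCP"}]}},
  {"metadata": {"namespace": "other-project", "name": "ds-pipeline-hardened"},
   "spec": {"ports": [
     {"name": "oauth", "port": 8443, "targetPort": "oauth", "protocol": "TCP"}]}},
  {"metadata": {"namespace": "my-project", "name": "unrelated-db"},
   "spec": {"ports": [{"port": 5432, "targetPort": 5432}]}}
]}
""")

ALLOWED_PORTS = {8443}        # the oauth-proxy port named in the report
NAME_PREFIX = "ds-pipeline-"  # assumption: DSPA API services share this prefix


def audit_services(service_list, allowed=ALLOWED_PORTS, prefix=NAME_PREFIX):
    """Return (namespace, service, port, targetPort) for each non-allowed port."""
    findings = []
    for svc in service_list.get("items", []):
        meta = svc.get("metadata", {})
        name = meta.get("name", "")
        if not name.startswith(prefix):
            continue  # out of scope for this check
        # spec.ports may be absent (for example on ExternalName services)
        for p in svc.get("spec", {}).get("ports") or []:
            port = p.get("port")
            if port not in allowed:
                # targetPort defaults to the service port when omitted
                findings.append((meta.get("namespace"), name,
                                 port, p.get("targetPort", port)))
    return findings


if __name__ == "__main__":
    for ns, name, port, target in audit_services(SAMPLE):
        print(f"{ns}/{name}: service port {port} -> pod port {target} "
              "is exposed alongside the oauth-proxy port")
```

To run it against a live cluster, load the JSON from `kubectl get svc -A -o json` in place of SAMPLE.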