Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Critical
Fix Version/s: RHODS_1.5.0_GA
Affects Version/s: None
Component/s: Install Upgrade Uninstall
Labels:
- eng
- groomed

Story Points:
2
Blocked:
False
Ready:
False
Automated:
No
CDW devel_ack:
CDW docs_ack:
CDW pm_ack:
CDW qa_ack:
CDW release:
Fixed in Build:
1.5.0.4
Regression:
No
Target Release:

RHODS_1.5.0_GA
Test Blocker:
No
Test Coverage:

Yes
Watchlist Impact:
None
Git Pull Request:
https://github.com/red-hat-data-services/opendatahub-operator/pull/117
Market:
Test Link:
https://ODS-1068

Sprint:
MODH Sprint 36

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Description of problem:

The kfdef RHODS controller is deleting APIServices by index, if their condition is False: https://github.com/red-hat-data-services/opendatahub-operator/blob/336ece83898129541dd94067cd44528bce7f8f06/pkg/controller/kfdef/kfdef_controller.go#L630-L651.

As the rhods-operator workload runs with elevated privileges (https://gitlab.cee.redhat.com/service/managed-tenants-bundles/-/blob/main/addons/rhods/main/1.3.0-6/manifests/rhods-operator.1.3.0-6.clusterserviceversion.yml#L53) this piece of code can potentially delete any OCP APIService, and break the cluster.

MTSRE requirements:

The ask would be twofold:

Modify the cleanup code to only impact RHODS managed APIServices
Restrict CSV permissions to least privileged (this is a best effort as we are figuring out what our allow-list or criterias will be)

Assignee:: Vaishnavi Hire

Reporter:: Samuel Blais-Dowdy (Inactive)

QA Contact:: Tarun Kumar

Votes:: 0 Vote for this issue

Watchers:: 9 Start watching this issue

Created:: 2021/12/09 3:04 PM

Updated:: 2023/02/17 9:19 PM

Resolved:: 2022/01/06 7:27 PM