Bug
Resolution: Done
Blocker
1.4.1, 1.2.0, 1.3.0, 1.4.0
None
Serverless Sprint 175, Serverless Sprint 181, Serverless Sprint 182
Description
- Because the metrics of every ksvc are exposed through the autoscaler and controller Services, anyone who can reach those Service endpoints can list all ksvcs running on the cluster.
- This is not a problem for single-tenant k8s users, but it is problematic for multi-tenant users.
Steps to reproduce
- Run a pod in an arbitrary namespace.
- Curl from the pod to the controller's or autoscaler's metrics endpoint.
$ oc rsh <ANY POD>
# curl controller.knative-serving.svc:9090/metrics
# curl autoscaler.knative-serving.svc:9090/metrics
Result
We can get the list of ksvcs running on the cluster from the metrics info.
autoscaler_reconcile_latency_bucket{key="serving-tests/hello-example-bcwzf",reconciler="KPA-Class Autoscaling",success="true",le="10"}
autoscaler_reconcile_latency_bucket{key="default/hello-example-68zcn",reconciler="KPA-Class Autoscaling",success="true",le="100"}
...
Workaround
- Use the ovs-multitenant plugin's access control feature. However, the knative-serving namespace and the users' namespaces still need to be able to reach each other.
- Deploy Knative Serving in a random namespace, though this is not possible with K-S-O.
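As an added, defensive example (not part of this ticket and not one of Knative's own manifests), the following NetworkPolicy keeps the autoscaler's metrics port 9090 reachable only from a designated monitoring namespace while still allowing the cross-namespace traffic the workaround says is required. The pod label app=autoscaler, the namespace label knative-metrics-reader=true, and port 8080 as the port on which the autoscaler receives stats from queue-proxy/activator are assumptions; it also requires a CNI that enforces NetworkPolicy (on OpenShift SDN that is the networkpolicy mode, not ovs-multitenant).

```yaml
# Added example; assumes app=autoscaler pod labels, a monitoring namespace
# labelled knative-metrics-reader=true, and port 8080 as the autoscaler stats port.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: autoscaler-restrict-metrics
  namespace: knative-serving
spec:
  podSelector:
    matchLabels:
      app: autoscaler
  policyTypes:
  - Ingress
  ingress:
  # Pods inside knative-serving may still reach the autoscaler on any port.
  - from:
    - podSelector: {}
  # queue-proxy/activator in user namespaces may push stats on 8080 only,
  # so a user pod can no longer read /metrics on 9090.
  - from:
    - namespaceSelector: {}
    ports:
    - port: 8080
      protocol: TCP
  # /metrics on 9090 is reachable solely from the labelled monitoring namespace.
  - from:
    - namespaceSelector:
        matchLabels:
          knative-metrics-reader: "true"
    ports:
    - port: 9090
      protocol: TCP
```

The controller needs the same policy with the app=controller selector and without the port-8080 rule, since it does not receive stats from user namespaces.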
Is related to: SRVKS-206 Add NetworkPolicy entities (Closed)