Bug 1291963 (CVE-2015-7561)

Summary: CVE-2015-7561 OpenShift3: Private Docker images can be used by any user, once they are pulled to a node
Product: [Other] Security Response Reporter: Kurt Seifried <kseifried>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: agoldste, bleanhar, ccoleman, dmcphers, jialiu, jkeck, jokerman, kseifried, lmeyer, mmccomas, tjay
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-11-01 23:52:16 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1288094    
Bug Blocks: 1291965    

Description Kurt Seifried 2015-12-16 04:50:57 UTC 
Miheer Salunke of Red Hat reports:

When a private image is pulled to a node any other user on the node can use 
this private image if they know the name of the image. It should be noted that 
the image name typically includes a SHA hash in the value making it difficult
to guess.
Comment 1 Trevor Jay 2016-09-06 23:54:43 UTC 
Clayton,

Doing some follow-up, can you (or anyone really) point me at a commit for this?

_Trevor
Comment 2 Andy Goldstein 2016-11-01 19:05:25 UTC 
Kube PR for AlwaysPullImages admission controller: https://github.com/kubernetes/kubernetes/pull/18909

Kube Docs: http://kubernetes.io/docs/admin/admission-controllers/#alwayspullimages

Example showing how to enable it in OpenShift config: https://docs.openshift.com/container-platform/3.3/architecture/additional_concepts/admission_controllers.html