Bug 1786477

Summary: non-namespaced cr NetworkAddonsConfig is owned by namespaced cr HCO
Product: Container Native Virtualization (CNV) Reporter: Asher Shoshan <ashoshan>
Component: NetworkingAssignee: omergi
Status: CLOSED ERRATA QA Contact: Yan Du <yadu>
Severity: urgent Docs Contact:
Priority: urgent    
Version: 2.2.0CC: cnv-qe-bugs, danken, mrashish, ncredi, stirabos
Target Milestone: ---   
Target Release: 2.2.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: hco-bundle-registry-container-v2.2.0-225 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-01-30 16:27:36 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Asher Shoshan 2019-12-25 15:46:47 UTC 
HCO Operator in namespace openshift-cnv is triggered by cr 'hyperconverged-cluster' (kind HCO) creates non-namespaced cr 'cluster' (kind NetworkAddonsConfig).
hyperconverged-cluster (namespaced) is the owner of 'cluster' (non-namespaced).
This cross-namespace ownership may lead to GC deletions of resources.

See
Bug 1693905 (CVE-2019-3884) - CVE-2019-3884 atomic-openshift:
cross-namespace owner references can trigger deletions of valid children


Version-Release number of selected component (if applicable):
2.2.0

How reproducible:


Steps to Reproduce:
1. install CNV
2.
3.

Actual results:


Expected results:


Additional info:
Comment 1 Meni Yakove 2020-01-08 09:49:31 UTC 
To verify:

1. install CNV
2. Make sure all network-related components were installed.
3. Remove HCO CRd.
4. Make sure all network components besides the network addon operator and the network addon CRDs were removed.
Comment 2 Yan Du 2020-01-13 06:48:43 UTC 
Client Version: 4.3.0-0.nightly-2020-01-08-181129
Server Version: 4.3.0-0.nightly-2020-01-08-181129
Kubernetes Version: v1.16.2
CNV 2.2

After removing hco crd, all the network components resources including the network addon crds are all removed.
Comment 3 Maya Rashish 2020-01-13 08:34:05 UTC 
(In reply to Yan Du from comment #2)
> After removing hco crd, all the network components resources including the
> network addon crds are all removed.

I believe this is behaviour we want to keep.

The flaw is that it used to be done via ownerReferences.
(`kubectl get NetworkAddonsConfig -o yaml | grep -C 5 ownerReferences`)

The ownerReferences weren't legal (cluster scoped object owned by namespaced object).
Because of this, the deletion might happen when the garbage collector runs. That is, without any user interaction.
Comment 5 errata-xmlrpc 2020-01-30 16:27:36 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:0307