Bug 1879406

Summary: CSI driver liveness probe should not be accessible from outside
Product: OpenShift Container Platform
Component: Storage
Storage sub component: Operators
Reporter: Jan Safranek <jsafrane>
Assignee: Jan Safranek <jsafrane>
QA Contact: Qin Ping <piqin>
CC: aos-bugs
Status: CLOSED ERRATA
Severity: medium
Priority: unspecified
Version: 4.6
Target Release: 4.6.0
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Type: Bug
Last Closed: 2020-10-27 16:41:19 UTC

Description Jan Safranek 2020-09-16 08:47:14 UTC
OCP AWS EBS and oVirt CSI drivers use "hostNetwork: true" and at the same time they use port 9808 for their liveness probes. Since the range 9000-9999 is required to be accessible "All machines to all machines" in our docs [1], the liveness probe is accessible from all machines, which is not really wanted. The liveness probe should be accessible from the host only.

1: https://github.com/openshift/openshift-docs/blob/master/modules/installation-network-user-infra.adoc
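
An added example, not part of the bug report or of OpenShift's code: a small audit for the condition described above, a pod with "hostNetwork: true" whose liveness probe port falls in 9000-9999. The pod specs, pod names and the helper make_pod are constructed for illustration; only the field names follow the Kubernetes pod spec.

```python
# Port range the report says must be open "All machines to all machines".
OPEN_RANGE = range(9000, 10000)  # 9000-9999 inclusive

def probe_port(container):
    """Return the numeric liveness-probe port of a container, or None."""
    probe = container.get("livenessProbe") or {}
    handler = probe.get("httpGet") or probe.get("tcpSocket") or {}
    port = handler.get("port")
    if isinstance(port, str):
        # A named port refers to an entry in the container's own ports list.
        named = {p.get("name"): p.get("containerPort") for p in container.get("ports", [])}
        port = named.get(port)
    return port

def exposed_probes(pod):
    """List (pod, container, port) for probes bound on the node in the open range."""
    spec = pod.get("spec", {})
    if not spec.get("hostNetwork", False):
        return []  # pod network namespace: the port is not opened on the node itself
    return [(pod["metadata"]["name"], c["name"], probe_port(c))
            for c in spec.get("containers", [])
            if probe_port(c) in OPEN_RANGE]

def make_pod(name, host_network, port):
    """Build a constructed pod spec with one container and a named probe port."""
    return {
        "metadata": {"name": name},
        "spec": {
            "hostNetwork": host_network,
            "containers": [{
                "name": "csi-driver",
                "ports": [{"name": "healthz", "containerPort": port}],
                "livenessProbe": {"httpGet": {"path": "/healthz", "port": "healthz"}},
            }],
        },
    }

# Constructed sample input, not taken from a real cluster.
SAMPLE_PODS = [
    make_pod("ebs-csi-node", True, 9808),     # the case described in the report
    make_pod("other-host-pod", True, 10500),  # host network, port outside the range
    make_pod("regular-pod", False, 9808),     # pod network, not bound on the node
]

def audit(pods):
    """Return every finding across a list of pod specs."""
    return [finding for pod in pods for finding in exposed_probes(pod)]

if __name__ == "__main__":
    for pod_name, container, port in audit(SAMPLE_PODS):
        print(f"{pod_name}/{container}: liveness port {port} is in the cluster-wide open range")
```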

Comment 1 Jan Safranek 2020-09-24 08:49:53 UTC
Enhancement with port allocation has been merged: https://github.com/openshift/enhancements/pull/479
Trying to catch 4.6

Comment 3 Qin Ping 2020-09-25 06:02:40 UTC
Verified with: 4.6.0-0.nightly-2020-09-24-235241

Comment 6 errata-xmlrpc 2020-10-27 16:41:19 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196