Bug 1943219
Field | Value | Field | Value
---|---|---|---
Summary | unable to install IPI PRIVATE OpenShift cluster in Azure - SSH access from the Internet should be blocked | |
Product | OpenShift Container Platform | Reporter | Christopher Wawak <cwawak>
Component | Installer | Assignee | Etienne Simard <esimard>
Installer sub component | openshift-installer | QA Contact | To Hung Sze <tsze>
Status | CLOSED ERRATA | Docs Contact |
Severity | medium | |
Priority | medium | CC | esimard, mstaeble, tsze
Version | 4.7 | |
Target Milestone | --- | |
Target Release | 4.8.0 | |
Hardware | Unspecified | |
OS | Unspecified | |
Whiteboard | | |
Fixed In Version | | Doc Type | Bug Fix
Story Points | --- | |
Clone Of | | Environment |
Last Closed | 2021-07-27 22:55:38 UTC | Type | ---
Regression | --- | Mount Type | ---
Documentation | --- | CRM |
Verified Versions | | Category | ---
oVirt Team | --- | RHEL 7.3 requirements from Atomic Host |
Cloudforms Team | --- | Target Upstream Version |
Embargoed | | |

Doc Text:

Cause: Private clusters deployed with IPI on Azure had an inbound NSG rule allowing SSH from any source to any destination.

Consequence: While SSH was not actually reachable from the Internet, this NSG rule could trigger an Azure security policy.

Fix: Remove the inbound NSG rule for SSH on Azure private clusters.

Result: That type of Azure security policy should no longer be triggered by a rule allowing SSH from the Internet. SSH is still allowed within the VNET through a default Azure NSG rule, as designed.
Description
Christopher Wawak
2021-03-25 15:20:41 UTC
Hello Christopher,

When deploying a cluster with the IPI on Azure, a temporary NSG rule is created to allow SSH to the bootstrap node. When you create a private cluster, the rule still exists, but you can't reach the bootstrap from the Internet (even when using the default configuration of "outboundType: Loadbalancer", as only Outbound NAT is enabled). The temporary NSG rule and the Bootstrap machine are destroyed as soon as the Bootstrap process is finished. Because no port is exposed to the Internet with a private cluster, you can only SSH to the bootstrap from the internal network.

I believe the reason your policy is flagging this is because the temporary NSG rule uses "Any" as the source. Thank you for the feedback, I will investigate how we can improve that NSG rule on private clusters.

My customer made the following suggestion:

> As a bug fix would it be possible for the NSG rule to set the source as the VNET since the VNET name is already provided during private cluster installs?

In that case, I suspect instead of being "Any", source as VNET wouldn't trigger at least that customer rule. Something to consider? Thanks!
(In reply to Christopher Wawak from comment #4)
> My customer made the following suggestion:
>
> > As a bug fix would it be possible for the NSG rule to set the source as the VNET since the VNET name is already provided during private cluster installs?
>
> In that case, I suspect instead of being "Any", source as VNET wouldn't trigger at least that customer rule. Something to consider? Thanks!

Hello Christopher,

Thank you for the suggestion. The intended design for private clusters regarding ssh access to the bootstrap node is to only be able to ssh to the bootstrap on the local network where it is deployed, which is what we're targeting on this bugzilla.

I got an ipi private cluster up with bootstrap. There is no public ip address for the bootstrap. Is there somewhere else I should check? Thanks.

(In reply to To Hung Sze from comment #8)
> I got an ipi private cluster up with bootstrap.
> There is no public ip address for the bootstrap.
> Is there somewhere else I should check?
> Thanks.

The expected behavior of this bug fix is that when you create a private cluster on Azure, the "bootstrap_ssh_in" NSG rule will not exist. That's what should be verified. Before the bug fix, this rule still existed on private clusters until the bootstrap was destroyed. It only affects the NSG rule (which would help with the security policy issue the user was running into). There was already no possible way to access SSH from the Internet on an IPI Azure private cluster.

I confirm, for internal cluster on Az, with 4.7, there is a rule that allows ssh:

Priority | Name | Port | Protocol | Source | Destination | Action
---|---|---|---|---|---|---
103 | bootstrap_ssh_in | 22 | Tcp | Any | Any | Allow

I can ssh into the bootstrap that has an external IP address via tszeaz051121b-prxnl-bootstrap-pip-v4. With 4.8, there is no such rule / external IP address. Marking as verified.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438
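The following is an added Python example, not openshift-installer code, that shows why the bootstrap_ssh_in rule trips a "SSH open to the Internet" policy and why SSH from the VNET still works after the fix: it walks an NSG's inbound rules the way Azure evaluates them (ascending priority, first match wins) including Azure's built-in default rules. The rule sets are constructed from the verification table above, and source matching is simplified to service-tag names with no CIDR arithmetic.

```python
"""Added example (not openshift-installer code): evaluate an Azure NSG's inbound
rules for TCP/22 the way Azure does, i.e. walk rules by ascending priority and
stop at the first match. Service tags are matched by name only (no CIDR math)."""
from dataclasses import dataclass


@dataclass
class Rule:
    priority: int
    name: str
    port: str      # "22", "22-23" or "*" (the portal displays "*" as "Any")
    protocol: str  # "Tcp", "Udp" or "*"
    source: str    # service tag such as "Internet"/"VirtualNetwork", or "*"
    access: str    # "Allow" or "Deny"


# Azure's built-in default inbound rules, present on every NSG.
DEFAULT_INBOUND = [
    Rule(65000, "AllowVnetInBound", "*", "*", "VirtualNetwork", "Allow"),
    Rule(65001, "AllowAzureLoadBalancerInBound", "*", "*", "AzureLoadBalancer", "Allow"),
    Rule(65500, "DenyAllInBound", "*", "*", "*", "Deny"),
]


def port_matches(rule_port: str, port: int) -> bool:
    """True if a single port or a 'lo-hi' range covers `port`."""
    if rule_port == "*":
        return True
    lo, _, hi = rule_port.partition("-")
    return int(lo) <= port <= int(hi or lo)


def effective_access(rules, source_tag, port, protocol="Tcp"):
    """Return (access, rule name) of the first matching rule in priority order."""
    for r in sorted(rules + DEFAULT_INBOUND, key=lambda x: x.priority):
        if (r.protocol in ("*", protocol) and r.source in ("*", source_tag)
                and port_matches(r.port, port)):
            return r.access, r.name
    return "Deny", "implicit"  # not reached: DenyAllInBound matches everything


# Constructed rule sets: 4.7 private clusters still carried bootstrap_ssh_in.
PRE_FIX = [Rule(103, "bootstrap_ssh_in", "22", "Tcp", "*", "Allow")]
POST_FIX = []  # 4.8: the temporary rule is no longer created for private clusters

if __name__ == "__main__":
    for label, rules in (("4.7", PRE_FIX), ("4.8", POST_FIX)):
        for src in ("Internet", "VirtualNetwork"):
            print(label, src, "-> TCP/22:", effective_access(rules, src, 22))
```

A policy scanner that looks only at the rule text sees an Allow with source "*" on port 22 and flags it, regardless of whether a public IP actually exists; removing the rule is what makes the finding go away.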