Bug 2183659
| Field | Value |
|---|---|
| Summary | Global permission [*] is seen in openshift-virtualization csv file for both cdi-operator and hostpath-provisioner-operator |
| Product | Container Native Virtualization (CNV) |
| Component | Storage |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | high |
| Version | 4.13.0 |
| Target Release | 4.14.0 |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | CNV v4.14.0.rhel9-1854 |
| Reporter | Debarati Basu-Nag <dbasunag> |
| Assignee | Alex Kalenyuk <akalenyu> |
| QA Contact | Debarati Basu-Nag <dbasunag> |
| CC | akalenyu, alitke, dafrank, pelauter, phoracek, yadu |
| Doc Type | If docs needed, set a value |
| Duplicates | 2237949 |
| Bug Blocks | 2237949 |
| Type | Bug |
| Last Closed | 2023-11-08 14:05:27 UTC |
Comment 2
Debarati Basu-Nag
2023-09-07 22:22:13 UTC
@akalenyu I still see the following for cdi operator:
======================
- apiGroups:
  - cdi.kubevirt.io
  - upload.cdi.kubevirt.io
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - cdi.kubevirt.io
  resources:
  - '*'
  verbs:
  - '*'
======================
This is as of CNV-v4.14.0.rhel9-1911

(In reply to Debarati Basu-Nag from comment #3)
> @akalenyu I still see the following for cdi operator:
> ======================
> - apiGroups:
>   - cdi.kubevirt.io
>   - upload.cdi.kubevirt.io
>   resources:
>   - '*'
>   verbs:
>   - '*'
> - apiGroups:
>   - cdi.kubevirt.io
>   resources:
>   - '*'
>   verbs:
>   - '*'
> ======================
>
> This is as of CNV-v4.14.0.rhel9-1911

Yeah, the * is kept for CDI resources. I think it should be marked as an exception (CDI can do anything on CDI resources).
I also did this for upstream tests.

@akalenyu, my understanding was there would be no global permissions. Can we be explicit about the verbs at least?

(In reply to Debarati Basu-Nag from comment #5)
> @akalenyu, my understanding was there would be no global
> permissions. Can we be explicit about the verbs at least?

Hmm, do you think there is risk in CDI having global permission for its own resources?

Limiting permissions ensures we get a chance to revisit and add permissions back on an `as needed` basis. This is what we are doing for all the operators. I feel this is also a more secure approach.

(In reply to Debarati Basu-Nag from comment #7)
> Limiting permissions ensures we get a chance to revisit and add permissions
> back on an `as needed` basis. This is what we are doing for all the
> operators. I feel this is also a more secure approach.

This is true, but, by definition, CDI works on all custom cdi.kubevirt.io resources and is allowed to do anything on them. Keeping a specific list here doesn't make sense IMO.

This PR cleans up RBAC permissions and we would like to have it in 4.14, please approve blocker.

*** Bug 2237949 has been marked as a duplicate of this bug. ***

Validated against CNV-v4.14.0.rhel9-2121.
I still see the following entries for hostpathprovisioner:
================================================
- apiGroups:
  - ''
  resources:
  - persistentvolumes
  verbs:
  - '*'
- apiGroups:
  - hostpathprovisioner.kubevirt.io
  resources:
  - '*'
  verbs:
  - '*'
permission:
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - '*'
- apiGroups:
  - storage.k8s.io
  resources:
  - csistoragecapacities
  verbs:
  - '*'
========================
The following are still seen for CDI:
========================
cluster_permission:
- apiGroups:
  - cdi.kubevirt.io
  - upload.cdi.kubevirt.io
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - cdi.kubevirt.io
  resources:
  - '*'
  verbs:
  - '*'

Accidentally marked it as verified before.

(In reply to Debarati Basu-Nag from comment #11)
> Validated against CNV-v4.14.0.rhel9-2121.
> I still see the following entries for hostpathprovisioner:
> ================================================
> - apiGroups:
>   - ''
>   resources:
>   - persistentvolumes
>   verbs:
>   - '*'
> - apiGroups:
>   - hostpathprovisioner.kubevirt.io
>   resources:
>   - '*'
>   verbs:
>   - '*'
> permission:
> - apiGroups:
>   - coordination.k8s.io
>   resources:
>   - leases
>   verbs:
>   - '*'
> - apiGroups:
>   - storage.k8s.io
>   resources:
>   - csistoragecapacities
>   verbs:
>   - '*'
>
> ========================

We created a clone for HPP: https://bugzilla.redhat.com/show_bug.cgi?id=2183659#c2

> The following are still seen for CDI:
> ========================
> cluster_permission:
> - apiGroups:
>   - cdi.kubevirt.io
>   - upload.cdi.kubevirt.io
>   resources:
>   - '*'
>   verbs:
>   - '*'
> - apiGroups:
>   - cdi.kubevirt.io
>   resources:
>   - '*'
>   verbs:
>   - '*'

See my reply https://bugzilla.redhat.com/show_bug.cgi?id=2183659#c8, by definition, CDI controllers can do anything on CDI resources.

Verified, based on above comment.

Will whitelist the following:
========
cluster_permission:
- apiGroups:
  - cdi.kubevirt.io
  - upload.cdi.kubevirt.io
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - cdi.kubevirt.io
  resources:
  - '*'
  verbs:
  - '*'

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Important: OpenShift Virtualization 4.14.0 Images security and bug fix update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:6817

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days
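The check the reporter is asking for in this thread (find every `'*'` in the CSV's RBAC rules and decide which ones are accepted exceptions), as an added example that is not code from the CNV, CDI or HPP projects. It walks the JSON form of a ClusterServiceVersion, the structure `oc get csv <name> -o json` prints, and flags any rule with a wildcard in apiGroups, resources or verbs. The `CSV_DOC` it ships with is constructed from the rules quoted in this bug; the CSV name and the non-wildcard configmaps rule are made up so the filter has something to ignore. `CDI_OWN_GROUPS` encodes the exception the thread settled on (CDI may do anything on its own API groups); a `'*'` apiGroup is never accepted, whatever the allowlist says.

```python
"""Flag wildcard RBAC rules in an OLM ClusterServiceVersion (CSV).

Added example; not code from the CNV, CDI or HPP projects. Reads the
spec.install.spec.clusterPermissions and .permissions sections of a CSV
and reports every rule that uses '*' in apiGroups, resources or verbs.
Rules whose API group is on an explicit allowlist are still reported but
marked as accepted. CSV_DOC is constructed from the rules quoted in this
bug; its metadata.name and the configmaps rule are made up.
"""
import json
import sys
from dataclasses import dataclass

WILDCARD = "*"


@dataclass(frozen=True)
class Finding:
    section: str           # "clusterPermissions" or "permissions"
    service_account: str
    api_group: str
    resource: str
    verbs: tuple
    allowlisted: bool      # True when the API group is an accepted exception


def group_is_allowlisted(api_group, allowlist):
    """Only a concrete, operator-owned API group may be exempted; a '*'
    apiGroup is never accepted even if '*' is placed on the allowlist."""
    return api_group != WILDCARD and api_group in allowlist


def iter_rules(csv_doc):
    """Yield (section, serviceAccountName, rule) for every RBAC rule in the CSV."""
    install_spec = csv_doc.get("spec", {}).get("install", {}).get("spec", {})
    for section in ("clusterPermissions", "permissions"):
        for perm in install_spec.get(section, []):
            sa = perm.get("serviceAccountName", "")
            for rule in perm.get("rules", []):
                yield section, sa, rule


def find_wildcards(csv_doc, allowlist=()):
    """One Finding per (apiGroup, resource) pair whose rule carries a '*'
    in the group, the resource or the verbs. Rules without any wildcard
    produce nothing."""
    findings = []
    for section, sa, rule in iter_rules(csv_doc):
        verbs = tuple(rule.get("verbs", []))
        for group in rule.get("apiGroups", [""]):  # "" is the core API group
            for resource in rule.get("resources", []):
                if WILDCARD not in (group, resource) and WILDCARD not in verbs:
                    continue
                findings.append(Finding(section, sa, group, resource, verbs,
                                        group_is_allowlisted(group, allowlist)))
    return findings


def unresolved(findings):
    """Findings that still need a scoped-down rule (not allowlisted)."""
    return [f for f in findings if not f.allowlisted]


def format_report(findings):
    """One line per finding; 'FIX' marks the ones that are not accepted."""
    lines = []
    for f in findings:
        status = "accepted" if f.allowlisted else "FIX"
        group = f.api_group or '""'
        lines.append(f"{status:8} {f.section}/{f.service_account}: "
                     f"apiGroup={group} resource={f.resource} verbs={','.join(f.verbs)}")
    return lines


def rule(groups, resources, verbs):
    return {"apiGroups": groups, "resources": resources, "verbs": verbs}


# Constructed CSV fragment mirroring the rules quoted in this bug.
CSV_DOC = {
    "apiVersion": "operators.coreos.com/v1alpha1",
    "kind": "ClusterServiceVersion",
    "metadata": {"name": "example-csv"},  # placeholder, not a real CSV name
    "spec": {"install": {"spec": {
        "clusterPermissions": [
            {"serviceAccountName": "cdi-operator", "rules": [
                rule(["cdi.kubevirt.io", "upload.cdi.kubevirt.io"], ["*"], ["*"]),
                rule(["cdi.kubevirt.io"], ["*"], ["*"]),
            ]},
            {"serviceAccountName": "hostpath-provisioner-operator", "rules": [
                rule([""], ["persistentvolumes"], ["*"]),
                rule(["hostpathprovisioner.kubevirt.io"], ["*"], ["*"]),
            ]},
        ],
        "permissions": [
            {"serviceAccountName": "hostpath-provisioner-operator", "rules": [
                rule(["coordination.k8s.io"], ["leases"], ["*"]),
                rule(["storage.k8s.io"], ["csistoragecapacities"], ["*"]),
                rule([""], ["configmaps"], ["get", "list", "watch"]),  # made up, no wildcard
            ]},
        ],
    }}},
}

# The exception agreed on in this bug: CDI may do anything on its own groups.
CDI_OWN_GROUPS = ("cdi.kubevirt.io", "upload.cdi.kubevirt.io")

if __name__ == "__main__":
    # Usage: python csv_wildcards.py [csv.json]; with no file, scan CSV_DOC.
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else CSV_DOC
    found = find_wildcards(doc, CDI_OWN_GROUPS)
    print("\n".join(format_report(found)))
    sys.exit(1 if unresolved(found) else 0)
```

Run against the constructed document it reports seven wildcard pairs, three of them accepted (the CDI rules) and four marked FIX (the HPP entries the reporter listed); the non-zero exit status makes it usable as a gate in CI on a CSV dumped from a cluster.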