Bug 1640639 - Manila provisioner creates CephFS+NFS share allowing 0.0.0.0/0
Summary: Manila provisioner creates CephFS+NFS share allowing 0.0.0.0/0
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Storage
Version: 3.11.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ---
Target Release: 3.11.z
Assignee: Tomas Smetana
QA Contact: Chao Yang
URL:
Whiteboard:
Depends On:
Blocks: 1571739
Reported: 2018-10-18 13:11 UTC by Alberto Gonzalez
Modified: 2019-07-19 15:00 UTC (History)

Fixed In Version: openshift-external-storage-0.0.2-4.gitd3c94f0.el7
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-07-19 15:00:27 UTC
Target Upstream Version:
Embargoed:



Description Alberto Gonzalez 2018-10-18 13:11:30 UTC
Description of problem:

Using manila-provisioner, the NFS allow access is 0.0.0.0/0, making it possible to access the data from outside the OCP cluster.

Version-Release number of selected component (if applicable):

OCP 3.11 with latest image
registry.redhat.io/openshift3/manila-provisioner:latest

How reproducible:

Steps to Reproduce:
1. Create a PVC using Manila-provisioner with CephFS+NFS
2. Wait till PV is ready
3. Check manila access-list for the share

Actual results:
(overcloud) [stack@undercloud ~]$  manila access-list pvc-88ce671a-d2bb-11e8-83ca-fa163eaa3d72 
+--------------------------------------+-------------+-----------+--------------+--------+------------+----------------------------+------------+
| id                                   | access_type | access_to | access_level | state  | access_key | created_at                 | updated_at |
+--------------------------------------+-------------+-----------+--------------+--------+------------+----------------------------+------------+
| fb81e653-f058-4e08-ad81-d538c7d91753 | ip          | 0.0.0.0/0 | rw           | active | None       | 2018-10-18T09:52:39.000000 | None       |
+--------------------------------------+-------------+-----------+--------------+--------+------------+----------------------------+------------+


Expected results:
Only the nodes from OCP should be allowed access, or at least it should be possible to specify this when the PVC is defined.

Master Log:

Node Log (of failed PODs):

PV Dump:

PVC Dump:

StorageClass Dump (if StorageClass used by PV/PVC):

Additional info:

Comment 1 Alberto Gonzalez 2018-10-24 12:25:45 UTC
Here is the code where 0.0.0.0/0 is set (BTW, it is not working, only 0.0.0.0 does!):
https://github.com/kubernetes/cloud-provider-openstack/blob/master/pkg/share/manila/sharebackends/nfs.go#L52

Comment 2 Tomas Smetana 2018-10-26 10:41:48 UTC
The code referenced in comment #1 is not the Manila provisioner we have in 3.11 -- there is still the old version from the external-storage repo. The old one has the same bug though (in a different place). I will have to fix this just by adding a patch to the dist-git with the external-storage rpm.

Comment 3 Tomas Smetana 2018-11-20 13:53:13 UTC
Upstream PR: https://github.com/kubernetes/cloud-provider-openstack/pull/370

Comment 8 Chao Yang 2018-12-06 03:24:39 UTC
This bug https://bugzilla.redhat.com/show_bug.cgi?id=1616343 is used to track the above issue.

