The HCO Operator in namespace openshift-cnv, triggered by cr 'hyperconverged-cluster' (kind HCO), creates the non-namespaced cr 'cluster' (kind NetworkAddonsConfig). hyperconverged-cluster (namespaced) is the owner of 'cluster' (non-namespaced). This cross-namespace ownership may lead to GC deletions of resources. See Bug 1693905 (CVE-2019-3884) - CVE-2019-3884 atomic-openshift: cross-namespace owner references can trigger deletions of valid children

Version-Release number of selected component (if applicable): 2.2.0

Steps to Reproduce:
1. install CNV
To verify:
1. install CNV
2. Make sure all network-related components were installed.
3. Remove HCO CRD.
4. Make sure all network components besides the network addon operator and the network addon CRDs were removed.
Client Version: 4.3.0-0.nightly-2020-01-08-181129
Server Version: 4.3.0-0.nightly-2020-01-08-181129
Kubernetes Version: v1.16.2
CNV 2.2

After removing the HCO CRD, all the network component resources, including the network addon CRDs, are removed.
(In reply to Yan Du from comment #2)
> After removing hco crd, all the network components resources including the
> network addon crds are all removed.

I believe this is behaviour we want to keep. The flaw is that it used to be done via ownerReferences (`kubectl get NetworkAddonsConfig -o yaml | grep -C 5 ownerReferences`). The ownerReferences weren't legal (a cluster-scoped object owned by a namespaced object). Because of this, the deletion might happen when the garbage collector runs, that is, without any user interaction.
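An added audit script, not part of this bug report or of the HCO project, that applies the rule the comment above describes to a constructed inventory of objects: an ownerReference carries no namespace, so the garbage collector looks a namespaced owner up in the dependent's own namespace, and a cluster-scoped dependent can only have cluster-scoped owners; any owner that does not resolve is treated as gone and the dependent becomes collectable. The scope map, the kind name `HCO` (the report's shorthand) and the sample objects are assumptions for the example; a live audit would feed it `kubectl get ... -o json` output and `kubectl api-resources --namespaced=false`.

```python
from typing import List, Set, Tuple

# Constructed for this example: kinds that are cluster-scoped. In a live audit
# build this set from `kubectl api-resources --namespaced=false`.
CLUSTER_SCOPED: Set[str] = {"NetworkAddonsConfig", "Namespace", "ClusterRole"}


def audit_owner_references(objects: List[dict], cluster_scoped: Set[str]) -> List[str]:
    """Return one finding per ownerReference the garbage collector cannot resolve.

    Mirrors GC resolution: a namespaced owner is looked up in the dependent's
    own namespace; a cluster-scoped dependent may only name cluster-scoped
    owners. An unresolvable owner counts as deleted, so the dependent is
    garbage-collected without any user action.
    """
    # Inventory of live objects keyed by (kind, namespace or None, name).
    live: Set[Tuple[str, str, str]] = {
        (o["kind"], o["metadata"].get("namespace"), o["metadata"]["name"]) for o in objects
    }
    findings: List[str] = []
    for o in objects:
        kind, meta = o["kind"], o["metadata"]
        name, ns = meta["name"], meta.get("namespace")
        me = f"{kind}/{name}" + (f" (ns {ns})" if ns else " (cluster-scoped)")
        for ref in meta.get("ownerReferences", []):
            owner = f"{ref['kind']}/{ref['name']}"
            if kind in cluster_scoped and ref["kind"] not in cluster_scoped:
                # The case from this report: cluster-scoped child, namespaced owner.
                findings.append(f"{me}: illegal owner {owner}: cluster-scoped object owned by namespaced kind")
            else:
                owner_ns = None if ref["kind"] in cluster_scoped else ns
                if (ref["kind"], owner_ns, ref["name"]) not in live:
                    findings.append(f"{me}: dangling owner {owner}: not found where the GC looks (ns {owner_ns})")
    return findings


# Constructed sample inventory modelled on the report: the HCO cr, the
# cluster-scoped NetworkAddonsConfig it owns, one valid dependent and one whose
# owner lives in a different namespace than the GC will search.
SAMPLE = [
    {"kind": "HCO", "metadata": {"name": "hyperconverged-cluster", "namespace": "openshift-cnv"}},
    {"kind": "NetworkAddonsConfig", "metadata": {"name": "cluster", "ownerReferences": [{"kind": "HCO", "name": "hyperconverged-cluster"}]}},
    {"kind": "ConfigMap", "metadata": {"name": "ok", "namespace": "openshift-cnv", "ownerReferences": [{"kind": "HCO", "name": "hyperconverged-cluster"}]}},
    {"kind": "ConfigMap", "metadata": {"name": "orphan", "namespace": "other", "ownerReferences": [{"kind": "HCO", "name": "hyperconverged-cluster"}]}},
]

if __name__ == "__main__":
    for finding in audit_owner_references(SAMPLE, CLUSTER_SCOPED):
        print(finding)
```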
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:0307