Description of problem:
hostnetwork pod can access MCS port 22623 or 22624 on master on Kuryr cluster. We should restrict that on Kuryr as well like it's done in OpenShiftSDN.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. Create a hostnetwork pod with kubeadmin as user
$ oc login -u kubeadmin -p xxxxx
$ oc create -f https://raw.githubusercontent.com/anuragthehatter/v3-testfiles/master/networking/hostnetwork-pod.json
2. oc rsh into pod and curl on master IP on port 22623 and 22624
$ oc rsh hello-pod
~$ curl -I http://10.0.129.26:22623/config/master -k
HTTP/2 200
~$ curl -I http://10.0.129.26:22623/config/master -k
HTTP/2 200

Actual results:
Hostnetwork pod can access MCS ports

Expected results:
Hostnetwork pod should not access MCS ports
Verified in 4.6.0-0.nightly-2020-07-14-035247 on top of OSP 13 2020-07-09.1 puddle. The MCS ports are not accessible from the hostnetwork pod in a cluster with Kuryr.

$ oc rsh hostnetwork-pod
/ # curl -I http://10.196.1.176:22623/config/master -k
curl: (7) Failed to connect to 10.196.1.176 port 22623: Connection refused
/ # curl -I http://10.196.1.176:22624/config/master -k
curl: (7) Failed to connect to 10.196.1.176 port 22624: Connection refused
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196