Bug 1856289 - [kuryr] hostnetwork pod can access MCS port 22623 or 22624 on master
Summary: [kuryr] hostnetwork pod can access MCS port 22623 or 22624 on master
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.6
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ---
: 4.6.0
Assignee: Michał Dulko
QA Contact: GenadiC
URL:
Whiteboard:
Depends On:
Blocks: 1856374
TreeView+ depends on / blocked
 
Reported: 2020-07-13 10:09 UTC by Michał Dulko
Modified: 2020-10-27 16:14 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-10-27 16:13:56 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift cluster-network-operator pull 698 0 None closed Bug 1856289: Block MCS and metadata for host-networking pods 2021-02-11 10:50:14 UTC
Red Hat Product Errata RHBA-2020:4196 0 None None None 2020-10-27 16:14:27 UTC

Description Michał Dulko 2020-07-13 10:09:57 UTC
Description of problem:
hostnetwork pod can access MCS port 22623 or 22624 on master on Kuryr cluster. We should restrict that on Kuryr as well like it's done in OpenShiftSDN

Version-Release number of selected component (if applicable):


How reproducible: Always


Steps to Reproduce:
1.Create a hostnetwork pod with kubeadmin as user
$ oc login -u kubeadmin -p xxxxx
$oc create -f https://raw.githubusercontent.com/anuragthehatter/v3-testfiles/master/networking/hostnetwork-pod.json

2.oc rsh into pod and curl on master IP on port 22623 and 22624

$ oc rsh hello-pod
 ~$curl -I http://10.0.129.26:22623/config/master -k
     HTTP/2 200 
 ~$curl -I http://10.0.129.26:22623/config/master -k
     HTTP/2 200 


Actual results: Hostnetwork pod can access MCS ports


Expected results: Hostnetwork pod should not access MCS ports

Comment 3 Jon Uriarte 2020-07-14 15:00:16 UTC
Verified in 4.6.0-0.nightly-2020-07-14-035247 on top of OSP 13 2020-07-09.1 puddle.

The MCS ports are not accessible from the hostnetwork pod in a cluster with Kuryr.

$ oc rsh hostnetwork-pod
/ # curl -I http://10.196.1.176:22623/config/master -k
curl: (7) Failed to connect to 10.196.1.176 port 22623: Connection refused
/ # curl -I http://10.196.1.176:22624/config/master -k
curl: (7) Failed to connect to 10.196.1.176 port 22624: Connection refused

Comment 5 errata-xmlrpc 2020-10-27 16:13:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196


Note You need to log in before you can comment on or make changes to this bug.