Description of problem:
SSH to api and console URL is possible and this looks like a security threat. Private key is required though to be able to SSH to route URLs. Looks like SSH is possible as Floating IP is attached to apiVIP and ingressVIP.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Try to SSH to api and console route URL when cluster is hosted on OpenStack
SSH to api URL and console route should not be allowed
SSH can be done as floating IP is assigned to api VIP and ingress VIP.
Refer to comment section
I know SSH access to the API-int and ingress is not really possible on cloud platforms, since usually that's the address of a cloud LB. Could you give me more info on what poses the security risk in being able to SSH to master or worker nodes from another IP address than the node one?
(shiftstack) [stack@undercloud-0 ~]$ oc get clusterversion
NAME VERSION AVAILABLE PROGRESSING SINCE STATUS
version 4.8.0-0.nightly-2021-04-17-044339 True False 3d1h Cluster version is 4.8.0-0.nightly-2021-04-17-044339
(shiftstack) [stack@undercloud-0 ~]$ ping api.ostest.shiftstack.com
PING api.ostest.shiftstack.com (10.0.0.155) 56(84) bytes of data.
64 bytes from api.ostest.shiftstack.com (10.0.0.155): icmp_seq=1 ttl=63 time=1.91 ms
(shiftstack) [stack@undercloud-0 ~]$ ssh email@example.com
ssh: connect to host api.ostest.shiftstack.com port 22: Connection timed out
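The verification above can be repeated as a scripted check. This is an added example, not part of the original bug report: it classifies TCP port 22 on the API and console route hostnames as seen from the machine running it. The function names and the console route hostname are assumptions; only api.ostest.shiftstack.com appears in the report.

```python
import socket
import sys

# The api host is taken from the report; the console route host is an assumed name.
HOSTS = ["api.ostest.shiftstack.com",
         "console-openshift-console.apps.ostest.shiftstack.com"]

def ssh_exposure(host, port=22, timeout=5.0):
    """Classify TCP/22 on host as seen from this machine."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                # An SSH server speaks first and sends "SSH-2.0-..." on connect.
                banner = s.recv(255)
            except (socket.timeout, ConnectionError):
                banner = b""
    except socket.gaierror:
        return "unresolved"   # name does not resolve from here
    except ConnectionRefusedError:
        return "refused"      # address reachable, nothing listening on the port
    except OSError:
        return "filtered"     # timed out or unreachable, as in the ssh output above
    return "exposed" if banner.startswith(b"SSH-") else "open-no-banner"

def audit(hosts, port=22, timeout=5.0):
    """Return {host: state}; an 'exposed' state means the VIP answers SSH."""
    return {h: ssh_exposure(h, port, timeout) for h in hosts}

if __name__ == "__main__":
    results = audit(HOSTS)
    for host, state in results.items():
        print(f"{host}: {state}")
    # Non-zero exit when any VIP hostname presents an SSH banner.
    sys.exit(1 if "exposed" in results.values() else 0)
```

A "filtered" result corresponds to the "Connection timed out" seen in the verification; run the check from outside the cluster network, where the floating IPs are reachable.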
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.