Description of problem:
SSH to the api and console URLs is possible and this looks like a security threat. A private key is still required to be able to SSH to the route URLs. It looks like SSH is possible because a Floating IP is attached to the apiVIP and ingressVIP.

Version-Release number of selected component (if applicable):
OpenShift 4.5

How reproducible:
Always

Steps to Reproduce:
1. Try to SSH to the api and console route URLs when the cluster is hosted on OpenStack

Actual results:
SSH to the api URL and console route should not be allowed

Expected results:
SSH can be done as a floating IP is assigned to the api VIP and ingress VIP.

Additional info:
Refer to the comment section
I know that SSH access to the API-int and ingress is not really possible on cloud platforms, since usually that's the address of a cloud LB. Could you give me more info on what poses the security risk in being able to SSH to master or worker nodes from another IP address than the node one?
Verified on:

(shiftstack) [stack@undercloud-0 ~]$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.8.0-0.nightly-2021-04-17-044339   True        False         3d1h    Cluster version is 4.8.0-0.nightly-2021-04-17-044339

RHOSP 16.1

(shiftstack) [stack@undercloud-0 ~]$ ping api.ostest.shiftstack.com
PING api.ostest.shiftstack.com (10.0.0.155) 56(84) bytes of data.
64 bytes from api.ostest.shiftstack.com (10.0.0.155): icmp_seq=1 ttl=63 time=1.91 ms

(shiftstack) [stack@undercloud-0 ~]$ ssh core.shiftstack.com
ssh: connect to host api.ostest.shiftstack.com port 22: Connection timed out
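The manual verification above (ping the VIP hostname, then confirm that TCP/22 times out) can be turned into a repeatable regression check. The script below is an added example, not code from the bug report or from OpenShift; it assumes the API VIP is reachable as api.<base domain> and the console route as console-openshift-console.apps.<base domain>, and treats a reachable port 22 on either as a finding.

```python
"""Regression check: TCP/22 must NOT be reachable on the API and ingress VIP
endpoints of an OpenShift-on-OpenStack cluster (added example, not from the
bug report). Hostnames are constructed from an assumed cluster base domain."""
import socket
import sys


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connection to host:port completes within timeout.
    DNS failures, refusals and timeouts all count as 'not reachable'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except (OSError, socket.timeout):
        return False


def vip_endpoints(base_domain: str) -> dict:
    """Hostnames fronting the apiVIP and ingressVIP floating IPs.
    Assumption: default console route name under the *.apps wildcard."""
    return {
        "api": f"api.{base_domain}",
        "console": f"console-openshift-console.apps.{base_domain}",
    }


def check_ssh_exposure(base_domain: str, port: int = 22,
                       timeout: float = 3.0) -> dict:
    """Map endpoint name -> True when the SSH port answers (a finding)."""
    return {name: tcp_reachable(host, port, timeout)
            for name, host in vip_endpoints(base_domain).items()}


if __name__ == "__main__":
    # Base domain from the verification comment above; pass another as argv[1].
    domain = sys.argv[1] if len(sys.argv) > 1 else "ostest.shiftstack.com"
    findings = check_ssh_exposure(domain)
    for name, exposed in findings.items():
        print(f"{name}: {'EXPOSED on port 22' if exposed else 'ok (unreachable)'}")
    sys.exit(1 if any(findings.values()) else 0)
```

A non-zero exit means at least one VIP endpoint still accepts connections on port 22, which is the condition the bug describes.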
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:2438