Bug 1873079 - SSH to api and console route is possible when the clsuter is hosted on Openstack
Summary: SSH to api and console route is possible when the clsuter is hosted on Openstack
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 4.8
Hardware: x86_64
OS: Linux
medium
medium
Target Milestone: ---
: 4.8.0
Assignee: Emilien Macchi
QA Contact: Udi Shkalim
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-08-27 10:26 UTC by Arnab Ghosh
Modified: 2021-07-27 22:33 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-07-27 22:32:47 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift installer pull 4659 0 None open Bug 1873079: Bug 1873079: openstack: restrict SSH to machineNetwork CIDR 2021-02-16 00:15:34 UTC
Red Hat Product Errata RHSA-2021:2438 0 None None None 2021-07-27 22:33:31 UTC

Internal Links: 1951535

Description Arnab Ghosh 2020-08-27 10:26:55 UTC
Description of problem:
SSH to api and console URL is possible and this looks like a security threats. Private key is required though to be able to ssh to route URL's. Looks like SSH is possible as Floating IP is attached to apiVIP and ingressVIP.


Version-Release number of selected component (if applicable):
Openshift 4.5

How reproducible:
Always

Steps to Reproduce:
1. Try to SSH to api and console route URL when cluster is hosted on Openstack 
2.
3.

Actual results:
SSH to api URL and console route should not be allowed

Expected results:
SSH can be done as floating IP is assigned to api VIP and ingress VIP.

Additional info:
Refer to comment section

Comment 2 Antoni Segura Puimedon 2020-08-27 11:20:24 UTC
I know it SSH access to the API-int and ingress is not really possible on cloud platforms, since usually that's the address of a cloud LB. Could you give me more info on what poses the security risk in being able to SSH to master or worker nodes from another IP address than the node one?

Comment 15 Udi Shkalim 2021-04-20 12:22:16 UTC
Verified on:

(shiftstack) [stack@undercloud-0 ~]$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.8.0-0.nightly-2021-04-17-044339   True        False         3d1h    Cluster version is 4.8.0-0.nightly-2021-04-17-044339

RHOSP 16.1

(shiftstack) [stack@undercloud-0 ~]$ ping api.ostest.shiftstack.com
PING api.ostest.shiftstack.com (10.0.0.155) 56(84) bytes of data.
64 bytes from api.ostest.shiftstack.com (10.0.0.155): icmp_seq=1 ttl=63 time=1.91 ms

(shiftstack) [stack@undercloud-0 ~]$ ssh core@api.ostest.shiftstack.com
ssh: connect to host api.ostest.shiftstack.com port 22: Connection timed out

Comment 18 errata-xmlrpc 2021-07-27 22:32:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438


Note You need to log in before you can comment on or make changes to this bug.