1879406 – CSI driver liveness probe should not be accessible from outside

Bug 1879406 - CSI driver liveness probe should not be accessible from outside

Summary: CSI driver liveness probe should not be accessible from outside

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Storage
Sub Component:
Version:	4.6
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	medium
Target Milestone:	---
Target Release:	4.6.0
Assignee:	Jan Safranek
QA Contact:	Qin Ping
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2020-09-16 08:47 UTC by Jan Safranek
Modified:	2020-10-27 16:41 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-10-27 16:41:19 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Github	openshift aws-ebs-csi-driver-operator pull 94	None	closed	Bug 1879406: Use port 10300-10301 for liveness probes	2020-09-29 08:02:48 UTC
Github	openshift ovirt-csi-driver-operator pull 30	None	closed	Bug 1879406: Use port 10300-10301 for liveness probes	2020-09-29 08:02:48 UTC
Red Hat Product Errata	RHBA-2020:4196	None	None	None	2020-10-27 16:41:40 UTC

Description Jan Safranek 2020-09-16 08:47:14 UTC

OCP AWS EBS and oVirt CSI drivers use "hostNetwork: true" and at the same time they use port 9808 for their liveness probes. Since range 9000 - 9999 is required to be accessible "All machines to all machines" in our docs [1], the liveness probe is accessible from all machines, which is not really wanted. Liveness probe should be accessible from the host only.

1: https://github.com/openshift/openshift-docs/blob/master/modules/installation-network-user-infra.adoc

Comment 1 Jan Safranek 2020-09-24 08:49:53 UTC

Enhancement with port allocation has been merged: https://github.com/openshift/enhancements/pull/479
Trying to catch 4.6

Comment 3 Qin Ping 2020-09-25 06:02:40 UTC

Verified with: 4.6.0-0.nightly-2020-09-24-235241

Comment 6 errata-xmlrpc 2020-10-27 16:41:19 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196

Note You need to log in before you can comment on or make changes to this bug.