Bug 1879406 - CSI driver liveness probe should not be accessible from outside
Summary: CSI driver liveness probe should not be accessible from outside
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Storage
Version: 4.6
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
: 4.6.0
Assignee: Jan Safranek
QA Contact: Qin Ping
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-09-16 08:47 UTC by Jan Safranek
Modified: 2020-10-27 16:41 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-10-27 16:41:19 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift aws-ebs-csi-driver-operator pull 94 0 None closed Bug 1879406: Use port 10300-10301 for liveness probes 2020-09-29 08:02:48 UTC
Github openshift ovirt-csi-driver-operator pull 30 0 None closed Bug 1879406: Use port 10300-10301 for liveness probes 2020-09-29 08:02:48 UTC
Red Hat Product Errata RHBA-2020:4196 0 None None None 2020-10-27 16:41:40 UTC

Description Jan Safranek 2020-09-16 08:47:14 UTC
OCP AWS EBS and oVirt CSI drivers use "hostNetwork: true" and at the same time they use port 9808 for their liveness probes. Since range 9000 - 9999 is required to be accessible "All machines to all machines" in our docs [1], the liveness probe is accessible from all machines, which is not really wanted. Liveness probe should be accessible from the host only.

1: https://github.com/openshift/openshift-docs/blob/master/modules/installation-network-user-infra.adoc

Comment 1 Jan Safranek 2020-09-24 08:49:53 UTC
Enhancement with port allocation has been merged: https://github.com/openshift/enhancements/pull/479
Trying to catch 4.6

Comment 3 Qin Ping 2020-09-25 06:02:40 UTC
Verified with: 4.6.0-0.nightly-2020-09-24-235241

Comment 6 errata-xmlrpc 2020-10-27 16:41:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196


Note You need to log in before you can comment on or make changes to this bug.