Bug 1996689 - RestrictedEndpointsAdmission controller needs to restrict EndpointSlices as well
Summary: RestrictedEndpointsAdmission controller needs to restrict EndpointSlices as well
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: kube-apiserver
Version: 4.9
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.9.0
Assignee: Dan Winship
QA Contact: zhaozhanqi
Duplicates: 1996160
Depends On: 1996160
Reported: 2021-08-23 13:29 UTC by Dan Winship
Modified: 2021-10-18 17:48 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2021-10-18 17:47:55 UTC
Target Upstream Version:


External trackers:
- GitHub openshift/kubernetes pull 899 (last updated 2021-08-26 17:00:31 UTC)
- Red Hat Product Errata RHSA-2021:3759 (last updated 2021-10-18 17:48:09 UTC)

Description Dan Winship 2021-08-23 13:29:48 UTC
The restricted endpoints admission controller (which prevents unprivileged users from creating Endpoints pointing into the cluster or service networks) needs to be updated to restrict EndpointSlice admission as well, or else we'll be vulnerable to CVE-2021-25740.

Comment 1 Miciah Dashiel Butler Masters 2021-08-30 16:49:43 UTC
*** Bug 1996160 has been marked as a duplicate of this bug. ***

Comment 2 Dan Winship 2021-08-31 14:55:16 UTC
EndpointSlices are more locked-down than Endpoints anyway, so there is no CVE here and this isn't a blocker.

I'm going to slightly rearrange the tangle of bugs to better reflect current reality.
This bug is ONLY about EndpointSlice admission.

Comment 3 Dan Winship 2021-09-20 20:54:41 UTC
The fix merged in 4.9. The associated e2e test hasn't merged yet. Once that merges to 4.10 I'll file a new bug to backport.

Meanwhile, the actual fix can be QE'ed.

https://github.com/openshift/origin/pull/26423/commits/3927b98e5da61c098c24128364fcdb0944093d42#diff-d5ddebcb0e498481b8443be84f9a99e3903384f7dedcd98b22e4d0d5bb79e05dR98-R118 shows what should be tested:

  - by default, project-level admins cannot make any changes to EndpointSlices in their project namespaces

  - if you create a rolebinding giving them "update" permission on EndpointSlices in their namespace,
    then they can change things like the annotations on an EndpointSlice, and they can change one of
    the IPs in an EndpointSlice to an external IP, but they still can't change it to a pod or service
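The two test expectations above can be modelled in a few lines of Go. This is an added illustration, not the OpenShift admission controller's own code: it assumes constructed pod and service CIDRs (10.128.0.0/14 and 172.30.0.0/16) and a simplified rule that an address is accepted if it already existed in the old slice or lies outside the restricted networks.

```go
package main

import (
	"fmt"
	"net"
)

// restrictedNets holds the cluster (pod) and service CIDRs that unprivileged
// users must not point endpoints into. Constructed sample values, not taken
// from any real cluster.
var restrictedNets = mustParseCIDRs("10.128.0.0/14", "172.30.0.0/16")

func mustParseCIDRs(cidrs ...string) []*net.IPNet {
	var nets []*net.IPNet
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

// isRestricted reports whether addr falls inside the pod or service network.
// Unparseable addresses are treated as restricted so they are rejected.
func isRestricted(addr string) bool {
	ip := net.ParseIP(addr)
	if ip == nil {
		return true
	}
	for _, n := range restrictedNets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// admitEndpointSlice applies the simplified rule (an assumption, not the real
// controller's logic): an update is allowed when every address in the new
// slice was already present in the old slice or is outside the restricted
// networks. Changing an IP to an external one passes; changing it to a pod
// or service IP is refused.
func admitEndpointSlice(oldAddrs, newAddrs []string) error {
	old := map[string]bool{}
	for _, a := range oldAddrs {
		old[a] = true
	}
	for _, a := range newAddrs {
		if old[a] {
			continue
		}
		if isRestricted(a) {
			return fmt.Errorf("endpoint address %s points into the cluster or service network", a)
		}
	}
	return nil
}

func main() {
	existing := []string{"10.128.2.15"} // constructed pod IP already in the slice
	fmt.Println(admitEndpointSlice(existing, []string{"192.0.2.10"})) // <nil>
	fmt.Println(admitEndpointSlice(existing, []string{"172.30.0.5"})) // error
}
```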

Comment 5 zhaozhanqi 2021-09-23 05:53:05 UTC
hi, @danw 

I'm trying to verify this bug on 4.9.0-0.nightly-2021-09-21-215600. However, now a normal user cannot change annotations on an EndpointSlice even though I gave an update rolebinding; see steps:

1. oc login to the cluster as normal user testuser-0
2. oc new-project z1
3. Create a test pod and service with 'oc create -f https://raw.githubusercontent.com/openshift/verification-tests/master/testdata/networking/list_for_pods.json'

4. Check pods and endpointslices

$ oc get pod -n z1 
test-rc-nh59s   1/1     Running   0          3h13m
test-rc-xdj8g   1/1     Running   0          3h13m
$ oc get endpointslices.discovery.k8s.io -n z1
NAME                 ADDRESSTYPE   PORTS   ENDPOINTS                 AGE
test-service-2ch9h   IPv4          8080,   3h13m

5. Grant the rolebinding as admin user

$ oc create role -n z1 endpointslice-edit --verb=update --resource=endpointslices.discovery.k8s.io

$ oc create rolebinding -n z1 user-eps-edit --role=endpointslice-edit --user=testuser-0

6. Now check the rolebinding as testuser-0

$ oc get role -n z1 endpointslice-edit -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: "2021-09-23T05:28:56Z"
  name: endpointslice-edit
  namespace: z1
  resourceVersion: "464091"
  uid: a122d44a-0164-405a-91e3-c86d587f08c2
rules:
- apiGroups:
  - discovery.k8s.io
  resources:
  - endpointslices
  verbs:
  - update

$ oc get rolebinding -n z1 user-eps-edit -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: "2021-09-23T05:31:20Z"
  name: user-eps-edit
  namespace: z1
  resourceVersion: "464800"
  uid: 95fda5eb-3f2e-4201-a3e6-38e1030b7c2f
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: endpointslice-edit
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: testuser-0

7. Now edit the endpointslice and add an annotation

$ oc annotate endpointslices test-service-2ch9h test2=test2 -n z1
Error from server (Forbidden): endpointslices.discovery.k8s.io "test-service-2ch9h" is forbidden: User "testuser-0" cannot patch resource "endpointslices" in API group "discovery.k8s.io" in the namespace "z1"

Please correct me if the above steps are not correct, thanks.

Comment 7 Dan Winship 2021-09-23 18:47:19 UTC
> $ oc create role -n z1 endpointslice-edit --verb=update --resource=endpointslices.discovery.k8s.io

> $ oc annotate endpointslices test-service-2ch9h test2=test2 -n z1
> Error from server (Forbidden): endpointslices.discovery.k8s.io "test-service-2ch9h" is forbidden: User "testuser-0" cannot patch resource "endpointslices" in API group "discovery.k8s.io" in the namespace "z1"

Ah, you gave yourself "update" permission but "oc annotate" does a Patch rather than an Update. Try creating the role with "--verb=update,patch". (Or else use "oc edit" rather than "oc annotate".)

Comment 8 zhaozhanqi 2021-09-27 07:34:10 UTC
Yes, after adding patch, it works.

Moving this to Verified.

Comment 10 errata-xmlrpc 2021-10-18 17:47:55 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

