Bug 1996689 - RestrictedEndpointsAdmission controller needs to restrict EndpointSlices as well
Summary: RestrictedEndpointsAdmission controller needs to restrict EndpointSlices as well
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: kube-apiserver
Version: 4.9
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ---
: 4.9.0
Assignee: Dan Winship
QA Contact: zhaozhanqi
URL:
Whiteboard:
: 1996160 (view as bug list)
Depends On: 1996160
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-08-23 13:29 UTC by Dan Winship
Modified: 2021-10-18 17:48 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-10-18 17:47:55 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift kubernetes pull 899 0 None None None 2021-08-26 17:00:31 UTC
Red Hat Product Errata RHSA-2021:3759 0 None None None 2021-10-18 17:48:09 UTC

Description Dan Winship 2021-08-23 13:29:48 UTC
The restricted endpoints admission controller (which prevents unprivileged users from creating Endpoints pointing into the cluster or service networks) needs to be updated to restrict EndpointSlice admission as well, or else we'll be vulnerable to CVE-2021-25740

Comment 1 Miciah Dashiel Butler Masters 2021-08-30 16:49:43 UTC
*** Bug 1996160 has been marked as a duplicate of this bug. ***

Comment 2 Dan Winship 2021-08-31 14:55:16 UTC
EndpointSlices are more locked-down than Endpoints anyway, so there is no CVE here so this isn't a blocker.

I'm going to slightly rearrange the tangle of bugs to better reflect current reality.
This bug is ONLY about EndpointSlice admission.

Comment 3 Dan Winship 2021-09-20 20:54:41 UTC
The fix merged in 4.9. The associated e2e test hasn't merged yet. Once that merges to 4.10 I'll file a new bug to backport.

Meanwhile, the actual fix can be QE'ed.

https://github.com/openshift/origin/pull/26423/commits/3927b98e5da61c098c24128364fcdb0944093d42#diff-d5ddebcb0e498481b8443be84f9a99e3903384f7dedcd98b22e4d0d5bb79e05dR98-R118 shows what should be tested:

  - by default, project-level admins cannot make any changes to EndpointSlices in their project namespaces

  - if you create a rolebinding giving them "update" permission on EndpointSlices in their namespace,
    then they can change things like the annotations on an EndpointSlice, and they can change one of
    the IPs in an EndpointSlice to an external IP, but they still can't change it to a pod or service
    IP.

Comment 5 zhaozhanqi 2021-09-23 05:53:05 UTC
hi, @danw@redhat.com 

I'm trying to verify this bug on 4.9.0-0.nightly-2021-09-21-215600,  However now normal user cannot change annotations on an EndpointSlice even I gave update rolebinding, see steps:

1.  oc login cluster with normal user testuser-0
2. oc new-project z1 
3. oc create test pod and service by 'oc create -f https://raw.githubusercontent.com/openshift/verification-tests/master/testdata/networking/list_for_pods.json'

4. Check pods and endpointslices

$ oc get pod -n z1 
NAME            READY   STATUS    RESTARTS   AGE
test-rc-nh59s   1/1     Running   0          3h13m
test-rc-xdj8g   1/1     Running   0          3h13m
$ oc get endpointslices.discovery.k8s.io -n z1
NAME                 ADDRESSTYPE   PORTS   ENDPOINTS                 AGE
test-service-2ch9h   IPv4          8080    10.129.2.20,10.128.2.17   3h13m

5. Given rolebinding by admin user

$ oc create role -n z1 endpointslice-edit --verb=update --resource=endpointslices.discovery.k8s.io

$ oc create rolebinding -n z1 user-eps-edit --role=endpointslice-edit --user=testuser-0

6. Now check the rolebinding  with testuser-0

$ oc get role -n z1 endpointslice-edit -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: "2021-09-23T05:28:56Z"
  name: endpointslice-edit
  namespace: z1
  resourceVersion: "464091"
  uid: a122d44a-0164-405a-91e3-c86d587f08c2
rules:
- apiGroups:
  - discovery.k8s.io
  resources:
  - endpointslices
  verbs:
  - update


$ oc get rolebinding -n z1 user-eps-edit -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: "2021-09-23T05:31:20Z"
  name: user-eps-edit
  namespace: z1
  resourceVersion: "464800"
  uid: 95fda5eb-3f2e-4201-a3e6-38e1030b7c2f
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: endpointslice-edit
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: testuser-0


7.  Now edit the endpointslices and add annotate

$ oc annotate endpointslices test-service-2ch9h test2=test2 -n z1
Error from server (Forbidden): endpointslices.discovery.k8s.io "test-service-2ch9h" is forbidden: User "testuser-0" cannot patch resource "endpointslices" in API group "discovery.k8s.io" in the namespace "z1"


please help correct me if above steps is not correct, thanks.

Comment 7 Dan Winship 2021-09-23 18:47:19 UTC
> $ oc create role -n z1 endpointslice-edit --verb=update --resource=endpointslices.discovery.k8s.io

> $ oc annotate endpointslices test-service-2ch9h test2=test2 -n z1
> Error from server (Forbidden): endpointslices.discovery.k8s.io "test-service-2ch9h" is forbidden: User "testuser-0" cannot patch resource "endpointslices" in API group "discovery.k8s.io" in the namespace "z1"

Ah, you gave yourself "update" permission but "oc annotate" does a Patch rather than an Update. Try creating the role with "--verb=update,patch". (Or else use "oc edit" rather than "oc annotate".)

Comment 8 zhaozhanqi 2021-09-27 07:34:10 UTC
Yes, After add patch, it works. 

Move this Verified.

Comment 10 errata-xmlrpc 2021-10-18 17:47:55 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:3759


Note You need to log in before you can comment on or make changes to this bug.