The restricted endpoints admission controller (which prevents unprivileged users from creating Endpoints pointing into the cluster or service networks) needs to be updated to restrict EndpointSlice admission as well, or else we'll be vulnerable to CVE-2021-25740.
*** Bug 1996160 has been marked as a duplicate of this bug. ***
EndpointSlices are more locked-down than Endpoints anyway, so there is no CVE here, so this isn't a blocker.
I'm going to slightly rearrange the tangle of bugs to better reflect current reality.
This bug is ONLY about EndpointSlice admission.
The fix merged in 4.9. The associated e2e test hasn't merged yet. Once that merges to 4.10 I'll file a new bug to backport.
Meanwhile, the actual fix can be QE'ed.
https://github.com/openshift/origin/pull/26423/commits/3927b98e5da61c098c24128364fcdb0944093d42#diff-d5ddebcb0e498481b8443be84f9a99e3903384f7dedcd98b22e4d0d5bb79e05dR98-R118 shows what should be tested:
- by default, project-level admins cannot make any changes to EndpointSlices in their project namespaces
- if you create a rolebinding giving them "update" permission on EndpointSlices in their namespace, then they can change things like the annotations on an EndpointSlice, and they can change one of the IPs in an EndpointSlice to an external IP, but they still can't change it to a pod or service
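The expected results in the list above, modelled as an added example (not code from this thread or from the OpenShift admission controller). The helper `admitSliceUpdate`, the two CIDRs and the non-pod sample addresses are assumptions made for illustration:

```go
package main

import (
	"fmt"
	"net/netip"
)

// Assumed networks for illustration; the bug report does not state them.
var restricted = []netip.Prefix{
	netip.MustParsePrefix("10.128.0.0/14"), // assumed pod (cluster) network
	netip.MustParsePrefix("172.30.0.0/16"), // assumed service network
}

// admitSliceUpdate is a hypothetical helper modelling the expected results:
// addresses already in the old slice are left alone, every newly introduced
// address must lie outside the restricted networks, and an address that
// cannot be parsed is rejected (fail closed).
func admitSliceUpdate(oldAddrs, newAddrs []string) error {
	existing := make(map[netip.Addr]bool)
	for _, a := range oldAddrs {
		if ip, err := netip.ParseAddr(a); err == nil {
			existing[ip.Unmap()] = true
		}
	}
	for _, a := range newAddrs {
		ip, err := netip.ParseAddr(a)
		if err != nil {
			return fmt.Errorf("unparseable endpoint address %q", a)
		}
		ip = ip.Unmap() // treat ::ffff:10.128.2.17 the same as 10.128.2.17
		if existing[ip] {
			continue
		}
		for _, p := range restricted {
			if p.Contains(ip) {
				return fmt.Errorf("address %s is inside restricted network %s", ip, p)
			}
		}
	}
	return nil
}

func main() {
	old := []string{"10.129.2.20", "10.128.2.17"} // pod IPs as in the verification output on this page
	fmt.Println(admitSliceUpdate(old, old))                                   // annotation-only change
	fmt.Println(admitSliceUpdate(old, []string{"10.129.2.20", "192.0.2.10"})) // external IP (constructed)
	fmt.Println(admitSliceUpdate(old, []string{"10.129.2.20", "10.130.0.5"})) // pod network (constructed)
	fmt.Println(admitSliceUpdate(old, []string{"10.129.2.20", "172.30.0.1"})) // service network (constructed)
}
```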
I'm trying to verify this bug on 4.9.0-0.nightly-2021-09-21-215600. However, a normal user now cannot change annotations on an EndpointSlice even though I gave the update rolebinding; see steps:
1. oc login cluster with normal user testuser-0
2. oc new-project z1
3. Create test pod and service with 'oc create -f https://raw.githubusercontent.com/openshift/verification-tests/master/testdata/networking/list_for_pods.json'
4. Check pods and endpointslices
$ oc get pod -n z1
NAME            READY   STATUS    RESTARTS   AGE
test-rc-nh59s   1/1     Running   0          3h13m
test-rc-xdj8g   1/1     Running   0          3h13m
$ oc get endpointslices.discovery.k8s.io -n z1
NAME                 ADDRESSTYPE   PORTS   ENDPOINTS                 AGE
test-service-2ch9h   IPv4          8080    10.129.2.20,10.128.2.17   3h13m
5. Grant the rolebinding as admin user
$ oc create role -n z1 endpointslice-edit --verb=update --resource=endpointslices.discovery.k8s.io
$ oc create rolebinding -n z1 user-eps-edit --role=endpointslice-edit --user=testuser-0
6. Now check the rolebinding with testuser-0
$ oc get role -n z1 endpointslice-edit -o yaml
$ oc get rolebinding -n z1 user-eps-edit -o yaml
- apiGroup: rbac.authorization.k8s.io
7. Now edit the endpointslices and add an annotation
$ oc annotate endpointslices test-service-2ch9h test2=test2 -n z1
Error from server (Forbidden): endpointslices.discovery.k8s.io "test-service-2ch9h" is forbidden: User "testuser-0" cannot patch resource "endpointslices" in API group "discovery.k8s.io" in the namespace "z1"
Please help correct me if the above steps are not correct, thanks.
> $ oc create role -n z1 endpointslice-edit --verb=update --resource=endpointslices.discovery.k8s.io
> $ oc annotate endpointslices test-service-2ch9h test2=test2 -n z1
> Error from server (Forbidden): endpointslices.discovery.k8s.io "test-service-2ch9h" is forbidden: User "testuser-0" cannot patch resource "endpointslices" in API group "discovery.k8s.io" in the namespace "z1"
Ah, you gave yourself "update" permission but "oc annotate" does a Patch rather than an Update. Try creating the role with "--verb=update,patch". (Or else use "oc edit" rather than "oc annotate".)
Yes, after adding patch, it works.
Moving this to Verified.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.