Bug 2037483 - Rbacs for Pods within the CBO should be more restrictive
Summary: Rbacs for Pods within the CBO should be more restrictive
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Bare Metal Hardware Provisioning
Version: 4.10
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 4.10.0
Assignee: sdasu
QA Contact: Jad Haj Yahya
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-01-05 17:21 UTC by sdasu
Modified: 2022-03-30 17:09 UTC
2 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-03-10 16:37:12 UTC
Target Upstream Version:
Embargoed:

Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | openshift cluster-baremetal-operator pull 227 | 0 | None | open | Bug 2037483: Allow CBO to list Pods in the openshift-machine-api namespace | 2022-01-05 17:29:29 UTC
Red Hat Product Errata | RHSA-2022:0056 | 0 | None | None | None | 2022-03-10 16:37:22 UTC

Description sdasu 2022-01-05 17:21:15 UTC
Description of problem:
A recent fix to the CBO gave CBO the permission to list and get pods in every namespace. CBO only needs to do that for Pods within the openshift-machine-api namespace.
Expected results:
CBO can list, get and watch Pods only in the openshift-machine-api namespace.

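The description above states the fault in RBAC terms: a "pods get/list" rule carried by a ClusterRole and bound with a ClusterRoleBinding applies in every namespace, so the operator's service account could read pods cluster-wide when it only needs the ones beside it in openshift-machine-api. The manifests below are an added illustration, not the CBO repository's own manifests or the content of PR 227: the over-broad grant (before) beside a namespaced Role and RoleBinding (after) that grant the same verbs only in openshift-machine-api. The object names cbo-pods-too-broad and cluster-baremetal-operator-pods are made up for the example; the service account name and namespace are the ones the bug discusses.

```yaml
# Added example, not the CBO project's manifests. Object names are assumptions.
#
# BEFORE: a ClusterRole + ClusterRoleBinding. The authorizer matches this rule
# for a pods request in ANY namespace, so the SA can list pods cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cbo-pods-too-broad            # hypothetical name
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cbo-pods-too-broad            # hypothetical name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cbo-pods-too-broad
subjects:
- kind: ServiceAccount
  name: cluster-baremetal-operator
  namespace: openshift-machine-api
---
# AFTER: a namespaced Role + RoleBinding created in openshift-machine-api.
# Same verbs, but the binding only applies to requests whose namespace is
# openshift-machine-api; "oc get pods -n default" as this SA is Forbidden.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cluster-baremetal-operator-pods   # hypothetical name
  namespace: openshift-machine-api
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cluster-baremetal-operator-pods   # hypothetical name
  namespace: openshift-machine-api
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cluster-baremetal-operator-pods
subjects:
- kind: ServiceAccount
  name: cluster-baremetal-operator
  namespace: openshift-machine-api
```

Two points worth checking when applying or reviewing a fix of this shape. First, a RoleBinding may reference a ClusterRole instead of a Role; that still confines the grant to the binding's namespace, so a shared ClusterRole bound per namespace is an equally valid fix, whereas a ClusterRoleBinding always applies cluster-wide no matter how narrow the role looks. Second, the scope can be verified without extracting the service account token (the method used in the comments on this bug): `oc auth can-i list pods -n default --as=system:serviceaccount:openshift-machine-api:cluster-baremetal-operator` should answer `no`, and the same command with `-n openshift-machine-api` should answer `yes`; impersonation with `--as` needs a caller that holds `impersonate` rights, such as a cluster-admin.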
Comment 3 Jad Haj Yahya 2022-01-16 11:18:28 UTC
@sdasu Hey,

How can I reproduce/verify this BZ?

Comment 4 Jad Haj Yahya 2022-01-16 14:48:08 UTC
@sdasu

I used the following process to verify that the cluster-baremetal-operator serviceaccount cannot see pods from namespaces other than openshift-machine-api:


oc describe sa cluster-baremetal-operator -n openshift-machine-api
oc describe secrets cluster-baremetal-operator-token-dxwtx -n openshift-machine-api
oc login --token=eyJhbGciOiJSU.....

oc get pods
Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:openshift-machine-api:cluster-baremetal-operator" cannot list resource "pods" in API group "" in the namespace "default"

oc get pods -n openshift-machine-api
NAME                                           READY   STATUS    RESTARTS        AGE
cluster-autoscaler-operator-6fb8fc5cbb-sbd4d   2/2     Running   1 (3d20h ago)   3d20h
cluster-baremetal-operator-5d58dbc94c-jfflr    2/2     Running   2 (3d20h ago)   3d20h
machine-api-controllers-54b8ff44c8-jwtqx       7/7     Running   0               3d20h
machine-api-operator-57648b678d-frrfq          2/2     Running   1 (3d20h ago)   3d20h
metal3-6db6ff88df-2klvh                        7/7     Running   0               3d20h
metal3-image-cache-4kvp6                       1/1     Running   0               3d20h
metal3-image-cache-fspq9                       1/1     Running   0               3d20h
metal3-image-cache-gj9mr                       1/1     Running   0               3d20h
metal3-image-customization-6745d749b8-vdgsm


please confirm

Comment 5 Jad Haj Yahya 2022-01-17 06:10:07 UTC
Verified with the 4.10.0-0.nightly-2022-01-11-065245 release using the above steps.

Comment 8 errata-xmlrpc 2022-03-10 16:37:12 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056

Comment 9 sdasu 2022-03-30 17:09:43 UTC
(In reply to Jad Haj Yahya from comment #4)
> @sdasu
> 
> I used the following process to verify that the cluster-baremetal-operator
> serviceaccount cannot see pods from namespaces other than
> openshift-machine-api:
> 
> 
> oc describe sa cluster-baremetal-operator -n openshift-machine-api
> oc describe secrets cluster-baremetal-operator-token-dxwtx -n openshift-machine-api
> oc login --token=eyJhbGciOiJSU.....
> 
> oc get pods
> Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:openshift-machine-api:cluster-baremetal-operator" cannot list resource "pods" in API group "" in the namespace "default"
> 
> oc get pods -n openshift-machine-api
> NAME                                           READY   STATUS    RESTARTS        AGE
> cluster-autoscaler-operator-6fb8fc5cbb-sbd4d   2/2     Running   1 (3d20h ago)   3d20h
> cluster-baremetal-operator-5d58dbc94c-jfflr    2/2     Running   2 (3d20h ago)   3d20h
> machine-api-controllers-54b8ff44c8-jwtqx       7/7     Running   0               3d20h
> machine-api-operator-57648b678d-frrfq          2/2     Running   1 (3d20h ago)   3d20h
> metal3-6db6ff88df-2klvh                        7/7     Running   0               3d20h
> metal3-image-cache-4kvp6                       1/1     Running   0               3d20h
> metal3-image-cache-fspq9                       1/1     Running   0               3d20h
> metal3-image-cache-gj9mr                       1/1     Running   0               3d20h
> metal3-image-customization-6745d749b8-vdgsm
> 
> 
> please confirm

Yes, that is correct.

