2142902 – Disable Liveness container in csi pods

Bug 2142902 - Disable Liveness container in csi pods

Summary: Disable Liveness container in csi pods

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat OpenShift Data Foundation
Classification:	Red Hat Storage
Component:	rook
Sub Component:
Version:	4.10
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	high
Target Milestone:	---
Target Release:	ODF 4.10.10
Assignee:	Madhu Rajanna
QA Contact:	Daniel Osypenko
Docs Contact:
URL:
Whiteboard:
Depends On:	2142901
Blocks:
TreeView+	depends on / blocked

Reported:	2022-11-15 12:44 UTC by Madhu Rajanna
Modified:	2023-08-09 17:03 UTC (History)
CC List:	9 users (show)
Fixed In Version:	4.10.10-1
Doc Type:	Bug Fix
Doc Text:	Previously, services running without the TLS was problematic if security was the main concern for the customers. This was because a Liveness sidecar container deployed with the CSI pods to check if CSI dirver is responding appropriately or not, was running without TLS. With this fix, Liveness container in all Ceph CSI pods are disabled and as a result, no service is running in Ceph CSI pods without TLS, and one less container in Ceph CSI pods.
Clone Of:	2142901
Environment:
Last Closed:	2023-02-20 15:40:44 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	red-hat-storage rook pull 429	0	None	open	BUG 2142902: csi: disable liveness sidecar by default	2022-11-15 12:48:40 UTC
Red Hat Product Errata	RHBA-2023:0827	0	None	None	None	2023-02-20 15:40:49 UTC

Description Madhu Rajanna 2022-11-15 12:44:45 UTC

+++ This bug was initially created as a clone of Bug #2142901 +++

Description of problem (please be detailed as possible and provide log
snippets):


liveness container in the cephfs provisioner and daemonset pods exposes HTTP ports to serve the metrics endpoints. We have two problems with it

1. The Metrics exposed on the HTTP port without TLS. This will be problematic for the customers as its a security problem
2. No one is consuming these metrics, and it was there only for the debugging purpose, and it was not helpful for the admins/users.

Version of all relevant components (if applicable):


Does this issue impact your ability to continue to work with the product
(please explain in detail what is the user impact)?


Is there any workaround available to the best of your knowledge?

No

Rate from 1 - 5 the complexity of the scenario you performed that caused this
bug (1 - very simple, 5 - very complex)?


Can this issue reproducible?

Yes

Can this issue reproduce from the UI?

Deploy ODF

If this is a regression, please provide more details to justify this:


Steps to Reproduce:
1. Deploy ODF
2. Check liveness container running on csi pods
3. On the node where daemonset pods are running the host port 9080 and 9081 are opened and used.


Expected results:

The liveness sidecar container should be disabled in all csi pods and cephcsi should not use 9080 and 9081 ports on the host.

Additional info:

Comment 6 Madhu Rajanna 2022-12-15 07:58:32 UTC

https://github.com/red-hat-storage/rook/pull/429 is already backported to 4.10

Comment 12 Daniel Osypenko 2023-01-10 09:23:15 UTC

verified that container 'liveness-prometheus' is not running on any csi pod

OC version:
Client Version: 4.12.0-202208031327
Kustomize Version: v4.5.4
Server Version: 4.11.0-0.nightly-2023-01-07-041900
Kubernetes Version: v1.24.6+5658434

OCS verison:
ocs-operator.v4.11.4              OpenShift Container Storage   4.11.4    ocs-operator.v4.11.3              Succeeded

Cluster version
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.11.0-0.nightly-2023-01-07-041900   True        False         9h      Cluster version is 4.11.0-0.nightly-2023-01-07-041900

Rook version:
rook: v4.11.4-0.96e324244ec878d70194179a2892ec7193f6b591
go: go1.17.12

Ceph version:
ceph version 16.2.8-84.el8cp (c2980f2fd700e979d41b4bad2939bb90f0fe435c) pacific (stable)

Comment 20 errata-xmlrpc 2023-02-20 15:40:44 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat OpenShift Data Foundation 4.10.10 Bug Fix Update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:0827

Note You need to log in before you can comment on or make changes to this bug.