Bug 2183659 - Global permission [*] is seen in openshift-virtualization csv file for both cdi-operator and hostpath-provisioner-operator
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Container Native Virtualization (CNV)
Classification: Red Hat
Component: Storage
Version: 4.13.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: 4.14.0
Assignee: Alex Kalenyuk
QA Contact: Debarati Basu-Nag
URL:
Whiteboard:
Depends On:
Blocks: 2237949
Reported: 2023-03-31 23:08 UTC by Debarati Basu-Nag
Modified: 2024-03-08 04:25 UTC (History)
CC: 6 users

Fixed In Version: CNV v4.14.0.rhel9-1854
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 2237949 (view as bug list)
Environment:
Last Closed: 2023-11-08 14:05:27 UTC
Target Upstream Version:
Embargoed:




Links
System                    ID                      Status   Summary                                                     Last Updated
Github                    kubevirt/containerized-data-importer pull 2866   Merged   Audit RBAC, avoid global (*) permissions                    2023-09-27 12:20:36 UTC
Github                    kubevirt/containerized-data-importer pull 2886   Merged   [release-v1.57] Audit RBAC, avoid global (*) permissions    2023-09-13 12:33:45 UTC
Red Hat Issue Tracker     CNV-27685                        -        -                                                           2023-03-31 23:09:30 UTC
Red Hat Product Errata    RHSA-2023:6817                   -        -                                                           2023-11-08 14:05:52 UTC

Comment 2 Debarati Basu-Nag 2023-09-07 22:22:13 UTC
Created a clone for HPP: https://bugzilla.redhat.com/show_bug.cgi?id=2237949

Comment 3 Debarati Basu-Nag 2023-09-12 00:04:22 UTC
@akalenyu I still see the following for the cdi operator:
======================
- apiGroups:
  - cdi.kubevirt.io
  - upload.cdi.kubevirt.io
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - cdi.kubevirt.io
  resources:
  - '*'
  verbs:
  - '*'
======================

This is as of CNV-v4.14.0.rhel9-1911

Comment 4 Alex Kalenyuk 2023-09-12 09:09:39 UTC
(In reply to Debarati Basu-Nag from comment #3)
> @akalenyu I still see the following for the cdi operator:
> ======================
> - apiGroups:
>   - cdi.kubevirt.io
>   - upload.cdi.kubevirt.io
>   resources:
>   - '*'
>   verbs:
>   - '*'
> - apiGroups:
>   - cdi.kubevirt.io
>   resources:
>   - '*'
>   verbs:
>   - '*'
> ======================
> 
> This is as of CNV-v4.14.0.rhel9-1911

Yeah, the * is kept for CDI resources; I think it should be marked as an exception
(CDI can do anything on CDI resources).
I also did this for upstream tests.

Comment 5 Debarati Basu-Nag 2023-09-12 12:57:48 UTC
@akalenyu, my understanding was there would be no global permissions. Can we be explicit about the verbs at least?

Comment 6 Alex Kalenyuk 2023-09-12 13:30:16 UTC
(In reply to Debarati Basu-Nag from comment #5)
> @akalenyu, my understanding was there would be no global
> permissions. Can we be explicit about the verbs at least?

Hmm, do you think there is risk in CDI having global permission for its own resources?

Comment 7 Debarati Basu-Nag 2023-09-12 21:45:15 UTC
Limiting permissions ensures we get a chance to revisit and add permissions back on an `as needed` basis. This is what we are doing for all the operators. I feel this is also a more secure approach.

Comment 8 Alex Kalenyuk 2023-09-13 08:05:09 UTC
(In reply to Debarati Basu-Nag from comment #7)
> Limiting permissions ensures we get a chance to revisit and add permissions
> back on an `as needed` basis. This is what we are doing for all the
> operators. I feel this is also a more secure approach.

This is true, but, by definition, CDI works on all custom cdi.kubevirt.io resources and is allowed to do anything
on them. Keeping a specific list here doesn't make sense IMO.

Comment 9 dalia 2023-09-13 12:37:33 UTC
This PR cleans up RBAC permissions, and we would like to have it in 4.14; please approve blocker.

Comment 10 Adam Litke 2023-09-27 18:26:32 UTC
*** Bug 2237949 has been marked as a duplicate of this bug. ***

Comment 11 Debarati Basu-Nag 2023-09-30 12:34:31 UTC
Validated against CNV-v4.14.0.rhel9-2121.
I still see the following entries for hostpathprovisioner:
================================================
- apiGroups:
  - ''
  resources:
  - persistentvolumes
  verbs:
  - '*'
- apiGroups:
  - hostpathprovisioner.kubevirt.io
  resources:
  - '*'
  verbs:
  - '*'
permission:
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - '*'
- apiGroups:
  - storage.k8s.io
  resources:
  - csistoragecapacities
  verbs:
  - '*'

========================
The following are still seen for CDI:
========================
cluster_permission:
- apiGroups:
  - cdi.kubevirt.io
  - upload.cdi.kubevirt.io
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - cdi.kubevirt.io
  resources:
  - '*'
  verbs:
  - '*'

Comment 12 Debarati Basu-Nag 2023-09-30 12:35:21 UTC
Accidentally marked it as verified before.

Comment 13 Alex Kalenyuk 2023-10-01 07:44:00 UTC
(In reply to Debarati Basu-Nag from comment #11)
> Validated against CNV-v4.14.0.rhel9-2121.
> I still see the following entries for hostpathprovisioner:
> ================================================
> - apiGroups:
>   - ''
>   resources:
>   - persistentvolumes
>   verbs:
>   - '*'
> - apiGroups:
>   - hostpathprovisioner.kubevirt.io
>   resources:
>   - '*'
>   verbs:
>   - '*'
> permission:
> - apiGroups:
>   - coordination.k8s.io
>   resources:
>   - leases
>   verbs:
>   - '*'
> - apiGroups:
>   - storage.k8s.io
>   resources:
>   - csistoragecapacities
>   verbs:
>   - '*'
> 
> ========================
We created a clone for HPP:
https://bugzilla.redhat.com/show_bug.cgi?id=2183659#c2

> The following are still seen for CDI:
> ========================
> cluster_permission:
> - apiGroups:
>   - cdi.kubevirt.io
>   - upload.cdi.kubevirt.io
>   resources:
>   - '*'
>   verbs:
>   - '*'
> - apiGroups:
>   - cdi.kubevirt.io
>   resources:
>   - '*'
>   verbs:
>   - '*'


See my reply https://bugzilla.redhat.com/show_bug.cgi?id=2183659#c8:
by definition, CDI controllers can do anything on CDI resources.

Comment 17 Debarati Basu-Nag 2023-10-06 15:00:03 UTC
Verified, based on the above comment. Will whitelist the following:
========
cluster_permission:
- apiGroups:
  - cdi.kubevirt.io
  - upload.cdi.kubevirt.io
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - cdi.kubevirt.io
  resources:
  - '*'
  verbs:
  - '*'
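
The outcome of this thread (wildcard grants removed, except where an operator owns the API group outright) is a rule an audit script can enforce so the check does not depend on reading CSV files by hand. The script below is an added example, not code from this bug or from the CDI or hostpath-provisioner projects. It walks RBAC rules shaped like the CSV `permissions` / `clusterPermissions` entries quoted in comment 11, embedded here as constructed Python data rather than parsed from YAML so it runs offline, and reports every wildcard grant that is not covered by an explicit allow-list of owned API groups. The allow-list contents, the `Finding` structure and the function names are assumptions of the example.

```python
"""Audit operator RBAC rules for wildcard grants, with an explicit
allow-list of accepted exceptions (an operator owning its own API groups)."""
from dataclasses import dataclass
from typing import Iterable

# Constructed sample data: these rule lists mirror the CSV entries quoted in
# comment 11 of the bug, written as Python dicts instead of YAML so the
# example needs no YAML parser.
CDI_CLUSTER_PERMISSIONS = [
    {"apiGroups": ["cdi.kubevirt.io", "upload.cdi.kubevirt.io"],
     "resources": ["*"], "verbs": ["*"]},
    {"apiGroups": ["cdi.kubevirt.io"], "resources": ["*"], "verbs": ["*"]},
]
HPP_CLUSTER_PERMISSIONS = [
    {"apiGroups": [""], "resources": ["persistentvolumes"], "verbs": ["*"]},
    {"apiGroups": ["hostpathprovisioner.kubevirt.io"],
     "resources": ["*"], "verbs": ["*"]},
]
HPP_PERMISSIONS = [
    {"apiGroups": ["coordination.k8s.io"], "resources": ["leases"], "verbs": ["*"]},
    {"apiGroups": ["storage.k8s.io"], "resources": ["csistoragecapacities"],
     "verbs": ["*"]},
]

# Assumed allow-list: API groups the operator owns outright, where a wildcard
# on its own resources is accepted (the exception agreed for CDI in comment 17).
OWNED_API_GROUPS = frozenset({"cdi.kubevirt.io", "upload.cdi.kubevirt.io"})


@dataclass(frozen=True)
class Finding:
    scope: str        # "clusterPermissions" or "permissions"
    api_group: str    # the core group "" is reported as "(core)"
    resources: tuple
    verbs: tuple
    reason: str


def wildcard_fields(rule: dict) -> list:
    """Names of the rule fields (resources, verbs) that contain '*'."""
    return [f for f in ("resources", "verbs") if "*" in rule.get(f, [])]


def audit_rules(rules: Iterable[dict], scope: str,
                owned_groups: frozenset = OWNED_API_GROUPS) -> list:
    """Return one Finding per (rule, apiGroup) pair that grants a wildcard
    outside the allow-list. A wildcard apiGroup is always reported, since
    no operator owns every API group."""
    findings = []
    for rule in rules:
        fields = wildcard_fields(rule)
        for group in rule.get("apiGroups", []):
            if group == "*":
                reason = "wildcard apiGroup"
            elif group in owned_groups or not fields:
                continue  # owned group, or no wildcard in this rule at all
            else:
                reason = "wildcard " + " and ".join(fields)
            findings.append(Finding(scope, group or "(core)",
                                    tuple(rule.get("resources", [])),
                                    tuple(rule.get("verbs", [])), reason))
    return findings


def audit_csv_rbac(cluster_permissions, permissions,
                   owned_groups=OWNED_API_GROUPS) -> list:
    """Audit both RBAC sections of a CSV-style operator definition."""
    return (audit_rules(cluster_permissions, "clusterPermissions", owned_groups)
            + audit_rules(permissions, "permissions", owned_groups))


if __name__ == "__main__":
    operators = (
        ("cdi-operator", CDI_CLUSTER_PERMISSIONS, []),
        ("hostpath-provisioner-operator", HPP_CLUSTER_PERMISSIONS, HPP_PERMISSIONS),
    )
    for name, cluster, namespaced in operators:
        found = audit_csv_rbac(cluster, namespaced)
        print(f"{name}: {len(found)} wildcard grant(s) outside the allow-list")
        for f in found:
            print(f"  [{f.scope}] group={f.api_group} resources={list(f.resources)} "
                  f"verbs={list(f.verbs)}: {f.reason}")
```

Run as a script, the CDI rules produce no findings because both groups are on the allow-list, while the hostpath-provisioner rules produce four: the core-group `persistentvolumes` rule and the two namespaced rules each carry a wildcard verb list, and the `hostpathprovisioner.kubevirt.io` rule carries wildcards for both resources and verbs. Extending `owned_groups` with `hostpathprovisioner.kubevirt.io` is how one would record the same owned-group exception for HPP that this bug records for CDI, leaving the three rules on foreign API groups as the items to revisit.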

Comment 20 errata-xmlrpc 2023-11-08 14:05:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: OpenShift Virtualization 4.14.0 Images security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:6817

Comment 21 Red Hat Bugzilla 2024-03-08 04:25:38 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days.

