Disable externalIP by default #7810
Conversation
|
[test] |
smarterclayton
force-pushed
the
secure_external_ip
branch
from
17d2acd
to
c7e2803
Compare
|
This should go upstream for 1.3 |
|
We built a way to configure admission plugins, why wouldn't we choose to use it for this? |
| @@ -325,6 +325,9 @@ type MasterNetworkConfig struct { | |||
| ClusterNetworkCIDR string | |||
| HostSubnetLength uint | |||
| ServiceNetworkCIDR string | |||
| // ExternalIPNetworkCIDR controls what values are acceptable for the service external IP field. If empty, no externalIP | |||
There was a problem hiding this comment.
That's a strange way to deal with empty string and it makes it impossible to default to existing behavior, doesn't it?
If you moved this to the admission config section, then no config means "allow all" (existing behavior) and config with empty string can mean "restrict all". That seems to be more intuitive.
There was a problem hiding this comment.
ExternalIP is a fundamental behavior of the system - by default today it is
insecure. Config per admission control is modeled correctly for admission
controllers that are not a core part of the platform, but is not the right
model for usability or discoverability when it's a core platform feature.
The place admins will look for this control is in the MasterNetworkConfig
because it is comparable to ServiceCIDR and ClusterCIDR, defining the
acceptable range. We will eventually move this into a flag on apiserver
and do the same validation, when we do, the config should come from our
core object, not an admission controller.
ExternalIP is a security risk, and we cannot ship with it enabled by
default, therefore we must disable by default, and existing users will be
broken. We cannot allow through inaction for users to have a vulnerability
here. Release notes will be updated
openshift/openshift-docs#1700
On Mon, Mar 7, 2016 at 6:53 AM, David Eads notifications@github.com wrote:
In pkg/cmd/server/api/types.go
#7810 (comment):@@ -325,6 +325,9 @@ type MasterNetworkConfig struct {
ClusterNetworkCIDR string
HostSubnetLength uint
ServiceNetworkCIDR string
- // ExternalIPNetworkCIDR controls what values are acceptable for the service external IP field. If empty, no externalIP
That's a strange way to deal with empty string and it makes it impossible
to default to existing behavior, doesn't it?If you moved this to the admission config section, then no config means
"allow all" (existing behavior) and config with empty string can mean
"restrict all". That seems to be more intuitive.—
Reply to this email directly or view it on GitHub
https://github.com/openshift/origin/pull/7810/files#r55198749.
There was a problem hiding this comment.
ExternalIP is a security risk, and we cannot ship with it enabled by
default, therefore we must disable by default, and existing users will be
broken. We cannot allow through inaction for users to have a vulnerability
here. Release notes will be updated
openshift/openshift-docs#1700
@liggitt @sdodson We'll probably get questions about this.
@sosiouxme Can you add a diagnostic check that looks at this setting, the openshift level, and the current services to find ones that violate this? We can't do it client-side because we don't know the CIDR client-side.
@smarterclayton Be careful with this implementation. As written, I think you'll make any controller that updates status end up having to deal with rejections. Also, this makes wiring external services hard for end users because they don't know ahead of time what the CIDR is. It also means we can't show them problems in oc status.
|
I really like the purpose of the patch, but @deads2k raises some good points. |
|
ExternalIPCIDR as a concept makes 0 sense. These are IP addresses assigned to hosts. The idea that some 'range' is valid is non-nonsensical... While I agree that we should prevent normal users from using externalIPs by default, this is exactly the same problem as hostNetwork. And while this is a different object, I think it should be solved the same way.... |
|
Let me elaborate on the 'makes 0 sense'. These are IP addresses that exist on the REAL network and are assigned to the REAL hardware (or virtual hardware). Unlike the other concepts which are sets of addresses that WE define, apply, and manage virtually. A list of ExternalIPCIDRs might make some sense. (Or a list/CIDR per node might make sense). Such a solution would reduce the impact of ExternalIP services getting in the way of command and control traffic. But has little likehood to benefit HostNetwork implications. The same IPs that you would want/expect HostNetwork pods to be able to use are (except maybe in an amazing contrived enviornment) the same IPs that ExternalIP services are going to want to use. I don't see how we can ever make that 'better'... None of this changes the fact that we should disable ExternalIP by default for everyone... |
smarterclayton
force-pushed
the
secure_external_ip
branch
from
c7e2803
to
1424e2c
Compare
|
@deads2k updated with validation and slightly broadened tests |
|
This is a new one https://ci.openshift.redhat.com/jenkins/job/test_pull_requests_origin/12419/console@mrunalp, related to our cgroup thing or something new? |
|
@smarterclayton This one may not be directly related even though it looks like a timing issue. It could even be a kernel bug :/ I will look into it further. |
|
Related upstream issue moby/moby#17653 |
|
Looking some more, this is happening on systemd enabled systems. I will follow up with systemd devs to help figure out why this could be happening. |
|
@smarterclayton I'd like to see a response to #7810 (comment). The restriction of pointing a service to something external seems reasonable on the face of it, but why not a list as he suggests? Reading his comment actually made me wonder if we want a blacklist as well. |
|
|
||
| // Admit determines if the service should be admitted based on the configured network CIDR. | ||
| func (r *externalIPRanger) Admit(a kadmission.Attributes) error { | ||
| if a.GetResource() != kapi.Resource("services") { |
There was a problem hiding this comment.
I don't think you want to match on subresources. We should really update the Handler to do what we want.
|
I'm fine with a list, and maybe blacklist, the original goal was to keep On Tue, Mar 8, 2016 at 7:57 AM, David Eads notifications@github.com wrote:
|
smarterclayton
force-pushed
the
secure_external_ip
branch
2 times, most recently
from
5451f23
to
8ef1624
Compare
|
Made it a slice of strings, some of which can have ! |
| @@ -347,6 +347,11 @@ type MasterNetworkConfig struct { | |||
| ClusterNetworkCIDR string | |||
| HostSubnetLength uint | |||
| ServiceNetworkCIDR string | |||
| // ExternalIPNetworkCIDRs controls what values are acceptable for the service external IP field. If empty, no externalIP | |||
| // may be set. It may contain a comma-delimited list of CIDRs which are checked for access. If a CIDR is prefixed with !, | |||
There was a problem hiding this comment.
"comma-delimited"? Bad comment? Looks like a slice.
|
Description has some stale information. lgtm otherwise. |
smarterclayton
force-pushed
the
secure_external_ip
branch
from
8ef1624
to
1f89870
Compare
|
Updated, [merge] |
Allow IP to be set if the admin sets a CIDR. No controls yet on who can set out of the range. Could be on a limitranger.
smarterclayton
force-pushed
the
secure_external_ip
branch
from
1f89870
to
290ade0
Compare
|
Evaluated for origin test up to 290ade0 |
|
continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/2195/) |
|
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/2195/) (Image: devenv-rhel7_3750) |
|
Evaluated for origin merge up to 290ade0 |
|
[merge] On Wed, Mar 16, 2016 at 12:36 PM, OpenShift Bot notifications@github.com
|
Merged by openshift-bot
Allow IP to be set if the admin sets a CIDR. No controls yet on who can
set out of the range. Could be on a limitranger.
Fixes #7808
@derekwaynecarr @deads2k @knobunc this closes the potential security hole for online