THREESCALE 9308 HeadCrab Vulnerability (Redis)

[valerymo]

Jira: https://issues.redhat.com/browse/THREESCALE-9308

This PR is recreated from #954, that was closed because of significant changes in master

• Current PR is intended to prevent redis replication and slaves creation to prevent HeadCrab Vulnerability.
• for Internal Redis Only.
• If Redis is Internal than following records are added to configuration to disable replicaoff and slaveoff redis cli commands:
  rename-command REPLICAOF ""
  rename-command SLAVEOF ""
• If both or one of these rename-command records removed or not found in redis-config config map - controller will restore them.
• PR does not prevent changes to other settings in the reids configuration (not REPLICAOF or SLAVEOF)

Tests Preparation - files

• s3-creds-secret.yaml

kind: Secret
apiVersion: v1
metadata: 
  name: s3-credentials
  namespace: 3scale-test
data: 
  AWS_ACCESS_KEY_ID: QUtJQVY2SVcccc
  AWS_SECRET_ACCESS_KEY: aU5VbWdZY3hjSDFccc
  AWS_BUCKET: dm1vY2NzZjZxOGxyZWRoYXRyaGccccc
  AWS_REGION: ZXUtd2Vcccc
type: Opaque

• apimanagerCR.yaml

apiVersion: apps.3scale.net/v1alpha1
kind: APIManager
metadata:
  name: example-apimanager
spec:
  system: 
    fileStorage: 
      simpleStorageService: 
        configurationSecretRef: 
          name: s3-credentials
  wildcardDomain: apps.xxxxxx.axxxx.xxx.xxxxx.org

Validation

• get this PR

cd .../3scale-operator and run 3scale installation:

make install
oc new-project 3scale-test
make download
make run

• in another xterm:

oc apply -f s3-creds-secret.yaml
oc apply -f apimanagerCR.yaml

• Check that redis-config ConfigMap has required changes:

$ oc describe cm redis-config |grep rename-command
rename-command REPLICAOF ""
rename-command SLAVEOF ""

• Check that replicaof and slaveof commands are disabled.
  Expected behavior as in example below

kubectl exec -ti $(kubectl get pods -l deployment=backend-redis -o name) -- /bin/bash
bash-4.2$ redis-cli 
127.0.0.1:6379> replicaof 10.10.10.10 6379
(error) ERR unknown command `replicaof`, with args beginning with: `10.10.10.10`, `6379`,
127.0.0.1:6379> replicaof
(error) ERR unknown command `replicaof`, with args beginning with: 
127.0.0.1:6379> slaveof
(error) ERR unknown command `slaveof`, with args beginning with: 
127.0.0.1:6379> 

Notes: Internally, within redis system, the slaveof and replicaof commands will be disabled.
So the only way to enable it would be changing the configuration
See next item - that operator is controllilng redis-config config map and will restore records that prevening HeadCrab Vulnerability.

• Check that redis-config config map changes are reverted

  • Edit config map - delete rename-command REPLICAOF "" or/and rename-command SLAVEOF ""

  $ oc edit cm redis-config
  ......
  ......
  // delete these lines
    rename-command REPLICAOF ""
    rename-command SLAVEOF ""
  

  $ oc edit cm redis-config
  configmap/redis-config edited
  

  • Check configMap and see that these lines are exists (reconsiler reverted configmap)

  rename-command REPLICAOF ""
  rename-command SLAVEOF ""
  .....
  Events:  <none>
  $ oc describe cm redis-config
  

Check Upgrade

Following validation was done

• Create Images/Indexes for master and for branch of PR

• Install master ; check that redis-config CM does Not contain rename-command for REPLICAOF and SLAVEOF

$ oc describe cm redis-config |grep rename-com

• Do upgrade and check that Redis configuration was updated, new records added:

$ oc describe cm redis-config |grep rename-com
rename-command REPLICAOF ""
rename-command SLAVEOF ""

Regression testing

PR does not prevent changes to other settings in the reids configuration (not REPLICAOF or SLAVEOF)
Make sure it works as expected:

• edit the redis-config configuration map, edit one or more entries/definitions.
• describe the redis-config configuration map and make sure the changes are in place.

Wrong formatting of redis configuration
In Redis, if the configuration file (redis.conf) contains a setting with an incorrect name or syntax, Redis will typically treat it as an error. Redis expects the configuration file to be correctly formatted with valid configuration directives.
If there's a typo or an unrecognized setting name in the configuration file, Redis will log an error when starting up. - -- try change one or rename-command or other settings name, or add something liketest in redis-config config map. Expected behavior:

$ oc edit cm redis-config
....
    dir /var/lib/redis/data
    xxxrename-command SLAVEOF ""
    xxxrename-command REPLICAOF ""
kind: ConfigMap
metadata:
.......
$ oc edit cm redis-config
configmap/redis-config edited

$ oc get pod |grep redis
backend-redis-6fcbd5964f-tnp7n           0/1     CrashLoopBackOff   1 (5s ago)    6s
system-redis-77bbb6f955-d9nxs            0/1     CrashLoopBackOff   1 (5s ago)    6s

$ oc logs backend-redis-6fcbd5964f-tnp7n
*** FATAL CONFIG FILE ERROR (Redis 6.2.7) ***
Reading the configuration file, at line 47
>>> 'xxxrename-command SLAVEOF ""'
Bad directive or wrong number of arguments
$ 

• restore changed settings:

    rename-command SLAVEOF ""
    rename-command REPLICAOF ""
kind: ConfigMap
metadata:
  creationTimestamp: "2024-04-08T16:07:40Z"
$ oc edit cm redis-config
configmap/redis-config edited

$ oc get pod |grep redis
backend-redis-59bd88f884-4tvrk           1/1     Running            0             39s
system-redis-549598d55b-nk9lr            1/1     Running            0             38s

[valerymo]

• Local Fresh install TEST

$ oc get pod  |grep redis
backend-redis-76c9c446cc-6hrsj           1/1     Running     0               4m35s
system-redis-68857df9c7-zgfr2            1/1     Running     0               4m33s

$ oc rsh backend-redis-76c9c446cc-6hrsj
sh-5.1$ redis-cli
127.0.0.1:6379> replicaof
(error) ERR unknown command `replicaof`, with args beginning with: 
127.0.0.1:6379> replicaof 10.10.10.10 6379
(error) ERR unknown command `replicaof`, with args beginning with: `10.10.10.10`, `6379`, 
127.0.0.1:6379> slaveof
(error) ERR unknown command `slaveof`, with args beginning with: 
127.0.0.1:6379> 
......

$ oc rsh system-redis-68857df9c7-zgfr2
sh-5.1$ redis-cli
127.0.0.1:6379> replicaof
(error) ERR unknown command `replicaof`, with args beginning with: 
127.0.0.1:6379> slaveof
(error) ERR unknown command `slaveof`, with args beginning with: 
127.0.0.1:6379>
.....

• regarding comment in old PR 954 possible redeployment of redis pod in Local Fresh install

Looks like it happens for redis-system:
Below is log for fresh local install

$ oc rollout history deploy backend-redis
deployment.apps/backend-redis 
REVISION  CHANGE-CAUSE
1         <none>

$ oc rollout history deploy system-redis 
deployment.apps/system-redis 
REVISION  CHANGE-CAUSE
1         <none>
2         <none>

[valerymo]

Applied and tested: https://github.com/valerymo/3scale-operator/pull/5/files -
to avoid redeployment of redis pod in fresh installation.
(Changed applied manually; not git merge)

$ oc rollout history deploy backend-redis
deployment.apps/backend-redis 
REVISION  CHANGE-CAUSE
1         <none>

$ oc rollout history deploy system-redis
deployment.apps/system-redis 
REVISION  CHANGE-CAUSE
1         <none>

$ oc get pod |grep redis
backend-redis-6c69fd9bf9-925xg           1/1     Running     0               4m7s
system-redis-745b655b47-flk7r            1/1     Running     0               4m7s

$ oc rsh backend-redis-6c69fd9bf9-925xg
sh-5.1$ redis-cli
127.0.0.1:6379> slaveof
(error) ERR unknown command `slaveof`, with args beginning with: 
127.0.0.1:6379> replicaof 10.10.10.10 6379
(error) ERR unknown command `replicaof`, with args beginning with: `10.10.10.10`, `6379`, 
127.0.0.1:6379> replicaof
(error) ERR unknown command `replicaof`, with args beginning with: 
127.0.0.1:6379> slaveof
(error) ERR unknown command `slaveof`, with args beginning with: 
127.0.0.1:6379> 

[valerymo]

TODO - retest Upgrade from 2.14 to PR

[MStokluska]

I think this needs to be:
existingString = existingString + "\n" + <RENAME_COMMAND> in both, REPLICAOF and SLAVEOF.
Otherwise we are going to need 2 reconciles for both to be applied if both are missing.

[eguzki]

make these changes in another PR, please. They are not related to this PR issue

[eguzki]

this is my own leftoever, can you please remove it? thnx

[eguzki]

I will leave this up to you. I would not do this. I would not "modify" a file concatenating strings. It's error prone. If the rename-command REPLICAOF \"\" is not there, the file is invalid and hence, the operator updates it entirely.

[briangallagher]

the idea was to append to the existing config if not present rather than fully replace it. This allows for a custom configuration to continue. It's not clear from the documentation if edits to the configuration are allowed / supported but we don't prevent a user from doing so, so we can assume at least some customers have done so.

[eguzki]

LGTM then

[eguzki]

out of interest, what is this doing?