New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OCPBUGS-8347: Disable the check for scheduler's bind-address option, the option was removed from newer kuber versions #10377
Conversation
…the option was removed from newer kuber versions The `scheduler_no_bind_address` option concerns exposing port 10251/TCP of the scheduler to any other interface than localhost using the bind-address parameter. The healthz service was running unauthenticated on that port, so it was important that it is not bound to outside facing interfaces. However, the unsecure port option was removed completely in Kube versions starting with 1.23: https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.23.md#deprecation which means that the bind-address parameter is now safe to use. And because OCP 4.9 is the last one to use kube 1.22: https://access.redhat.com/solutions/4870701 and because OCP 4.8 is the oldest supported now, we can restrict this rule to OCP 4.8 and 4.9.
705d9e1
to
778fae2
Compare
Code Climate has analyzed commit 778fae2 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 51.9% (0.0% change). View more on Code Climate. |
/test e2e-aws-ocp4-cis |
/test help |
@jhrozek: The specified target(s) for
Use
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/test e2e-aws-ocp4-cis |
/test e2e-aws-ocp4-cis-node |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
Description:
scheduler_no_bind_address
on OCP releases where it can actually detect a security issueRationale:
The
scheduler_no_bind_address
option concerns exposing port 10251/TCPof the scheduler to any other interface than localhost using the
bind-address parameter. The healthz service was running unauthenticated
on that port, so it was important that it is not bound to outside facing
interfaces.
However, the unsecure port option was removed completely in Kube
versions starting with 1.23:
https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.23.md#deprecation
which means that the bind-address parameter is now safe to use.
And because OCP 4.9 is the last one to use kube 1.22:
https://access.redhat.com/solutions/4870701
and because OCP 4.8 is the oldest supported now, we can restrict this
rule to OCP 4.8 and 4.9.
Review Hints: