OCPBUGS-8347: Disable the check for scheduler's bind-address option, the option was removed from newer kuber versions #10377
Conversation
…the option was removed from newer kuber versions
The `scheduler_no_bind_address` option concerns exposing port 10251/TCP
of the scheduler to any other interface than localhost using the
bind-address parameter. The healthz service was running unauthenticated
on that port, so it was important that it is not bound to outside facing
interfaces.
However, the unsecure port option was removed completely in Kube
versions starting with 1.23:
https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.23.md#deprecation
which means that the bind-address parameter is now safe to use.
And because OCP 4.9 is the last one to use kube 1.22:
https://access.redhat.com/solutions/4870701
and because OCP 4.8 is the oldest supported now, we can restrict this
rule to OCP 4.8 and 4.9.
jhrozek
force-pushed
the
bind-address-disable
branch
from
705d9e1
to
778fae2
Compare
|
Start a new ephemeral environment with changes proposed in this pull request: Fedora Environment Oracle Linux 8 Environment |
|
Code Climate has analyzed commit 778fae2 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 51.9% (0.0% change). View more on Code Climate. |
|
/test e2e-aws-ocp4-cis |
|
/test help |
|
@jhrozek: The specified target(s) for
Use
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/test e2e-aws-ocp4-cis |
|
/test e2e-aws-ocp4-cis-node |
Description:
scheduler_no_bind_addresson OCP releases where it can actually detect a security issueRationale:
The
scheduler_no_bind_addressoption concerns exposing port 10251/TCPof the scheduler to any other interface than localhost using the
bind-address parameter. The healthz service was running unauthenticated
on that port, so it was important that it is not bound to outside facing
interfaces.
However, the unsecure port option was removed completely in Kube
versions starting with 1.23:
https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.23.md#deprecation
which means that the bind-address parameter is now safe to use.
And because OCP 4.9 is the last one to use kube 1.22:
https://access.redhat.com/solutions/4870701
and because OCP 4.8 is the oldest supported now, we can restrict this
rule to OCP 4.8 and 4.9.
Review Hints: