Bug 1759182: Block all externalIPs by default #714
Conversation
|
@abhat: This pull request references Bugzilla bug 1759182, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
openshift-ci-robot
added
bugzilla/valid-bug
abhat
force-pushed
the
block_externalips
branch
from
b816cf8
to
e6ef615
Compare
|
/retest |
|
/test e2e-aws-operator |
|
/test e2e-aws |
|
/test e2e-aws-upgrade |
|
So what's the deal with this vs openshift/origin#24390 ? Are they both needed? |
|
Yes, this one is the actual change that will create the ExternalIPRangerAdmissionConfig. The other origin PR only fixes the typo for the module on which the Install method is called. |
|
/hold |
openshift-ci-robot
added
do-not-merge/hold
abhat
force-pushed
the
block_externalips
branch
from
8c4f36f
to
84a2037
Compare
|
/test e2e-aws-operator |
|
Looks good to me. It needs some peer from sdn team to lgtm. |
|
/lgtm |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: abhat, danwinship, sttts The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci-robot
added
the
approved
|
/hold cancel |
openshift-ci-robot
removed
the
do-not-merge/hold
|
https://bugzilla.redhat.com/show_bug.cgi?id=1759182#c12 indicates verification did not pass yet. |
|
Right, I am trying to root cause why the |
|
At this point we are only accepting critical bug fixes for 4.1. This does not seem to meet that target, do you want to close it (and the BZ) or make a case for why it is critical? |
bparees
added
the
priority/awaiting-more-evidence
|
There is a security implication associated with this bug. In 4.1, we didn't have a field in the spec for ExternalIPCIDR, which meant that an arbitrary non-admin user can set external IP on services to any arbitrary IP. We plugged part of the hole by adding a custom RBAC checker. But for the RBAC checker to be "effective" we need this change. IMO, it's critical if we will continue to support 4.1.x. If 4.1.x will be EOL soon, we can close out the bug and the PR. |
https://access.redhat.com/support/policy/updates/openshift 4.1 ends maintenance support when 4.4 GAs. |
|
@abhat please see https://bugzilla.redhat.com/show_bug.cgi?id=1759182#c13 I tend to agree with Scott. But the BZ has no severity assigned, so would like @danwinship and/or @knobunc to ack this is important enough to be backported at this time. |
|
Closing this since we don't see much value in porting/adding fixes for 4.1 |
Only allow external IPs to be configured by cluster administrators and block normal users to set external IPs on a Service.