
Bug 1996689: Tighten up RestrictedEndpointsAdmission #899

Merged

Conversation

@danwinship commented Aug 23, 2021

We prevent users from creating Endpoints that point into the cluster or service networks (or to the cloud metadata server, or to the MCS), but we don't currently prevent the creation of EndpointSlices in the same way.

[EDIT] OK, so actually project admins don't normally have EndpointSlice edit permission anyway. So this part isn't needed to prevent the CVE. However, it does make it so that if the admin chooses to give someone EndpointSlice edit permission, then it will work like the existing Endpoints edit permission; they can make any modification except adding restricted endpoints. The new e2e test checks this.

Also, we were failing to block updates to NotReadyEndpoints in Endpoints, which could potentially be used for a CVE-2021-25740-like attack in the future.

@openshift-ci-robot openshift-ci-robot added the backports/unvalidated-commits Indicates that not all commits come to merged upstream PRs. label Aug 23, 2021
@openshift-ci openshift-ci bot added do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. bugzilla/severity-high Referenced Bugzilla bug's severity is high for the branch this PR is targeting. bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. labels Aug 23, 2021
@openshift-ci bot commented Aug 23, 2021

@danwinship: This pull request references Bugzilla bug 1996689, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target release (4.9.0) matches configured target release for branch (4.9.0)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

Requesting review from QA contact:
/cc @wangke19

In response to this:

Bug 1996689: Make RestrictedEndpointsAdmission restrict EndpointSlices as well

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci-robot

@danwinship: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:


@danwinship (Author)

/hold cancel
This works:

  • ordinary users can edit endpoints as long as they don't add illegal IPs to them
  • ordinary users can't edit endpointslice, as with upstream
  • EndpointsController has unrestricted endpoints permission and EndpointSliceController has unrestricted endpointslice permission

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Aug 26, 2021

    func (r *restrictedEndpointsAdmission) sliceFindRestrictedIP(slice *discovery.EndpointSlice, restricted []*net.IPNet) error {
        for _, endpoint := range slice.Endpoints {
            for _, addr := range endpoint.Addresses {
Reviewer:

do you want to check the EndpointConditions to see if the endpoint is Ready?

@danwinship (Author):

Why? If it has restricted IPs, then it's restricted, regardless of conditions

Reviewer:

because the endpoints code only checks the ready ones?

Reviewer:

it was curiosity only; the endpoints code only parses `for _, addr := range subset.Addresses`, it doesn't parse `subsets.NotReadyAddresses`

@danwinship (Author):

hm... that seems more like a bug in the Endpoints version 😯
(it doesn't currently matter since we don't point any services to the NotReadyAddresses, but someone might use them for something in the future.)

Reviewer:

yeah, as I've said, it was mostly curiosity.

Reviewer:

as commented elsewhere, adding NotReadyAddresses validation is technically a breaking change. If we want that, then we need a good reason, e.g. a CVE.

Reviewer:

> (it doesn't currently matter since we don't point any services to the NotReadyAddresses, but someone might use them for something in the future.)

I've talked with Stefan and we shouldn't add it, because if someone has created it before, after upgrade the endpoint will become invalid, and as you say it seems only cosmetic; sorry for the noise #899 (comment)

@danwinship (Author):

commented in the other thread; it's part of CVE-2021-25740. Upstream solved that CVE by blocking all Endpoints modifications; we are blocking it with a more surgical block, but previously we had missed part of it.
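The admission check described in the PR description and the NotReadyAddresses gap discussed in the review thread, as an added example that is not the project's own code. It uses simplified stand-in types in place of the Kubernetes API types, constructed sample CIDRs, and hypothetical function names (`ParseRestricted`, `EndpointsFindRestrictedIPOld`, `EndpointsFindRestrictedIP`, `SliceFindRestrictedIP`); the "old" function reproduces the Addresses-only walk the reviewer pointed at, and the other two check every address, whatever its readiness:

```go
package main

import (
	"fmt"
	"net"
)

// Simplified stand-ins for the corev1.Endpoints / discoveryv1.EndpointSlice fields the
// check inspects (assumption: the real API types carry more fields, unused here).
type (
	EndpointAddress struct{ IP string }
	EndpointSubset  struct{ Addresses, NotReadyAddresses []EndpointAddress }
	Endpoints       struct{ Subsets []EndpointSubset }
	Endpoint        struct{ Addresses []string }
	EndpointSlice   struct{ Endpoints []Endpoint }
)

// ParseRestricted parses the CIDRs that user-created endpoints may not point into.
func ParseRestricted(cidrs []string) ([]*net.IPNet, error) {
	var out []*net.IPNet
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, fmt.Errorf("bad restricted CIDR %q: %w", c, err)
		}
		out = append(out, n)
	}
	return out, nil
}

// checkAddr rejects an address that is unparseable (fail closed) or inside a restricted range.
func checkAddr(addr string, restricted []*net.IPNet) error {
	ip := net.ParseIP(addr)
	if ip == nil {
		return fmt.Errorf("invalid endpoint address %q", addr)
	}
	for _, n := range restricted {
		if n.Contains(ip) {
			return fmt.Errorf("endpoint address %s is in restricted network %s", addr, n)
		}
	}
	return nil
}

// EndpointsFindRestrictedIPOld reproduces the gap raised in the review thread: it walks
// only subset.Addresses, so a restricted IP placed in NotReadyAddresses is admitted.
func EndpointsFindRestrictedIPOld(ep *Endpoints, restricted []*net.IPNet) error {
	for _, subset := range ep.Subsets {
		for _, a := range subset.Addresses {
			if err := checkAddr(a.IP, restricted); err != nil {
				return err
			}
		}
	}
	return nil
}

// EndpointsFindRestrictedIP closes that gap by checking NotReadyAddresses as well.
func EndpointsFindRestrictedIP(ep *Endpoints, restricted []*net.IPNet) error {
	for _, subset := range ep.Subsets {
		for _, list := range [][]EndpointAddress{subset.Addresses, subset.NotReadyAddresses} {
			for _, a := range list {
				if err := checkAddr(a.IP, restricted); err != nil {
					return err
				}
			}
		}
	}
	return nil
}

// SliceFindRestrictedIP checks every address of every endpoint in a slice. Readiness
// conditions are deliberately ignored: a restricted IP is restricted either way.
func SliceFindRestrictedIP(slice *EndpointSlice, restricted []*net.IPNet) error {
	for _, endpoint := range slice.Endpoints {
		for _, addr := range endpoint.Addresses {
			if err := checkAddr(addr, restricted); err != nil {
				return err
			}
		}
	}
	return nil
}

func main() {
	// Constructed sample ranges: a pod network, a service network and the cloud metadata address.
	restricted, err := ParseRestricted([]string{"10.128.0.0/14", "172.30.0.0/16", "169.254.169.254/32"})
	if err != nil {
		panic(err)
	}
	// Constructed object: the metadata address hidden in NotReadyAddresses.
	ep := &Endpoints{Subsets: []EndpointSubset{{
		Addresses:         []EndpointAddress{{IP: "192.0.2.10"}},
		NotReadyAddresses: []EndpointAddress{{IP: "169.254.169.254"}},
	}}}
	fmt.Println("old Endpoints check:", EndpointsFindRestrictedIPOld(ep, restricted))
	fmt.Println("new Endpoints check:", EndpointsFindRestrictedIP(ep, restricted))
	slice := &EndpointSlice{Endpoints: []Endpoint{{Addresses: []string{"172.30.0.1"}}}}
	fmt.Println("EndpointSlice check:", SliceFindRestrictedIP(slice, restricted))
}
```

Running it shows the old check returning nil for the object that hides the metadata address in NotReadyAddresses, while the new check rejects it; the slice check rejects a service-network address without looking at conditions. Unparseable addresses are rejected rather than skipped, so a malformed entry cannot be used to bypass the range test.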


@danwinship (Author)

/retest

@danwinship (Author)

/retest-required

@openshift-ci bot commented Aug 31, 2021

@danwinship: This pull request references Bugzilla bug 1996689, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target release (4.9.0) matches configured target release for branch (4.9.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

Requesting review from QA contact:
/cc @wangke19

In response to this:

Bug 1996689: Tighten up RestrictedEndpointsAdmission


@abhat commented Aug 31, 2021

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Aug 31, 2021
@abhat commented Aug 31, 2021

/test e2e-gcp-upgrade

@wallylewis

/test e2e-gcp-upgrade

@aojea commented Sep 1, 2021

/retest
/lgtm
It seems all comments have been addressed; on the discussion about NotReadyAddresses I agree with Dan, it's a potential security hole with low risk of API break (🤞)

@mfojtik mfojtik removed the backports/unvalidated-commits Indicates that not all commits come to merged upstream PRs. label Sep 1, 2021
@sttts commented Sep 1, 2021

/approve

@openshift-ci bot commented Sep 1, 2021

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: abhat, aojea, danwinship, sttts

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 1, 2021
@openshift-bot

/retest-required

Please review the full test history for this PR and help us cut down flakes.


@openshift-merge-robot openshift-merge-robot merged commit 75ee307 into openshift:master Sep 4, 2021
@openshift-ci bot commented Sep 4, 2021

@danwinship: Some pull requests linked via external trackers have merged:

The following pull requests linked via external trackers have not merged:

These pull request must merge or be unlinked from the Bugzilla bug in order for it to move to the next state. Once unlinked, request a bug refresh with /bugzilla refresh.

Bugzilla bug 1996689 has not been moved to the MODIFIED state.

In response to this:

Bug 1996689: Tighten up RestrictedEndpointsAdmission


Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. bugzilla/severity-high Referenced Bugzilla bug's severity is high for the branch this PR is targeting. bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. lgtm Indicates that a PR is ready to be merged.