OCPBUGS-29793: [release-4.15] Address https://github.com/advisories/GHSA-fg9q-5cw2-p6r9: Restrict access to infrastructure PVCs by requiring matching infraClusterLabels on tenant PVCs #33

Merged

Conversation

mhenriks

The CVE describes how an attacker may create a PV/PVC in a guest cluster to access any PVC in the infra cluster namespace. The infra clusters may belong to other guest clusters or have been created out of band from the kubevirt-csi driver.

This PR addresses the issue by:

  1. infraClusterLabels are required (but it is up to the admin to make sure they are unique per tenant)
  2. guest may only access infra PVCs with matching labels
  3. guest can only access PVCs with specific prefix (default is "pvc-")

Shoutout to awels who actually implemented this based on input from davidvossel.

What this PR does / why we need it:

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #

Special notes for your reviewer:

Release note:

Address CVE-2024-1725 - PV allows access to HCP's root node
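As an added illustration of the three rules listed above (this is example code, not the PR's or the kubevirt-csi driver's own implementation; the `infraPVC` and `tenantConfig` types and the `authorize` function are hypothetical), the check a tenant's volume request has to pass before an infra-cluster PVC is handed to it:

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// infraPVC is a hypothetical, minimal model of a PVC in the infra
// cluster namespace, constructed for this example only.
type infraPVC struct {
	Name      string
	Namespace string
	Labels    map[string]string
}

// tenantConfig holds the per-tenant settings the PR description names.
type tenantConfig struct {
	InfraNamespace     string
	InfraClusterLabels map[string]string // rule 1: must be non-empty
	VolumePrefix       string            // rule 3: "pvc-" by default
}

// authorize returns nil only when the tenant may use pvc: the config must
// be complete, the PVC must sit in the tenant's infra namespace, carry the
// prefix, and match every infraClusterLabel (rule 2). PVCs created out of
// band or belonging to another tenant fail one of these checks.
func authorize(c tenantConfig, pvc infraPVC) error {
	if len(c.InfraClusterLabels) == 0 {
		return errors.New("infraClusterLabels are required")
	}
	if c.VolumePrefix == "" {
		return errors.New("volume name prefix must not be empty")
	}
	if pvc.Namespace != c.InfraNamespace {
		return fmt.Errorf("pvc %q is outside namespace %q", pvc.Name, c.InfraNamespace)
	}
	if !strings.HasPrefix(pvc.Name, c.VolumePrefix) {
		return fmt.Errorf("pvc %q lacks prefix %q", pvc.Name, c.VolumePrefix)
	}
	for k, v := range c.InfraClusterLabels {
		if got, ok := pvc.Labels[k]; !ok || got != v {
			return fmt.Errorf("pvc %q does not carry label %s=%s", pvc.Name, k, v)
		}
	}
	return nil
}
```

Label matching is per tenant, so the admin still has to ensure no two tenants share the same infraClusterLabels, as the description notes.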

…iring matching infraClusterLabels on tenant PVCs (kubevirt#103)

The CVE describes how an attacker may create a PV/PVC in a guest cluster to access any PVC in the infra cluster namespace.
The infra clusters may belong to other guest clusters or have been created out of band from the kubevirt-csi driver.

This PR addresses the issue by:

1.  infraClusterLabels are required (but it is up to the admin to make sure they are unique per tenant)
2.  guest may only access infra PVCs with matching labels
3.  guest can only access PVCs with specific prefix (default is "pvc-")

Shoutout to awels who actually implemented this based on input from davidvossel.

Co-authored-by: Alexander Wels <awels@redhat.com>
Signed-off-by: Michael Henriksen <mhenriks@redhat.com>
@openshift-ci-robot

@mhenriks: No Jira issue with key CVE-2024 exists in the tracker at https://issues.redhat.com/.
Once a valid jira issue is referenced in the title of this pull request, request a refresh with /jira refresh.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@davidvossel

/re-title OCPBUGS-29793: [release-4.15] Address CVE-2024-1725: Restrict access to infrastructure PVCs by requiring matching infraClusterLabels on tenant PVCs

@davidvossel

/jira refresh

@openshift-ci-robot

@davidvossel: No Jira issue with key CVE-2024 exists in the tracker at https://issues.redhat.com/.
Once a valid jira issue is referenced in the title of this pull request, request a refresh with /jira refresh.

In response to this:

/jira refresh

@openshift-ci-robot

@davidvossel: The referenced Jira(s) [CVE-2024] could not be located, all automatically applied jira labels will be removed.

In response to this:

/jira refresh

@davidvossel

/retitle OCPBUGS-29793: [release-4.15] Address GHSA-fg9q-5cw2-p6r9: Restrict access to infrastructure PVCs by requiring matching infraClusterLabels on tenant PVCs

@openshift-ci openshift-ci bot changed the title [release-4.15] Address CVE-2024-1725: Restrict access to infrastructure PVCs by requiring matching infraClusterLabels on tenant PVCs OCPBUGS-29793: [release-4.15] Address https://github.com/advisories/GHSA-fg9q-5cw2-p6r9: Restrict access to infrastructure PVCs by requiring matching infraClusterLabels on tenant PVCs Mar 12, 2024
@openshift-ci-robot openshift-ci-robot added jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Mar 12, 2024
@openshift-ci-robot

@mhenriks: This pull request references Jira Issue OCPBUGS-29793, which is invalid:

  • expected Jira Issue OCPBUGS-29793 to depend on a bug targeting a version in 4.16.0 and in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but no dependents were found

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

@davidvossel

/jira-refresh

@davidvossel

/jira refresh

@openshift-ci-robot

@davidvossel: This pull request references Jira Issue OCPBUGS-29793, which is invalid:

  • expected dependent Jira Issue OCPBUGS-30839 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is MODIFIED instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

/jira refresh

@davidvossel

/jira refresh

@openshift-ci-robot

@davidvossel: This pull request references Jira Issue OCPBUGS-29793, which is invalid:

  • expected dependent Jira Issue OCPBUGS-30839 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is ON_QA instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

/jira refresh

@davidvossel

/jira-refresh

@davidvossel

/jira refresh

@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Mar 14, 2024
@openshift-ci-robot

@davidvossel: This pull request references Jira Issue OCPBUGS-29793, which is valid. The bug has been moved to the POST state.

6 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.15.z) matches configured target version for branch (4.15.z)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)
  • dependent bug Jira Issue OCPBUGS-30839 is in the state Verified, which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
  • dependent Jira Issue OCPBUGS-30839 targets the "4.16.0" version, which is one of the valid target versions: 4.16.0
  • bug has dependents

Requesting review from QA contact:
/cc @LiangquanLi930

In response to this:

/jira refresh


@davidvossel davidvossel left a comment

I know this test didn't exist previously in this branch, but can we get the client_test.go unit tests ported as well? I think that would mean taking the client_test.go file from main and stripping out just the tests in the Context("Snapshot class", func() { section for the backport.

I'm pretty confident your PR works. My concern about backporting the unit tests is ensuring we lock in these changes when future backports occur. I want to make sure we've done our due diligence to prevent a regression especially since this is a CVE.

Co-authored-by: Alexander Wels <awels@redhat.com>
Signed-off-by: Michael Henriksen <mhenriks@redhat.com>

@davidvossel davidvossel left a comment

/lgtm
/approve

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Mar 20, 2024

openshift-ci bot commented Mar 20, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: davidvossel, mhenriks

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 20, 2024

openshift-ci bot commented Mar 20, 2024

@mhenriks: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@davidvossel

/label backport-risk-assessed
/label cherry-pick-approved

@openshift-ci openshift-ci bot added backport-risk-assessed Indicates a PR to a release branch has been evaluated and considered safe to accept. cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. labels Mar 20, 2024
@openshift-merge-bot openshift-merge-bot bot merged commit d3bdbce into openshift:release-4.15 Mar 20, 2024
4 checks passed
@openshift-ci-robot

@mhenriks: Jira Issue OCPBUGS-29793: All pull requests linked via external trackers have merged:

Jira Issue OCPBUGS-29793 has been moved to the MODIFIED state.


@openshift-bot

[ART PR BUILD NOTIFIER]

This PR has been included in build ose-kubevirt-csi-driver-container-v4.15.0-202403201702.p0.gd3bdbce.assembly.stream.el8 for distgit ose-kubevirt-csi-driver-rhel8.
All builds following this will include this PR.

@openshift-merge-robot

Fix included in accepted release 4.15.0-0.nightly-2024-03-22-044446
