OCPBUGS-29793: [release-4.15] Address https://github.com/advisories/GHSA-fg9q-5cw2-p6r9: Restrict access to infrastructure PVCs by requiring matching infraClusterLabels on tenant PVCs #33
Conversation
…iring matching infraClusterLabels on tenant PVCs (kubevirt#103)

The CVE describes how an attacker may create a PV/PVC in a guest cluster to access any PVC in the infra cluster namespace. The infra clusters may belong to other guest clusters or have been created out of band from the kubevirt-csi driver.

This PR addresses the issue by:

1. infraClusterLabels are required (but it is up to the admin to make sure they are unique per tenant)
2. guest may only access infra PVCs with matching labels
3. guest can only access PVCs with a specific prefix (default is "pvc-")

Shoutout to awels who actually implemented this based on input from davidvossel.

Co-authored-by: Alexander Wels <awels@redhat.com>
Signed-off-by: Michael Henriksen <mhenriks@redhat.com>
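The policy the commit message describes (mandatory infraClusterLabels, label match, name prefix) reduces to a small admission check on the tenant side of the driver. The following Go is an added illustration of that check, not code from kubevirt-csi-driver or from this PR: the `InfraPVC` struct, the `key=value,key=value` label syntax accepted by `ParseInfraClusterLabels`, and the function names are assumptions made for the example. The sample PVCs are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// InfraPVC is a stand-in for the infra-cluster PersistentVolumeClaim
// (name and metadata labels only). It is a hypothetical type for this
// example, not a type from kubevirt-csi-driver or client-go.
type InfraPVC struct {
	Name   string
	Labels map[string]string
}

// ParseInfraClusterLabels parses "key=value,key=value" into a map.
// The comma/equals syntax is an assumption for this example. An empty
// result is rejected because the fix makes infraClusterLabels mandatory;
// making the label set unique per tenant remains the admin's job.
func ParseInfraClusterLabels(s string) (map[string]string, error) {
	out := map[string]string{}
	for _, kv := range strings.Split(s, ",") {
		kv = strings.TrimSpace(kv)
		if kv == "" {
			continue
		}
		k, v, ok := strings.Cut(kv, "=")
		if !ok || k == "" {
			return nil, fmt.Errorf("malformed label %q, want key=value", kv)
		}
		out[k] = v
	}
	if len(out) == 0 {
		return nil, errors.New("infraClusterLabels must not be empty")
	}
	return out, nil
}

// TenantMayAccess enforces the two runtime checks: the infra PVC name
// must carry the allowed prefix, and every configured infraClusterLabel
// must be present on the PVC with an identical value. A missing label
// set fails closed. Returns nil when access is allowed.
func TenantMayAccess(pvc InfraPVC, infraClusterLabels map[string]string, prefix string) error {
	if len(infraClusterLabels) == 0 {
		return errors.New("refusing: no infraClusterLabels configured")
	}
	if !strings.HasPrefix(pvc.Name, prefix) {
		return fmt.Errorf("refusing: PVC %q lacks required prefix %q", pvc.Name, prefix)
	}
	for k, want := range infraClusterLabels {
		got, ok := pvc.Labels[k]
		if !ok {
			return fmt.Errorf("refusing: PVC %q missing label %q", pvc.Name, k)
		}
		if got != want {
			return fmt.Errorf("refusing: PVC %q label %q is %q, want %q", pvc.Name, k, got, want)
		}
	}
	return nil
}

func main() {
	labels, err := ParseInfraClusterLabels("tenant=cluster-a,csi-driver=kubevirt")
	if err != nil {
		panic(err)
	}
	// Constructed sample PVCs: one provisioned for this tenant, one that
	// belongs to another tenant, one created out of band without the prefix.
	samples := []InfraPVC{
		{Name: "pvc-0a1b2c", Labels: map[string]string{"tenant": "cluster-a", "csi-driver": "kubevirt"}},
		{Name: "pvc-9f8e7d", Labels: map[string]string{"tenant": "cluster-b", "csi-driver": "kubevirt"}},
		{Name: "etcd-backup", Labels: map[string]string{"tenant": "cluster-a", "csi-driver": "kubevirt"}},
	}
	for _, p := range samples {
		fmt.Printf("%-12s -> %v\n", p.Name, TenantMayAccess(p, labels, "pvc-"))
	}
}
```

The label comparison is an exact match on every configured key, so a PVC carrying a superset of labels is still allowed; what it cannot do is pass with a different tenant value or with a key missing. Because uniqueness of the label set per tenant is not enforced by the check itself, two tenants configured with the same infraClusterLabels would still see each other's PVCs, which is the caveat in point 1 of the commit message.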
@mhenriks: No Jira issue with key CVE-2024 exists in the tracker at https://issues.redhat.com/. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
/re-title OCPBUGS-29793: [release-4.15] Address CVE-2024-1725: Restrict access to infrastructure PVCs by requiring matching infraClusterLabels on tenant PVCs |
/jira refresh |
@davidvossel: No Jira issue with key CVE-2024 exists in the tracker at https://issues.redhat.com/. In response to this:
@davidvossel: The referenced Jira(s) [CVE-2024] could not be located, all automatically applied jira labels will be removed. In response to this:
/retitle OCPBUGS-29793: [release-4.15] Address GHSA-fg9q-5cw2-p6r9: Restrict access to infrastructure PVCs by requiring matching infraClusterLabels on tenant PVCs |
@mhenriks: This pull request references Jira Issue OCPBUGS-29793, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
/jira-refresh |
/jira refresh |
@davidvossel: This pull request references Jira Issue OCPBUGS-29793, which is invalid:
Comment In response to this:
/jira refresh |
@davidvossel: This pull request references Jira Issue OCPBUGS-29793, which is invalid:
Comment In response to this:
/jira-refresh |
/jira refresh |
@davidvossel: This pull request references Jira Issue OCPBUGS-29793, which is valid. The bug has been moved to the POST state. 6 validation(s) were run on this bug
Requesting review from QA contact: In response to this:
I know this test didn't exist previously in this branch, but can we get the client_test.go unit tests ported as well? I think that would mean taking the client_test.go file from main and stripping out just the tests in the `Context("Snapshot class", func() {` section for the backport.
I'm pretty confident your PR works. My concern about backporting the unit tests is ensuring we lock in these changes when future backports occur. I want to make sure we've done our due diligence to prevent a regression especially since this is a CVE.
Co-authored-by: Alexander Wels <awels@redhat.com> Signed-off-by: Michael Henriksen <mhenriks@redhat.com>
/lgtm
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: davidvossel, mhenriks The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
@mhenriks: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
/label backport-risk-assessed |
d3bdbce into openshift:release-4.15
@mhenriks: Jira Issue OCPBUGS-29793: All pull requests linked via external trackers have merged: Jira Issue OCPBUGS-29793 has been moved to the MODIFIED state. In response to this:
[ART PR BUILD NOTIFIER] This PR has been included in build ose-kubevirt-csi-driver-container-v4.15.0-202403201702.p0.gd3bdbce.assembly.stream.el8 for distgit ose-kubevirt-csi-driver-rhel8. |
Fix included in accepted release 4.15.0-0.nightly-2024-03-22-044446 |