
Enforcing Service external IPs #161

Merged
merged 1 commit into from
Dec 11, 2020
Conversation

prometherion (Member)

Closes #159.

@prometherion prometherion self-assigned this Dec 10, 2020
bsctl (Member) left a comment

@prometherion with the current implementation, omitting externalServiceIPs from the tenant manifest, the admission control is not in place and all IPs are permitted.

It seems we have the following options to block all IPs:

  1. if the externalServiceIPs spec is not declared in the tenant, then no IPs are permitted at all, as stated in Policy to restrict External IPs in Services [CVE-2020-8554] #159. This will be an exception in the general approach where, if a spec is not declared, the related admission controller is not applied, e.g. IngressClasses. Actually, this different approach could be a bit confusing for the end user.

  2. permit an empty value for the allowed list of IPs, for example

```yaml
apiVersion: capsule.clastix.io/v1alpha1
kind: Tenant
spec:
  externalServiceIPs:
    allowed: []
```

Option 2 actually works. However, since externalServiceIPs is not mandatory, it is the responsibility of the cluster admin to apply that spec in order to mitigate CVE-2020-8554.

I'd like to know your point of view. Thanks.

prometherion (Member, Author)

> omitting externalServiceIPs from tenant manifest, the admission control is not in place and all IPs are permitted.

This looks good to me; it's the expected behavior according to the current implementation, and it reflects what we achieved with Storage and Ingress classes.

If the CVE must be mitigated, a valid .spec.externalServiceIPs.allowed set of CIDR blocks has to be put in place.
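The semantics the two comments above settle on, written out as an added Go example (not Capsule's own admission code): a nil spec means externalServiceIPs was omitted and nothing is enforced, `allowed: []` denies every external IP, and otherwise each Service externalIP must fall inside one of the allowed CIDR blocks. The `ExternalServiceIPs` type, `ValidateExternalIPs` and the sample addresses are hypothetical.

```go
package main

import (
	"fmt"
	"net"
)

// ExternalServiceIPs models spec.externalServiceIPs.allowed from the Tenant
// manifest (hypothetical type). A nil *ExternalServiceIPs means the spec was omitted.
type ExternalServiceIPs struct {
	Allowed []string // CIDR blocks, e.g. "203.0.113.0/24"
}

// ValidateExternalIPs applies the behaviour agreed in the PR discussion:
//   spec omitted          -> admission control not in place, every IP permitted
//   spec with allowed: [] -> no external IP permitted at all
//   otherwise             -> every Service externalIP must sit in an allowed CIDR
func ValidateExternalIPs(spec *ExternalServiceIPs, externalIPs []string) (bool, string) {
	if spec == nil {
		return true, "externalServiceIPs not declared; no enforcement"
	}
	var allowed []*net.IPNet
	for _, cidr := range spec.Allowed {
		_, n, err := net.ParseCIDR(cidr)
		if err != nil {
			// Fail closed: a malformed allow-list must not silently admit everything.
			return false, fmt.Sprintf("invalid allowed CIDR %q: %v", cidr, err)
		}
		allowed = append(allowed, n)
	}
	for _, raw := range externalIPs {
		ip := net.ParseIP(raw)
		if ip == nil {
			return false, fmt.Sprintf("externalIP %q is not a valid IP address", raw)
		}
		if !inAnyNet(ip, allowed) {
			return false, fmt.Sprintf("externalIP %s is outside every allowed CIDR block", raw)
		}
	}
	return true, "all externalIPs fall within the allowed CIDR blocks"
}

// inAnyNet reports whether ip belongs to at least one of the given networks.
func inAnyNet(ip net.IP, nets []*net.IPNet) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}
```

A Service that declares no externalIPs is admitted under every setting, since there is nothing to check.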

bsctl (Member) commented Dec 11, 2020

LGTM

@prometherion prometherion force-pushed the issues/159 branch 3 times, most recently from 1f8176d to 4580c84 Compare December 11, 2020 17:21
Successfully merging this pull request may close these issues.

Policy to restrict External IPs in Services [CVE-2020-8554]