forked from openshift/machine-config-operator
server: Support denying serving Ignition to active nodes and pods
Ignition may contain secret data; pods running on the cluster shouldn't have access. This adds opt-in support for denying serving that data. It is disabled by default so we can check whether this would happen in any CI scenarios to start. Run `oc -n openshift-machine-config-operator create configmap machine-config-server provision-check=yes` to switch to enforcing mode.

First, we deny any request that appears to come from the pod overlay network. This closes off a lot of avenues without any risk. However, we can't guarantee all in-cluster requests appear to originate from the pod network; in some cases according to the SDN team, particularly for machines that have multiple NICs. Hence, this PR also closes off access to any IP that responds on port 22, as that is a port that is:

- Known to be active by default
- Not firewalled

A previous attempt at this was to have an [auth token](openshift#736); but this fix doesn't require changing the installer and people's PXE setups. In the future we may reserve a port in the 9xxx range and have the MCD respond on it so that admins who disable/firewall SSH don't have indirectly reduced security.
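The two checks the commit message describes, written out as an added Go illustration that is not the commit's own code: a request is refused when its source sits inside the pod overlay CIDR or when the source already answers on port 22, and a non-enforcing audit mode still serves but reports what enforcing mode would have denied. The pod CIDR 10.128.0.0/14, the function name Allow and the SSHActive probe variable are assumptions of this example.

```go
package main

import (
	"fmt"
	"net"
	"time"
)

// SSHActive is the port-22 probe: a short TCP connect back to the source
// IP. It is a variable so a test can substitute a fake and run offline.
var SSHActive = func(ip net.IP) bool {
	c, err := net.DialTimeout("tcp", net.JoinHostPort(ip.String(), "22"), 2*time.Second)
	if err == nil {
		c.Close()
	}
	return err == nil
}

// Allow decides whether Ignition may be served to remoteAddr. It refuses
// sources inside the pod overlay CIDRs and sources that already answer on
// port 22 (active nodes). With enforce=false (audit mode) it still serves
// but returns the reason, so the caller can log what enforcing would deny.
func Allow(remoteAddr string, podCIDRs []string, enforce bool) (bool, string) {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr // bare IP without a port
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return false, fmt.Sprintf("unparseable remote address %q", remoteAddr)
	}
	reason := ""
	for _, c := range podCIDRs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return false, "misconfigured pod CIDR " + c // fail closed
		}
		if n.Contains(ip) {
			reason = fmt.Sprintf("%s is on pod network %s", ip, n)
		}
	}
	if reason == "" && SSHActive(ip) {
		reason = fmt.Sprintf("%s already answers on port 22 (active node)", ip)
	}
	return !(reason != "" && enforce), reason
}

func main() { // audit mode with a constructed pod CIDR
	fmt.Println(Allow("10.129.2.5:43210", []string{"10.128.0.0/14"}, false))
}
```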
Showing 5 changed files with 201 additions and 4 deletions.