-
Notifications
You must be signed in to change notification settings - Fork 467
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OCPBUGS-34373: routes/custom-host permission update for externalCertificate #1652
base: master
Are you sure you want to change the base?
Conversation
@chiragkyal: This pull request references Jira Issue OCPBUGS-34373, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. In response to this: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
9e2a1ad
to
29453c9
Compare
/assign @alebedev87 @Miciah |
/cc @lihongan |
/jira refresh |
@lihongan: This pull request references Jira Issue OCPBUGS-34373, which is valid. 3 validation(s) were run on this bug
Requesting review from QA contact: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
Inactive enhancement proposals go stale after 28d of inactivity. See https://github.com/openshift/enhancements#life-cycle for details. Mark the proposal as fresh by commenting If this proposal is safe to close now please do so with /lifecycle stale |
/remove-lifecycle stale |
/jira refresh |
@chiragkyal: This pull request references Jira Issue OCPBUGS-34373, which is valid. 3 validation(s) were run on this bug
Requesting review from QA contact: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, a couple of nit picks.
enhancements/ingress/route-secret-injection-for-external-certificate-management.md
Outdated
Show resolved
Hide resolved
enhancements/ingress/route-secret-injection-for-external-certificate-management.md
Outdated
Show resolved
Hide resolved
enhancements/ingress/route-secret-injection-for-external-certificate-management.md
Outdated
Show resolved
Hide resolved
29453c9
to
a0847b3
Compare
/lgtm |
/approve Can I? |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: alebedev87 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
@Miciah : feel free to unhold if you are fine with the change. |
enhancements/ingress/route-secret-injection-for-external-certificate-management.md
Outdated
Show resolved
Hide resolved
|
||
- Changing the secret name referenced by `.spec.tls.externalCertificate`. | ||
|
||
- **Even keeping the secret name unchanged, requires permission check. Since the state of the external secret cannot be verified.** |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This restriction really makes me nervous, for two reasons:
-
This restriction potentially blocks all updates to a route that specifies
spec.tls.externalCertificate
if the user does not have the "custom-host" permission. Even updating an unrelated field or adding an annotation could be blocked. However, we already discussed this concern here: CFE-885:Feature route external certificate validation openshift-apiserver#407 (comment). I'll continue to defer to the API reviewers if this is all right with them. -
It isn't clear how this restriction on updates to the route improves security given that the user could update the secret without updating the route. It seems that giving a user permission to create a route with
spec.tls.externalCertificate
implicitly gives the user permission to update the certificate, so maybe we need to require the user to have update permission in order to specifyspec.tls.externalCertificate
at all.
Can you make sure the EP explicitly calls out the first point (blocking all updates) and clearly addresses the second (how this restriction improves security)?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you make sure the EP explicitly calls out the first point (blocking all updates)
Sure, I'll add that information in the EP body.
On the second concern, I think we might need to retain certain points from the Exception in Validations between API server and the router
section which explains that "custom-host" permission check is intentionally done only on the API server and not the router as well.
Post creation of the route if the permissions for `custom-host`
are revoked and the user edits the contents of the secret, the router would still be
able to successfully reload the certificate on the route.
so maybe we need to require the user to have update permission in order to specify spec.tls.externalCertificate at all.
If a user has "custom-host" "create" permission, then "update" permission is optional to update the TLS certificate. Updating TLS certificate requires either create
or update
permission on the routes/custom-host
sub-resource. So, users having "create" permission can do both create and update route with non-empty spec.tls.externalCertificate
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you make sure the EP explicitly calls out the first point (blocking all updates)
Sure, I'll add that information in the EP body.
Thanks!
On the second concern, I think we might need to retain certain points from the
Exception in Validations between API server and the router
section which explains that "custom-host" permission check is intentionally done only on the API server and not the router as well.Post creation of the route if the permissions for `custom-host` are revoked and the user edits the contents of the secret, the router would still be able to successfully reload the certificate on the route.
so maybe we need to require the user to have update permission in order to specify spec.tls.externalCertificate at all.
If a user has "custom-host" "create" permission, then "update" permission is optional to update the TLS certificate. Updating TLS certificate requires either
create
orupdate
permission on theroutes/custom-host
sub-resource. So, users having "create" permission can do both create and update route with non-emptyspec.tls.externalCertificate
I see—create permission is already sufficient to update spec.tls.certificate
, so it would be inconsistent to require update permission to specify an external certificate. Moreover, requiring update permission to specify an external certificate doesn't prevent the user from updating the external certificate after the permission has been revoked. Do I understand correctly?
That leaves me with two unanswered questions:
- How does restricting updates on the route improve security when someone could update the secret for the external certificate?
- Can we prevent the route owner from updating the secret after custom-host create/update permissions have been revoked? Or, do we just need to accept (and document!) that giving someone permission to use an external certificate effectively gives them irrevocable permission to update the certificate later on?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sure, I'll add that information in the EP body.
Added
Moreover, requiring update permission to specify an external certificate doesn't prevent the user from updating the external certificate after the permission has been revoked. Do I understand correctly?
Yes, that's correct. Users can update the external certificate (secret) even after the "custom-host" permission is revoked.
How does restricting updates on the route improve security when someone could update the secret for the external certificate?
You're right, it doesn't provide additional security in this context. As mentioned in the EP, this is a known limitation.
Can we prevent the route owner from updating the secret after custom-host create/update permissions have been revoked? Or, do we just need to accept (and document!) that giving someone permission to use an external certificate effectively gives them irrevocable permission to update the certificate later on?
- One external certificate (secret) could be used (shared) by multiple routes. After the "custom-host" permissions are revoked for a certain route owner, blocking the secret update could cause issues for other route owners.
I haven't been able to identify an easier way to address this currently; it likely requires additional or potentially complex changes. This is an existing drawback, and since we haven't found a clear workaround, it should be documented.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As discussed in the meeting, since this is an existing design choice and the bug is focused on making the custom-host
permission consistent, does it make sense to discuss the resolution as part of a separate ticket if that is really a security concern?
New changes are detected. LGTM label has been removed. |
ca4e9d0
to
d336c84
Compare
…ficate Signed-off-by: chiragkyal <ckyal@redhat.com>
d336c84
to
b7494a3
Compare
@chiragkyal: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
https://issues.redhat.com//browse/OCPBUGS-34373