[vSphere, UPI] I can read the ignition files from outside of the cluster without providing credentials #176
Labels: lifecycle/stale
Hi,
in my UPI vSphere setup I am able to get the ignition files for masters and workers with:
from my local PC which is NOT part of the cluster. In my opinion this shouldn't work without providing credentials.
Version: Beta4
The solution for that seems to be to install a firewall around the cluster. But this seems to be kind of a workaround.
I rsh'ed into several pods on my cluster and tried this curl to check whether any user who can enter a pod's terminal can curl the ignition files and maybe read cloud provider secrets provided there. In this case I got a 'connection refused' message. A user seems not to be able to get the ignition file. But I don't feel comfortable assuming this holds in all situations.
In my opinion, the ignition files shouldn't be available at all without protection on the REST API of the machine config daemon.
Greetings,
Josef
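The worry in the post is what an unauthenticated fetch of the ignition config actually hands out. Below is an added example, not code from the issue or from the OpenShift installer: a small audit script that takes the JSON an Ignition endpoint returns (from whatever `curl` the reporter used, piped to a file or stdin) and lists every embedded file or user entry that looks like credential material. The path hints and the content regex are heuristics chosen for this example; the Ignition config at the bottom is constructed sample data, not anything captured from a real cluster.

```python
"""Audit an Ignition config for embedded credential material.

Added example, not part of the issue or the OpenShift installer.
Usage:  curl -s <ignition-url> > node.ign && python3 ignition_audit.py node.ign
Without an argument the constructed SAMPLE_IGNITION below is audited.
"""
import base64
import json
import re
import sys
from urllib.parse import unquote

# Path fragments that usually carry credentials (heuristic, an assumption
# of this example rather than an Ignition or OpenShift convention).
SENSITIVE_PATHS = (
    "kubeconfig", "kubelet/config.json", "cloud.conf", "/etc/pki/",
    ".pem", ".key", ".crt", "pull-secret", "credentials",
)
# Content patterns that indicate secrets (case-insensitive heuristic).
SENSITIVE_CONTENT = re.compile(
    r"PRIVATE KEY|\"auths\"|password|passwd|token|secret|access_key|"
    r"client-certificate-data|client-key-data",
    re.IGNORECASE,
)


def decode_source(source):
    """Return the bytes behind an Ignition file 'source' URL.

    Ignition inlines file contents as RFC 2397 data URLs, either
    percent-encoded ('data:,...') or base64 ('data:...;base64,...').
    Anything else (http, https, s3, tftp) is fetched by the node later,
    so None is returned to mark it as a remote source.
    """
    if not source.startswith("data:"):
        return None
    header, _, payload = source[len("data:"):].partition(",")
    if "base64" in header.split(";"):
        return base64.b64decode(payload)
    return unquote(payload).encode("utf-8")


def audit_ignition(text):
    """Parse Ignition JSON (storage.files / passwd.users are laid out the
    same in the v2 and v3 schemas) and return one finding per entry that
    exposes something sensitive: {"path", "reasons", "inline"}."""
    cfg = json.loads(text)
    findings = []
    for f in cfg.get("storage", {}).get("files", []):
        path = f.get("path", "")
        source = f.get("contents", {}).get("source", "")
        body = decode_source(source)
        reasons = []
        if any(hint in path for hint in SENSITIVE_PATHS):
            reasons.append("sensitive path")
        if body is None:
            if source:  # node will fetch this too, list it for follow-up
                reasons.append("remote source: " + source.split("?")[0])
        else:
            m = SENSITIVE_CONTENT.search(body.decode("utf-8", "replace"))
            if m:
                reasons.append("content matches %r" % m.group(0))
        if reasons:
            findings.append({"path": path, "reasons": reasons,
                             "inline": body is not None})
    for u in cfg.get("passwd", {}).get("users", []):
        reasons = []
        if u.get("passwordHash"):
            reasons.append("password hash exposed")
        if u.get("sshAuthorizedKeys"):
            reasons.append("%d ssh authorized key(s) visible"
                           % len(u["sshAuthorizedKeys"]))
        if reasons:
            findings.append({"path": "passwd.users/" + u.get("name", "?"),
                             "reasons": reasons, "inline": True})
    return findings


# Constructed sample in the Ignition 2.2 layout; every value is made up.
SAMPLE_IGNITION = json.dumps({
    "ignition": {"version": "2.2.0"},
    "storage": {"files": [
        {"path": "/etc/motd", "filesystem": "root", "mode": 420,
         "contents": {"source": "data:,Welcome%20to%20the%20node"}},
        {"path": "/etc/kubernetes/kubeconfig", "filesystem": "root", "mode": 384,
         "contents": {"source": "data:text/plain;charset=utf-8;base64,"
                      + base64.b64encode(b"apiVersion: v1\nusers:\n- name: admin\n"
                                         b"  user:\n    token: constructed-token\n").decode()}},
        {"path": "/var/lib/kubelet/config.json", "filesystem": "root", "mode": 384,
         "contents": {"source": "data:text/plain;charset=utf-8;base64,"
                      + base64.b64encode(b'{"auths":{"registry.example":'
                                         b'{"auth":"Y29uc3RydWN0ZWQ="}}}').decode()}},
    ]},
    "passwd": {"users": [{"name": "core",
                          "sshAuthorizedKeys": ["ssh-rsa AAAA-constructed-key"]}]},
})


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_IGNITION
    for finding in audit_ignition(text):
        print("%-36s %s" % (finding["path"], "; ".join(finding["reasons"])))
```

Run it against the output of the unauthenticated fetch from a machine that is not a cluster node; an empty result means the served config carries no inline credential material by these heuristics, while any `remote source` line points at a further URL the node will also retrieve without credentials and that deserves the same check.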