server: Support denying serving Ignition to active nodes and pods #784

Closed
wants to merge 1 commit into from

Commits on Apr 22, 2020

  1. server: Support denying serving Ignition to active nodes and pods

    Ignition may contain secret data; pods running on the cluster
    shouldn't have access.
    
    This adds opt-in support for denying serving that data.  It is
    disabled by default so we can check whether this would happen
    in any CI scenarios to start.  Run
    `oc -n openshift-machine-config-operator create configmap machine-config-server provision-check=yes`
    to switch to enforcing mode.
    
    First, we deny any request that appears to come from the pod overlay
    network.  This closes off a lot of avenues without any risk.
    
    However, we can't guarantee all in-cluster requests appear to originate from
    the pod network; in some cases according to the SDN team, particularly
    for machines that have multiple NICs.
    
    Hence, this PR also closes off access to any IP that responds on
    port 22, as that is a port that is:
    
     - Known to be active by default
     - Not firewalled
    
    A previous attempt at this was to have an [auth token](openshift#736);
    but this fix doesn't require changing the installer and people's PXE setups.
    
    In the future we may reserve a port in the 9xxx range and have the
    MCD respond on it so that admins who disable/firewall SSH don't
    have indirectly reduced security.
    cgwalters committed Apr 22, 2020
    75db5c2
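The two checks the commit message describes (refuse sources inside the pod network, then refuse sources that answer on port 22), written as an HTTP middleware in Go. This is an added example, not code from this PR: the `gate` type, its field and method names, the 2-second probe timeout and the sample CIDR and addresses are all assumptions.

```go
package main
import (
	"fmt"
	"net"
	"net/http"
	"time"
)

type gate struct { // hypothetical type, not the project's own
	podNet  *net.IPNet             // pod overlay CIDR
	enforce bool                   // false: evaluate but still serve (opt-in default)
	probe   func(host string) bool // true if host answers on port 22
}

func sshProbe(host string) bool { // TCP connect to host:22, assumed 2s timeout
	c, err := net.DialTimeout("tcp", net.JoinHostPort(host, "22"), 2*time.Second)
	if err == nil {
		c.Close()
	}
	return err == nil
}

func (g *gate) deny(remoteAddr string) string { // "" means allow
	host, _, _ := net.SplitHostPort(remoteAddr)
	switch ip := net.ParseIP(host); {
	case ip == nil:
		return "unparseable remote address" // fail closed
	case g.podNet.Contains(ip):
		return "source is in the pod network"
	case g.probe(host):
		return "source answers on port 22"
	}
	return ""
}

func (g *gate) wrap(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if why := g.deny(r.RemoteAddr); why != "" && g.enforce {
			http.Error(w, "denied: "+why, http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() { // constructed CIDR and address; refused before any probe is sent
	_, pods, _ := net.ParseCIDR("10.128.0.0/14")
	fmt.Println((&gate{pods, true, sshProbe}).deny("10.129.0.5:4711"))
}
```

`r.RemoteAddr` is the TCP peer address, so behind a proxy or load balancer the gate sees the proxy rather than the requesting machine.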