[Bug]: DSPA service endpoint is not secure
Closed this issue · 3 comments
Is there an existing issue for this?
- I have searched the existing issues
Deploy type
ODH Dashboard UI
Version
RHODS 2.4
Environment
OCP 4.12
Current Behavior
When deploying a DSPA, port 8888 is open and accessible via the service to all other resources on the cluster without authentication.
Currently, port 8443 is secured by an oauth-proxy and forwards traffic to localhost:8888, but since port 8888 is exposed, the oauth-proxy can be bypassed by any other resource that has access to communicate with the service.
Since port 8888 is exposed, another nefarious resource running on the cluster can exfiltrate data from any DSPA on the cluster, including data and artifacts.
Expected Behavior
Ports 8888 and 8887 should not be exposed on the service, and the only port on the pod that should be accessible should be port 8443, which is secured with the oauth proxy.
Steps To Reproduce
- Deploy a DSPA
- Connect to the DSPA via ds-pipeline-pipelines-definition.my-project.svc:8888 from another pod running in any namespace on the cluster without a bearer token
Workaround (if any)
No response
Anything else
No response
@strangiato there is a network policy in place that should be preventing this: https://github.com/opendatahub-io/data-science-pipelines-operator/blob/main/config/internal/common/policy.yaml.tmpl#L21 . Only DSP pods should be able to access this port within the DSPA's namespace.
Are you saying this is not working, and that other pods/external traffic are able to access the DSP server endpoint?
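The two claims in this thread (the reporter's reproduction step, that port 8888 on the Service is reachable from a pod in any namespace without a bearer token, and the maintainer's reply, that a NetworkPolicy should limit that port to DSP pods in the DSPA's namespace) can be checked offline against the manifests. The following is an added example, not code from the issue or from the data-science-pipelines-operator: it audits a Service for ports that are not fronted by the oauth-proxy, and evaluates a simplified NetworkPolicy ingress model (podSelector, namespaceSelector and ports; ipBlock and egress are not modelled) to see which source pods can reach port 8888. The Service, NetworkPolicy and pod definitions are constructed for the example; the policy only approximates what the maintainer's comment describes and is not the contents of policy.yaml.tmpl.

```python
"""Added example: audit a DSPA Service and evaluate a NetworkPolicy offline."""

# Constructed Service (a dict, not read from a cluster): the deployed state the
# issue describes, with the oauth-proxy on 8443 and the API server's own ports
# 8888 (HTTP) and 8887 (gRPC) also published on the Service.
SERVICE_AS_DEPLOYED = {
    "metadata": {"name": "ds-pipeline-pipelines-definition", "namespace": "my-project"},
    "spec": {"ports": [{"name": "oauth", "port": 8443},
                       {"name": "http", "port": 8888},
                       {"name": "grpc", "port": 8887}]},
}

# The Service as the "Expected Behavior" section asks for it: only 8443.
SERVICE_EXPECTED = {
    "metadata": {"name": "ds-pipeline-pipelines-definition", "namespace": "my-project"},
    "spec": {"ports": [{"name": "oauth", "port": 8443}]},
}

# Constructed NetworkPolicy approximating the maintainer's description
# (assumption: the real policy.yaml.tmpl may differ). The API server pod accepts
# 8888/8887 only from same-namespace pods carrying a pipeline-component label,
# and 8443 (the oauth-proxy) from anywhere.
POLICY = {
    "namespace": "my-project",
    "podSelector": {"matchLabels": {"app": "ds-pipeline-pipelines-definition"}},
    "policyTypes": ["Ingress"],
    "ingress": [
        {"from": [{"podSelector": {"matchLabels": {"component": "data-science-pipelines"}}}],
         "ports": [{"port": 8888}, {"port": 8887}]},
        {"ports": [{"port": 8443}]},
    ],
}

# Constructed namespaces (label sets) and pods (namespace + labels).
NAMESPACES = {"my-project": {"kubernetes.io/metadata.name": "my-project"},
              "attacker-ns": {"kubernetes.io/metadata.name": "attacker-ns"}}
DSP_SERVER = {"namespace": "my-project", "labels": {"app": "ds-pipeline-pipelines-definition"}}
DSP_PEER = {"namespace": "my-project", "labels": {"component": "data-science-pipelines"}}
NOTEBOOK = {"namespace": "my-project", "labels": {"app": "notebook"}}
OTHER_POD = {"namespace": "attacker-ns", "labels": {}}


def exposed_without_auth(service, auth_ports):
    """Service ports not fronted by an authenticating proxy, sorted."""
    return sorted(p["port"] for p in service["spec"]["ports"] if p["port"] not in auth_ports)


def _matches(selector, labels):
    """matchLabels-only selector; an empty selector matches everything."""
    return all(labels.get(k) == v for k, v in (selector or {}).get("matchLabels", {}).items())


def _port_ok(rule, port):
    """A rule with no 'ports' admits every port."""
    return not rule.get("ports") or any(e.get("port") == port for e in rule["ports"])


def _peer_ok(policy, rule, namespaces, src):
    """A rule with no 'from' admits every source; otherwise any peer may match."""
    if not rule.get("from"):
        return True
    for peer in rule["from"]:
        ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
        # podSelector alone is scoped to the policy's own namespace.
        ns_ok = (_matches(ns_sel, namespaces[src["namespace"]]) if ns_sel is not None
                 else src["namespace"] == policy["namespace"])
        pod_ok = _matches(pod_sel, src["labels"]) if pod_sel is not None else True
        if ns_ok and pod_ok:
            return True
    return False


def ingress_allowed(policies, namespaces, src, dst, port):
    """True if src may open port on dst under the given ingress policies."""
    selecting = [p for p in policies
                 if p["namespace"] == dst["namespace"]
                 and "Ingress" in p.get("policyTypes", ["Ingress"])
                 and _matches(p.get("podSelector", {}), dst["labels"])]
    if not selecting:
        return True  # no policy selects the pod: it is not isolated for ingress
    return any(_port_ok(rule, port) and _peer_ok(pol, rule, namespaces, src)
               for pol in selecting for rule in pol.get("ingress", []))


if __name__ == "__main__":
    print("unauthenticated Service ports:", exposed_without_auth(SERVICE_AS_DEPLOYED, {8443}))
    for name, pod in [("other-ns pod", OTHER_POD), ("same-ns notebook", NOTEBOOK), ("dsp peer", DSP_PEER)]:
        print(f"{name} -> 8888 with policy: {ingress_allowed([POLICY], NAMESPACES, pod, DSP_SERVER, 8888)}"
              f", without policy: {ingress_allowed([], NAMESPACES, pod, DSP_SERVER, 8888)}")
```

Running it shows the two situations side by side: with no policy selecting the API server pod (the behaviour the reporter observed), any pod in any namespace reaches 8888; with the policy applied, only the labelled DSP peer in the DSPA's namespace does, while 8443 stays open to everyone. Removing 8888 and 8887 from the Service, as the expected behaviour asks, makes the Service audit clean but does not by itself block direct pod-IP access, so the NetworkPolicy is still needed.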
bump @strangiato ^
Migrated to Jira: https://issues.redhat.com/browse/RHOAIENG-1705