[Bug]: DSPA service endpoint is not secure

Question

[Bug]: DSPA service endpoint is not secure

Closed this issue 8 months ago · 3 comments

strangiato commented 9 months ago

Is there an existing issue for this?

I have searched the existing issues

Deploy type

ODH Dashboard UI

Version

RHODS 2.4

Environment

OCP 4.12

Current Behavior

When deploying a DSPA, port 8888 is open and accessible via the service to all other resources on the cluster without authentication.

Currently, port 8443 is secured by an oauth-proxy and forwards traffic to localhost:8888, but since port 8888 is exposed, the oauth-proxy can be bi-passed by any other resource that has access to communicate with the service.

Since port 8888 is exposed, another nefarious resource running on the cluster can ex-filtrate data from any DSPA on the cluster including data and artifacts.

Expected Behavior

Port 8888 and 8887 should not be exposed on the service and the only ports on the pod that should be accessible should be port 8443 which is secured with the oauth proxy.

Steps To Reproduce

Deploy a DSPA
Connect to the DSPA via ds-pipeline-pipelines-definition.my-project.svc:8888 from another pod running in any namespace on the cluster without a bearer token

Workaround (if any)

No response

Anything else

No response

Answer 1 · 2023-12-08T18:19:58.000Z

@strangiato there is a network policy in place that should be preventing this: https://github.com/opendatahub-io/data-science-pipelines-operator/blob/main/config/internal/common/policy.yaml.tmpl#L21 , only dsp pods should be able to access this port within the dspa's namespace

are you saying this is not working, and other pods/external traffic is able to access the dsp server endpoint?

Answer 2 · 2024-01-04T15:39:15.000Z

bump @strangiato ^

Answer 3 · 2024-01-11T17:34:14.000Z

Migrated to Jira: https://issues.redhat.com/browse/RHOAIENG-1705