Octavia should filter an Amphora image from a specific tenant
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
octavia | Fix Released | Low | Michael Johnson |
Bug Description
_extract_
sort by creation date and uses the newest one.
Side note: at the time of filing this bug, it does not sort properly due to bug 1618921, but when the fix for bug 1618921 gets merged, this will be the case.
For security reasons, _extract_
Currently, any non-admin tenant can tag an image with the 'amphora' tag and set it to public=True.
By doing that, Octavia will now use that newly added image starting from the next time a loadbalancer gets created for any tenant in that OpenStack setup.
Now, if, for example, the newly created image contains some pre-defined credentials and/or SSH keys so it is accessible via SSH, and if we take into account that each amphora is also connected to the lb-mgmt network, that exposes that mgmt network to unauthorized access.
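The selection problem described above, as an added example that is not Octavia's code: it contrasts "newest image carrying the tag" with the same lookup restricted to one trusted owner. The image records, the function names and the `trusted_owner_id` parameter are hypothetical, and the listing is constructed sample data, assuming creation-date sorting works as intended.

```python
from datetime import datetime

# Constructed sample image listing (not real Glance output).
IMAGES = [
    {"id": "img-operator-old", "owner": "service-tenant", "tags": ["amphora"],
     "visibility": "private", "created_at": "2016-08-01T10:00:00Z"},
    {"id": "img-operator-new", "owner": "service-tenant", "tags": ["amphora"],
     "visibility": "private", "created_at": "2016-08-20T10:00:00Z"},
    # Uploaded by an unrelated tenant, tagged 'amphora' and made public.
    {"id": "img-other-tenant", "owner": "tenant-b", "tags": ["amphora"],
     "visibility": "public", "created_at": "2016-09-01T10:00:00Z"},
    {"id": "img-unrelated", "owner": "service-tenant", "tags": ["cirros"],
     "visibility": "private", "created_at": "2016-09-05T10:00:00Z"},
]


def _created(image):
    """Parse the creation timestamp so images can be ordered by age."""
    return datetime.strptime(image["created_at"], "%Y-%m-%dT%H:%M:%SZ")


def newest_by_tag(images, tag):
    """Behaviour the report describes: newest tagged image, whoever owns it."""
    matches = [img for img in images if tag in img["tags"]]
    if not matches:
        raise LookupError("no image tagged %r" % tag)
    return max(matches, key=_created)["id"]


def newest_by_tag_and_owner(images, tag, trusted_owner_id):
    """Requested behaviour: only images owned by the trusted tenant qualify."""
    if not trusted_owner_id:
        # Fail closed: an unset owner must not fall back to tag-only matching.
        raise ValueError("trusted_owner_id must be set")
    matches = [img for img in images
               if tag in img["tags"] and img["owner"] == trusted_owner_id]
    if not matches:
        raise LookupError("no image tagged %r owned by %r"
                          % (tag, trusted_owner_id))
    return max(matches, key=_created)["id"]


if __name__ == "__main__":
    print("tag only:     ", newest_by_tag(IMAGES, "amphora"))
    print("tag and owner:", newest_by_tag_and_owner(IMAGES, "amphora",
                                                    "service-tenant"))
```

The owner comparison uses the image's owner field rather than its visibility, so a public image from another tenant is excluded even though it is readable by everyone.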
summary: Octavia should select an Amphora image from a specific tenant → Octavia should filter an Amphora image from a specific tenant
affects: octavia → neutron
information type: Private Security → Public Security
affects: neutron → octavia
tags: removed: lbaas
Changed in octavia:
status: Triaged → In Progress
Currently marked neutron because no one could see it when it was octavia. Leaving neutron until we get Launchpad sorted out.