OCPBUGS-87109: Scope minted AWS IAM policies to cluster-owned resources#1047
Conversation
Add an implicit StringEquals condition to every Allow statement in minted IAM user policies, requiring the standard kubernetes.io/cluster infraName tag (with a value of "owned"). This restricts minted credentials to resources tagged as belonging to the cluster, reducing the blast radius if credentials are compromised (CVE-2026-10843). The CVE advisory suggests tightening Resource ARNs from "*" to specific ARNs, but this isn't feasible: CredentialsRequest manifests are authored before cluster infrastructure exists, so resource ARNs for specific clusters are not known when the CR is authored. Not all AWS actions support the aws:ResourceTag condition. Actions that create new resources fail (because the resource doesn't exist yet). Describe and List actions lack resource-level permissions. Some services don't support it at all. However, within the payload, the list is both finite and rarely changed. As such, we can easily classify the entire list into supported/incompatible categories. Unrecognized actions produce an error state, with directions pointing the developer to update the classification list in the CCO. The condition is not applied to Deny statements (this would actually narrow and weaken the policy), nor is it applied to the auto-generated iam:GetUser self-lookup statement, which is already scoped to just the own user's ARN. Co-authored-by: Cursor <cursoragent@cursor.com>
|
@amitesh1201: This pull request references Jira Issue OCPBUGS-87109, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
Important Review skippedAuto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Repository: openshift/coderabbit/.coderabbit.yaml Review profile: CHILL Plan: Enterprise Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## release-4.20 #1047 +/- ##
================================================
+ Coverage 46.79% 47.05% +0.26%
================================================
Files 97 97
Lines 12005 12053 +48
================================================
+ Hits 5618 5672 +54
+ Misses 5769 5762 -7
- Partials 618 619 +1
🚀 New features to boost your workflow:
|
|
/test e2e-aws-qe |
|
/jira refresh |
|
@amitesh1201: This pull request references Jira Issue OCPBUGS-87109, which is invalid:
Comment DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/override ci/prow/security |
|
/approve |
|
/label backport-risk-assessed |
|
@dlom: Overrode contexts on behalf of dlom: ci/prow/security DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
@amitesh1201: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: amitesh1201, dlom The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/payload 4.20 nightly blocking |
|
@dlom: trigger 11 job(s) of type blocking for the nightly release of OCP 4.20
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/6ed6fb10-758c-11f1-84ed-7d7f6e54a37a-0 |
|
/verified by ci |
|
@racheljpg: This PR has been marked as verified by DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/jira refresh |
|
@amitesh1201: This pull request references Jira Issue OCPBUGS-87109, which is invalid:
Comment DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/jira refresh |
|
@amitesh1201: This pull request references Jira Issue OCPBUGS-87109, which is valid. The bug has been moved to the POST state. 7 validation(s) were run on this bug
No GitHub users were found matching the public email listed for the QA contact in Jira (ocp-sustaining-admins@redhat.com), skipping review request. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
e081490
into
openshift:release-4.20
|
@amitesh1201: Jira Issue Verification Checks: Jira Issue OCPBUGS-87109 Jira Issue OCPBUGS-87109 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload. 🕓 DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
xref: OCPBUGS-87109
Backport of #1043 from master to release-4.20 to fix CVE-2026-10843
Add an implicit
StringEqualscondition to everyAllowstatement in minted IAM user policies, requiring the standardkubernetes.io/clusterinfraNametag (with a value of"owned"). This restricts minted credentials to resources tagged as belonging to the cluster, reducing the blast radius if credentials are compromised (CVE-2026-10843).The CVE advisory suggests tightening
ResourceARNs from "*" to specific ARNs, but this isn't feasible:CredentialsRequestmanifests are authored before cluster infrastructure exists, so resource ARNs for specific clusters are not known when the CR is authored.Not all AWS actions support the
aws:ResourceTagcondition. Actions that create new resources fail (because the resource doesn't exist yet). Describe and List actions lack resource-level permissions. Some services don't support it at all. However, within the payload, the list is both finite and rarely changed. As such, we can easily classify the entire list into supported/incompatible categories. Unrecognized actions produce an error state, with directions pointing the developer to update the classification list in the CCO.The condition is not applied to
Denystatements (this would actually narrow and weaken the policy), nor is it applied to the auto-generatediam:GetUserself-lookup statement, which is already scoped to just the own user's ARN.Backport Notes
tagUser(SDK v1 vs v2 type mismatch) — resolved by keepingaws-sdk-gov1 types (*iam.Tag,aws.String()) with the newccaws.InfraResourceTagValueconstantgo test ./pkg/aws/...hack/verify-action-maps.shadjusted to 4.20.0 nightly stream