Remote security groups grant access to any IP listed in allowed-address-pairs on port in Red Hat OpenStack Platform
Issue
Remote security groups grant access to any IP listed in allowed-address-pairs on port in Red Hat OpenStack Platform
Diagram
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 compute-1                                                         compute-0
                                                                +---------------------+
 +--------------+       XXXX        +------------+              |   +----------+      |
 |  JUMPSERVER  +----XX Network XX--+   ROUTER   +--------------+---+    VM    |      |
 +--------------+       XXXX        +------------+              |   +----------+      |
 192.168.0.203/24         10.0.0.11/24    172.16.0.12/24        |   172.16.0.13/24    |
                                  security group: default       +---------------------+
                                                                 security group: allow any
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Setup
- ROUTER is a router for VM
- ROUTER ports 10.0.0.11/24 and 172.16.0.12/24 both have allowed-address-pairs set so that traffic can be routed between 192.168.0.0/24 and 172.16.0.0/24
- ROUTER ports 10.0.0.11/24 and 172.16.0.12/24 both use the default security group
- VM uses the allow-any security group
- the default security group is configured to allow tcp/any from the remote security group default
+--------------------------------------+----------------+-----------+-----------+---------------+------------------------+
| id | security_group | direction | ethertype | protocol/port | remote |
+--------------------------------------+----------------+-----------+-----------+---------------+------------------------+
| 9be0a25e-32c0-4926-a63c-zzyyxxwwvvuu | default | ingress | IPv4 | 1-65535/tcp | default (group) |
+--------------------------------------+----------------+-----------+-----------+---------------+------------------------+
Observation
- JUMPSERVER (192.168.0.203/24) can reach TCP/22 on VM (172.16.0.13/24), and also on the ROUTER port 10.0.0.11/24
- this only happens when the remote security group feature is used; the current workaround is to use normal security group rules (CIDR-based, without referencing a remote security group)
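As an added illustration, not part of the Red Hat article, the following Python script models how a rule whose remote is a security group is expanded: every fixed IP and every allowed-address-pair of every port that belongs to that group becomes a matched source address. The port inventory is constructed to mirror the setup above; the JUMPSERVER's own security group name (other) and the port names are assumptions.

```python
import ipaddress

# Constructed port inventory mirroring the setup in this article.
# Assumption: the jump server sits in another network and is not in "default".
PORTS = [
    {"name": "router-10.0.0.11", "security_groups": ["default"],
     "fixed_ips": ["10.0.0.11"],
     "allowed_address_pairs": ["192.168.0.0/24", "172.16.0.0/24"]},
    {"name": "router-172.16.0.12", "security_groups": ["default"],
     "fixed_ips": ["172.16.0.12"],
     "allowed_address_pairs": ["192.168.0.0/24", "172.16.0.0/24"]},
    {"name": "vm", "security_groups": ["allow-any"],
     "fixed_ips": ["172.16.0.13"], "allowed_address_pairs": []},
    {"name": "jumpserver", "security_groups": ["other"],
     "fixed_ips": ["192.168.0.203"], "allowed_address_pairs": []},
]


def remote_group_sources(ports, group):
    """Networks that a 'remote = group' rule matches, tagged with their origin.

    Models the behaviour described in the article: fixed IPs *and*
    allowed-address-pairs of every port in `group` count as member addresses.
    """
    sources = {}
    for port in ports:
        if group not in port["security_groups"]:
            continue
        for ip in port["fixed_ips"]:
            sources[ipaddress.ip_network(ip)] = (port["name"], "fixed_ip")
        for cidr in port["allowed_address_pairs"]:
            net = ipaddress.ip_network(cidr, strict=False)
            sources[net] = (port["name"], "allowed_address_pair")
    return sources


def is_allowed(ports, group, src_ip):
    """Matches (network, origin) that let src_ip through a remote-group rule."""
    addr = ipaddress.ip_address(src_ip)
    return [(net, origin) for net, origin in remote_group_sources(ports, group).items()
            if addr in net]


def audit_allowed_address_pairs(ports, group):
    """Ranges that enter `group` solely because of allowed-address-pairs."""
    return sorted(str(net) for net, (_, kind) in remote_group_sources(ports, group).items()
                  if kind == "allowed_address_pair")
```

Running `audit_allowed_address_pairs(PORTS, "default")` shows that the whole 192.168.0.0/24 range is treated as a member of the default group, which is why 192.168.0.203 is matched although no port in that group actually carries that address.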
Environment
Red Hat OpenStack Platform 8
Red Hat OpenStack Platform 9
Red Hat OpenStack Platform 10