** Information type changed from Private Security to Public Security

** Project changed: neutron => octavia

** Tags removed: lbaas

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1620629

Title:
  Octavia should filter an Amphora image from a specific tenant

Status in octavia:
  Triaged

Bug description:
  _extract_amp_image_id_by_tag[1] lists all images with the 'amphora' tag
  (or any other tag pre-defined in octavia.conf), sorts by creation date
  and uses the newest one.

  Side note: at the time of filing this bug, it does not sort properly
  due to bug 1618921, but when the fix for bug 1618921 gets merged, this
  will be the case.

  For security reasons, _extract_amp_image_id_by_tag should also filter
  the images and use images owned by a pre-defined tenant.

  Currently, any non-admin tenant can tag an image with the 'amphora' tag
  and set it to public=True. By doing that, Octavia will now use that
  newly added image starting from the next time a loadbalancer gets
  created for any tenant in that OpenStack setup.

  Now, if for example the newly created image contains some pre-defined
  credentials and/or SSH keys so it is accessible via SSH, and if we take
  into account that each amphora is also connected to the lb-mgmt
  network, that is exposing that mgmt network to unauthorized access.

  [1] https://github.com/openstack/octavia/blob/08570831754d9671fbd1756d668f55f191e47ca4/octavia/compute/drivers/nova_driver.py#L35
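
An added example, not Octavia's code and not part of the original bug report: it contrasts the tag-only selection the description reports with the owner-filtered selection it asks for. The image records, the project IDs and the function names are constructed for illustration.

```python
from datetime import datetime

# Constructed Glance-style image records (not real data).
OPERATOR_PROJECT = "operator-project-id"  # hypothetical trusted image owner
IMAGES = [
    {"id": "img-operator-old", "owner": OPERATOR_PROJECT, "tags": ["amphora"],
     "visibility": "private", "created_at": "2016-08-01T10:00:00Z"},
    {"id": "img-operator-new", "owner": OPERATOR_PROJECT, "tags": ["amphora"],
     "visibility": "private", "created_at": "2016-08-20T10:00:00Z"},
    # A different tenant tagged its own public image; it is the newest one.
    {"id": "img-other-tenant", "owner": "tenant-b-id", "tags": ["amphora"],
     "visibility": "public", "created_at": "2016-09-05T10:00:00Z"},
    {"id": "img-untagged", "owner": OPERATOR_PROJECT, "tags": [],
     "visibility": "private", "created_at": "2016-09-06T10:00:00Z"},
]


class NoTrustedImage(Exception):
    """No image carries the tag and belongs to the required owner."""


def _created(image):
    # Parse the timestamp so ordering is by time, not by string comparison.
    return datetime.strptime(image["created_at"], "%Y-%m-%dT%H:%M:%SZ")


def newest_by_tag(images, tag):
    """Tag-only selection as the bug describes it: newest tagged image wins."""
    tagged = [i for i in images if tag in i["tags"]]
    if not tagged:
        raise NoTrustedImage("no image tagged %r" % tag)
    return max(tagged, key=_created)["id"]


def newest_by_tag_and_owner(images, tag, owner_id):
    """Requested selection: tag match AND owned by the pre-defined tenant."""
    if not owner_id:
        raise ValueError("an image owner must be configured")
    trusted = [i for i in images
               if tag in i["tags"] and i["owner"] == owner_id]
    if not trusted:
        # Fail closed: never fall back to an image from another owner.
        raise NoTrustedImage("no %r image owned by %s" % (tag, owner_id))
    return max(trusted, key=_created)["id"]
```

With the owner filter in place, a load balancer build fails when no trusted image exists instead of silently booting another tenant's image on the lb-mgmt network.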