CVE-2021-20288 - ceph-csi is using insecure global_id reclaim

[dredwilliams]

Describe the bug

Whey trying to deploy ceph-csi to use a recently upgraded ceph cluster, the provisioner (RBD, in my case) cannot connect to the ceph cluster -- logs say "permission denied", but in digging in the ceph logs, it trips on the global_id reclaim issue mentioned in the subject CVE:

https://docs.ceph.com/en/latest/security/CVE-2021-20288/

With the ceph cluster properly secured to prevent insecure global_id reuse, ceph-csi cannot connect. When I disabled the protection in the cluster (using the information at the bottom of the above web page), PVCs were appropriately processed and PVs allocated.

Environment details

My Ceph cluster is currently sitting at v16.2.3, but it also occurred when it was at v15.2.11.

I was using the canary image of ceph-csi, then backed down to v3.3.0 in case it was a recent development issue. I'm installing from manifests (no helm charts).

My Kubernetes clusters:

• 1.21.0 (raw upstream)
• 1.20.6 (k3s)

Steps to reproduce

Secure ceph cluster according to instructions in the CVE

Deploy manifests as described in documentation

• configmap properly points to ceph cluster mons
• moved entire deployment to its own namespace

Deploy StorageClass using standard manifest

• namespaces updated to reflect deployment
• ceph cluster ID provided

Deploy sample PVC from distribution

• PVC remains in pending state

Actual results

logs from csi-rbd-provisioner module show repeated retries, all of which result in "rados permission denied" errors

logs from ceph mon show this whenever the provisioner tries to connect:

cephx server client.admin: attempt to reclaim global_id xxxxxx without presenting ticket
cephx server client.admin: could not verify old ticket

The reference to "global_id" recalled the CVE and the ceph config change I had to make to get the warnings to be quiet (i.e. prevent insecure global_id reuse). When I reverted the config back to the insecure state, the PVC was immediately resolved and the PV created.

Expected behavior

ceph-csi properly reclaims global_id so that I can properly secure my ceph cluster.

Logs

Log snippets included above

[Rakshith-R]

Hey @dredwilliams ,Please upgrade to Cephcsi v3.3.1 https://github.com/ceph/ceph-csi/releases/tag/v3.3.1 and check rook/rook#7746 (comment) on how to fix this issue.

[humblec]

Hey @dredwilliams ,Please upgrade to Cephcsi v3.3.1 https://github.com/ceph/ceph-csi/releases/tag/v3.3.1 and check rook/rook#7746 (comment) on how to fix this issue.

Yep and if you are on 3.2.x upgrade to Ceph CSI v3.2.2 Release https://github.com/ceph/ceph-csi/releases/tag/v3.2.2

[nixpanic]

This is a duplicate of #1995

[dredwilliams]

That took care of it -- thanks for the help!