mongodb-enterprise-kubernetes

MongoDB Enterprise Kubernetes Operator

OTHER License

mongodb-enterprise-kubernetes - MongoDB Enterprise Kubernetes Operator 1.4.5

Published by rodrigovalin over 4 years ago

MongoDB Resource Security Fixes

Fixes CVE-2020-7922: Kubernetes Operator generates potentially insecure certificates

CVE description:
X.509 certificates generated by the MongoDB Enterprise Kubernetes Operator may allow an attacker with access to the Kubernetes cluster improper access to MongoDB instances. Customers who do not use X.509 authentication, and those who do not use the Operator to generate their X.509 certificates are unaffected.

Common Weakness Enumeration:
CWE-295: Improper Certificate Validation
CVSS score: 6.4
CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Affected versions:

  • 1.0, 1.1
  • 1.2.0 - 1.2.4
  • 1.3.0 - 1.3.1
  • 1.4.0 - 1.4.4

Fixed Versions:

  • 1.4.5
  • 1.2.5

mongodb-enterprise-kubernetes - MongoDB Enterprise Kubernetes Operator 1.2.5

Published by chatton over 4 years ago

MongoDB Resource Security Fixes

Fixes CVE-2020-7922: Kubernetes Operator generates potentially insecure certificates

CVE description:
X.509 certificates generated by the MongoDB Enterprise Kubernetes Operator may allow an attacker with access to the Kubernetes cluster improper access to MongoDB instances. Customers who do not use X.509 authentication, and those who do not use the Operator to generate their X.509 certificates are unaffected.

Common Weakness Enumeration:
CWE-295: Improper Certificate Validation
CVSS score: 6.4
CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Affected versions:

  • 1.0, 1.1
  • 1.2.0 - 1.2.4
  • 1.3.0 - 1.3.1
  • 1.4.0 - 1.4.4

Fixed Versions:

  • 1.4.5
  • 1.2.5

mongodb-enterprise-kubernetes - MongoDB Enterprise Kubernetes Operator 1.4.4

Published by rodrigovalin over 4 years ago

MongoDB Resource Changes

  • Supports changes in the Cloud Manager API.

Ops Manager Resource Changes (Beta Release)

  • Properly terminates resources with a termination hook.
  • Implements stricter validations.

Bug Fixes

  • Fixes an issue when working with Ops Manager with custom HTTPS certificates.

mongodb-enterprise-kubernetes - MongoDB Enterprise Kubernetes Operator 1.4.3

Published by antonlisovenko over 4 years ago

Kubernetes Operator Changes

  • Added webhook to validate Kubernetes Operator configuration.

MongoDB Resource Changes

  • Adds support for sidecars for MongoDB Kubernetes resource pods using the spec.podSpec.podTemplate setting.
  • Allows users to change the pod SecurityContext to allow privileged sidecar containers.

Ops Manager Resource Changes (Beta Release)

  • Adds the spec.podSpec configuration settings for Ops Manager, the Backup Daemon, and the Application Database.
  • Ops Manager image for version 4.2.8 is available.

Bug Fixes

MongoDB resources:

  • Fixes potential race conditions when deleting MongoDB Kubernetes resources.

Ops Manager resources:

  • Supports the spec.clusterDomain setting for Ops Manager and Application Database resources.
  • No longer starts monitoring and backup processes for the Application Database.

mongodb-enterprise-kubernetes - MongoDB Enterprise Kubernetes Operator 1.4.2

Published by antonlisovenko over 4 years ago

MongoDB Resource Changes

  • Runs MongoDB database Kubernetes pods under a dedicated Kubernetes service account: mongodb-enterprise-database-pods.
  • Adds the spec.podSpec.podTemplate setting, which allows you to apply templates to Kubernetes pods that the Kubernetes Operator generates for each database StatefulSet.
  • Renames the spec.clusterName setting to spec.clusterDomain.

Ops Manager Resource Changes (Beta Release)

  • Adds offline mode support for the application database. Bundles MongoDB Enterprise version 4.2.2 with the application database image. Internet access is not required to install the application database if spec.applicationDatabase.version is set to 4.2.2-ent or omitted.
  • Renames the spec.clusterName setting to spec.clusterDomain.
  • Ops Manager images for versions 4.2.6 and 4.2.7 are available.

Bug Fixes

MongoDB resources:

  • Fixes the order of sharded cluster component creation.
  • Allows TLS to be enabled on Amazon EKS.

Ops Manager resources:

  • Enables the Kubernetes Operator to use the spec.clusterDomain setting.

mongodb-enterprise-kubernetes - MongoDB Enterprise Kubernetes Operator 1.4.1

Published by rodrigovalin almost 5 years ago

CVE fixes

Bug fixes

  • Fixed a bug in Ops Manager Custom Resource which prevented running MongoDB backup for 3.6 and 4.0 versions
     
mongodb-enterprise-kubernetes - MongoDB Enterprise Kubernetes Operator 1.4.0

Published by rodrigovalin almost 5 years ago

New Features

MongoDB Resource Changes

  • Split horizon DNS support for MongoDB replica sets has been added, allowing clients to connect to the replica set from outside of the Kubernetes cluster.
  • Operator generated certificates can be requested with additional certificate domains, making them valid for the specified subdomains.

Ops Manager Resource Changes

  • MongoDBOpsManager has been promoted to beta! Ops Manager version 4.2.4 is available.
  • Backup and restore can be enabled in Operator-deployed Ops Manager instances. This is a semi-automated process that will deploy everything you need to enable backups in Ops Manager. Backup should be enabled by setting the spec.backup.enabled attribute on the Ops Manager custom resource. The Head DB, Oplog Store and S3 Snapshot Store can be configured using MongoDBOpsManager specification.
  • Ops Manager can be accessed from outside the Kubernetes cluster by setting the spec.externalConnectivity property.
  • Ops Manager's AppDB (the MongoDB database that Ops Manager runs on) has SCRAM-SHA1 authentication enabled by default.
  • Support for Openshift (Red Hat UBI Images) has been added.

Please see the sample YAML files in the samples directory for more information on how to enable new features.

Bug fixes

  • Overall stability of X509 user management has been improved.

mongodb-enterprise-kubernetes - MongoDB Enterprise Kubernetes Operator 1.3.1

Published by antonlisovenko almost 5 years ago

MongoDB Resource Changes

  • Important! Requires one MongoDB resource per Ops Manager project. If you have more than one MongoDB resource in a project, all resources will change to a Pending status and the Kubernetes Operator won’t perform any changes on them. The existing MongoDB databases will still be accessible. You must migrate to one resource per project.
  • Supports SCRAM-SHA authentication mode. See the MongoDB Enterprise Kubernetes Operator GitHub repository for examples.
  • Requires that the project (ConfigMap) and credentials (secret) referenced from a MongoDB resource be in the same namespace.
  • Adds OpenShift installation files (YAML file and Helm chart configuration).

Ops Manager Resource Changes (Alpha Release)

  • Supports highly available Ops Manager resources by introducing the spec.replicas setting.
  • Runs pods as a non-root user.

mongodb-enterprise-kubernetes - MongoDB Enterprise Kubernetes Operator 1.3.0

Published by BenElgar almost 5 years ago

Important: This release introduces significant changes that may not be compatible with previous deployments or resource configurations. Read https://docs.mongodb.com/kubernetes-operator/stable/tutorial/migrate-to-single-resource/ before installing or upgrading the Kubernetes Operator.

Specification Schema Changes

  • Moves to a one cluster per project configuration. This follows the warnings introduced in a previous version of the operator. The operator now requires each cluster to be contained within a new project.
  • Authentication settings are now contained within the security section of the MongoDB resource specification rather than the project ConfigMap.
  • Replaces the project field with the spec.opsManager.configMapRef.name or spec.cloudManager.configMapRef.name fields.
  • User resources now refer to MongoDB resources rather than project ConfigMaps.
  • No longer requires data.projectName in the project ConfigMap. The name of the project defaults to the name of the MongoDB resource in Kubernetes.

Ops Manager Resource Changes

This release introduces significant changes to the Ops Manager resource’s architecture. The Ops Manager application database is now managed by the Kubernetes Operator, not by Ops Manager.

Bug Fixes

  • Stops unnecessary recreation of NodePorts.
  • Fixes logging so it’s always in JSON format.
  • Sets USER in the Kubernetes Operator Docker image.

mongodb-enterprise-kubernetes - MongoDB Enterprise Kubernetes Operator 1.2.4

Published by chatton about 5 years ago

  • Increased stability of X509 enabled Sharded Cluster deployments.
  • Internal testing infrastructure improvements.

mongodb-enterprise-kubernetes - MongoDB Enterprise Kubernetes Operator 1.2.3

Published by rodrigovalin about 5 years ago

  • Update: The MongoDB Enterprise Kubernetes Operator will remove support for multiple clusters per project in a future release. If a project contains more than one cluster, a warning will be added to the status of the MongoDB Resources. Additionally, any new cluster being added to a non-empty project will result in a Failed state, and won’t be processed.
  • Fix: The overall stability of the operator has been improved. The operator is now more conservative in resource updates both on Kubernetes and Cloud Manager or Ops Manager.

mongodb-enterprise-kubernetes - MongoDB Enterprise Kubernetes Operator 1.2.2

Published by LouisPlisso about 5 years ago

  • Security Fix: Clusters configured by Operator versions 1.0-1.2.1 used an insufficiently-strong keyfile for internal cluster authentication between mongoDs. This only affects clusters which are using x509 for user-authentication, but are not using x509 for internal cluster authentication. Users are advised to upgrade to 1.2.2, which will replace all managed keyfiles.

  • Security Fix: Clusters configured by Operator versions 1.0-1.2.1 used an insufficiently-strong password to authenticate the MongoDB Agent. This only affects clusters which have been manually configured to enable SCRAM-SHA1, which is not a supported configuration. Users are advised to upgrade to 1.2.2, which will reset these passwords.

mongodb-enterprise-kubernetes - MongoDB Enterprise Kubernetes Operator 1.2.1

Published by chatton about 5 years ago

  • Fixed bug which caused the Operator to incorrectly generate CSRs for agent x509 certificates when approved CSRs have been deleted

  • If the OPERATOR_ENV environment variable is set to something unrecognized by the Operator, it will no longer result in a "CrashLoopBackOff" of the pod. A default value of "prod" is used.

  • The Operator now supports more than 100 agents in a given project

mongodb-enterprise-kubernetes - MongoDB Enterprise Kubernetes Operator 1.2

Published by rodrigovalin about 5 years ago

  • A new Resource, MongoDBOpsManager has been added to allow Ops Manager 4.2 to be deployed into your Kubernetes cluster. This feature is in alpha stage.
  • A Readiness Probe has been added to the MongoDB Pods to make rolling upgrades more reliable.

mongodb-enterprise-kubernetes - MongoDB Enterprise Kubernetes Operator 1.1

Published by rodrigovalin about 5 years ago

  • Fixed sample yaml files, in particular, the attribute related to featureCompatibilityVersion
  • Fixed a bug that did not allow TLS to be disabled in a deployment
  • Added a script (under the "support" directory) that can be used to gather information about your MongoDB resources in Kubernetes
  • In a TLS environment, the operator can now use a custom Certificate Authority. All the certificates need to be passed in the form of Secret Kubernetes objects

mongodb-enterprise-kubernetes - MongoDB Enterprise Kubernetes Operator 1.0

Published by rodrigovalin over 5 years ago

The MongoDB Enterprise Kubernetes Operator is now Generally Available and is ready to be used in production environments

Supported Kubernetes Distributions:

  • Kubernetes v1.11+

If you have any questions regarding this release, reach out to us in the #enterprise-kubernetes Slack channel.

The MongoDB Enterprise Kubernetes Operator can be used to provision any kind of MongoDB deployment in the Kubernetes Cluster of your organization:

The Operator can automatically configure TLS on the MongoDB deployments and have all traffic encrypted, with servers and clients being able to verify each other’s identities.

It can manage MongoDB Users as well, enabling connections to your databases using x509 authentication.

Documentation on how to install and configure the Operator can be found here.

mongodb-enterprise-kubernetes - MongoDB Enterprise Kubernetes Operator 0.12

Published by rodrigovalin over 5 years ago

  • Rolling upgrade of MongoDB resource ensures that rs.stepDown() is called for primary member (requires MongoDB version >= 4.0.8 or 4.1.10)
  • During a MongoDB Major update, the featureCompatibilityVersion field can be set
  • Fixed a bug where replicas with more than 7 members could not be created
  • x509 Authentication can be enabled at a Project level. Requires Ops Manager >= 4.0.11 or Cloud Manager
  • Internal Cluster Authentication based on x509 can be enabled at a Deployment level
  • MongoDB Users with x509 authentication can be created, using the new MongoDBUser Custom Resource

mongodb-enterprise-kubernetes - MongoDB Enterprise Kubernetes Operator 0.11

Published by rodrigovalin over 5 years ago

  • NodePort service creation can be disabled.
  • TLS can be enabled for internal authentication between the MongoDB members in Replica Sets and Sharded Clusters. The TLS certificates will be created automatically by the Operator. Please refer to the sample yaml files in the samples/extended directory for a full set of examples on how to achieve this.
  • Wide (or asterisk) roles have been replaced with strict listing of verbs in roles.yaml
  • Printing mdb objects with kubectl will give more information about the MongoDB object (type, state and MongoDB Server version)

Docker Images
A list of the packages installed, and any security vulnerabilities detected in our build process, are outlined here

mongodb-enterprise-kubernetes - MongoDB Enterprise Kubernetes Operator 0.10

Published by chatton over 5 years ago

  • The Operator and Database images are now based on ubuntu:16.04
  • The Operator now uses a single CustomResourceDefinition MongoDB instead of MongoDbReplicaSet, MongoDbShardedCluster and MongoDbStandalone
    • It's important to follow the upgrade procedure described here to transfer existing MongoDbReplicaSet, MongoDbShardedCluster and MongoDbStandalone resources to the new format

A list of the packages installed, and any security vulnerabilities detected in our build process, are outlined here:

mongodb-enterprise-kubernetes - MongoDB Enterprise Kubernetes Operator 0.9

Published by rodrigovalin over 5 years ago

  • The Operator and Database images are now based on debian:stretch-slim which is the latest and up-to-date Docker image for Debian 9.