From 03892097fc46ef2499ac996aef9850efda03bee0 Mon Sep 17 00:00:00 2001
From: mrobson
Date: Mon, 11 May 2020 12:14:11 -0400
Subject: [PATCH] Set session scanning to manual to avoid discovering all iSCSI devices during login Move session scanning to before if !b.chapSession
---
 pkg/volume/iscsi/iscsi_util.go | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/pkg/volume/iscsi/iscsi_util.go b/pkg/volume/iscsi/iscsi_util.go
index ec9bdda8791..2e7a439d3ae 100644
--- a/pkg/volume/iscsi/iscsi_util.go
+++ b/pkg/volume/iscsi/iscsi_util.go
@@ -107,11 +107,18 @@ func updateISCSIDiscoverydb(b iscsiDiskMounter, tp string) error {
 }

 func updateISCSINode(b iscsiDiskMounter, tp string) error {
+ // setting node.session.scan to manual to handle https://github.com/kubernetes/kubernetes/issues/90982
+ out, err := execWithLog(b, "iscsiadm", "-m", "node", "-p", tp, "-T", b.Iqn, "-I", b.Iface, "-o", "update", "-n", "node.session.scan", "-v", "manual")
+ if err != nil {
+ // don't fail if iscsiadm fails or the version does not support node.session.scan - log a warning to highlight the potential exposure
+ klog.Warningf("iscsi: failed to update node with node.session.scan=manual, possible exposure to issue 90982: %v", out)
+ }
+
 if !b.chapSession {
 return nil
 }

- out, err := execWithLog(b, "iscsiadm", "-m", "node", "-p", tp, "-T", b.Iqn, "-I", b.Iface, "-o", "update", "-n", "node.session.auth.authmethod", "-v", "CHAP")
+ out, err = execWithLog(b, "iscsiadm", "-m", "node", "-p", tp, "-T", b.Iqn, "-I", b.Iface, "-o", "update", "-n", "node.session.auth.authmethod", "-v", "CHAP")
 if err != nil {
 return fmt.Errorf("iscsi: failed to update node with CHAP, output: %v", out)
 }
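Review bot: The warning in the new `if err != nil` branch of `updateISCSINode` formats only `out` and drops `err`, so a failure that produces no command output is logged with an empty reason. Include both, and name the target, e.g. `klog.Warningf("iscsi: failed to update node with node.session.scan=manual for target %s on portal %s, possible exposure to issue 90982: %v, output: %v", b.Iqn, tp, err, out)`. This branch deliberately fails open, so the log line is the only signal that login on this node may still discover every device the target presents rather than just the requested one. It should therefore be specific enough to alert on. The function body continues past the end of the hunk, so whether the requested LUN is scanned explicitly after login cannot be confirmed from here.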