Document limitation in [Spike] Secure MCS Endpoint MCO-59

Michael Burke · Michael Burke · commit 255de05e2a0b · 2023-04-11T09:21:09.000-04:00
diff --git a/modules/installation-about-custom-azure-vnet.adoc b/modules/installation-about-custom-azure-vnet.adoc
@@ -99,10 +99,14 @@ The network security group rules must be in place before you install the cluster
 |
 |===
 
-[NOTE]
-====
-Since cluster components do not modify the user-provided network security groups, which the Kubernetes controllers update, a pseudo-network security group is created for the Kubernetes controller to modify without impacting the rest of the environment.
-====
+include::snippets/mcs-endpoint-limitation.adoc[]
+
+Because cluster components do not modify the user-provided network security groups, which the Kubernetes controllers update, a pseudo-network security group is created for the Kubernetes controller to modify without impacting the rest of the environment.
+
+.Additional resources
+
+* xref:../../networking/openshift_sdn/about-openshift-sdn.adoc#about-openshift-sdn[About the OpenShift SDN network plugin]
+
 
 [id="installation-about-custom-azure-permissions_{context}"]
 == Division of permissions
diff --git a/modules/machine-config-operator.adoc b/modules/machine-config-operator.adoc
@@ -18,6 +18,12 @@ There are four components:
 * `machine-config-daemon`: Applies new machine configuration during update. Validates and verifies the state of the machine to the requested machine configuration.
 * `machine-config`: Provides a complete source of machine configuration at installation, first start up, and updates for a machine.
 
+include::snippets/mcs-endpoint-limitation.adoc[]
+
+.Additional resources
+
+* xref:../networking/openshift_sdn/about-openshift-sdn.adoc#about-openshift-sdn[About the OpenShift SDN network plugin].
+
 [discrete]
 == Project
 
diff --git a/security/certificate_types_descriptions/machine-config-operator-certificates.adoc b/security/certificate_types_descriptions/machine-config-operator-certificates.adoc
@@ -10,6 +10,13 @@ toc::[]
 
 Machine Config Operator certificates are used to secure connections between the Red Hat Enterprise Linux CoreOS (RHCOS) nodes and the Machine Config Server.
 
+include::snippets/mcs-endpoint-limitation.adoc[]
+
+.Additional resources
+
+* xref:../../networking/openshift_sdn/about-openshift-sdn.adoc#about-openshift-sdn[About the OpenShift SDN network plugin].
+
+
 == Management
 
 These certificates are managed by the system and not the user.
diff --git a/snippets/mcs-endpoint-limitation.adoc b/snippets/mcs-endpoint-limitation.adoc
@@ -0,0 +1,14 @@
+// Text snippet included in the following modules:
+//
+// * modules/installation-about-custom-azure-vnet.adoc
+// * modules/machine-config-operator.adoc
+// * security/certificate_types_descriptions/machine-config-operator-certificates.adoc
+
+:_content-type: SNIPPET
+
+[IMPORTANT]
+====
+Currently, there is no supported way to block or restrict the machine config server endpoint. The machine config server must be exposed to the network so that newly-provisioned machines, which have no existing configuration or state, are able to fetch their configuration. In this model, the root of trust is the certificate signing requests (CSR) endpoint, which is where the kubelet sends its certificate signing request for approval to join the cluster. Because of this, machine configs should not be used to distribute sensitive information, such as secrets and certificates.
+
+To ensure that the machine config server endpoints, ports 22623 and 22624, are secured in bare metal scenarios, customers must configure proper network policies.
+====
