Story | Resolution: Unresolved | Minor
After CFE-81 we are able to clean data within YAML values.
MCO seems to URL-encode a lot of k8s resources and put them into rendered configs, for example:
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  annotations:
    machineconfiguration.openshift.io/generated-by-controller-version: d0db13627e8b48f7021cd4a44d964c55f15b65e1
  creationTimestamp: "2021-08-10T11:22:48Z"
  generation: 1
  name: rendered-worker-a38a4fb096204f755f1deb8d584b54e1
  ownerReferences:
  - apiVersion: machineconfiguration.openshift.io/v1
    blockOwnerDeletion: true
    controller: true
    kind: MachineConfigPool
    name: worker
    uid: b51a2373-4a11-4c24-81a7-439c799a9a82
  resourceVersion: "7011"
  uid: 192a3a71-c24e-4ee3-ab83-965386a3f947
spec:
  config:
    ignition:
      version: 3.2.0
    passwd:
      users:
      - name: core
        sshAuthorizedKeys:
        - |
          ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUq7W38xCZ9WGSWCvustaMGMT04tRohw6AKGzI7P7xql5lhCAReyt72n9qWQRZsE1YiCSQuTfXI1oc8NpSM7+lMLwj12G8z3I1YT31JHr9LLYg/XIcExkzfBI920CaS82VqmKOpI9+ARHSJBdIbKRI0f5Y+u4xbc5UzKCJX8jcKGG7nEiw8zm+cvAlfOgssMK+qJppIbVcb2iZNTsw5i2aX6FDMyC+b17DQHzBGpNbhZYxuoERZVRcnYctgIzuo6fD60gniX0fVvrchlOnubB1sRYbloP2r6UE22w/dpLKOFE5i7CA0ZzNBERZ94cIKumIH9MiJs1a6bMe89VOjjNV devenv
    storage:
      files:
      - contents:
          source: data:,kind%3A%20KubeletConfiguration%0AapiVersion%3A%20kubelet.config.k8s.io%2Fv1beta1%0Aauthentication%3A%0A%20%20x509%3A%0A%20%20%20%20clientCAFile%3A%20%2Fetc%2Fkubernetes%2Fkubelet-ca.crt%0A%20%20anonymous%3A%0A%20%20%20%20enabled%3A%20false%0AcgroupDriver%3A%20systemd%0AcgroupRoot%3A%20%2F%0AclusterDNS%3A%0A%20%20-%20172.30.0.10%0AclusterDomain%3A%20cluster.local%0AcontainerLogMaxSize%3A%2050Mi%0AmaxPods%3A%20250%0AkubeAPIQPS%3A%2050%0AkubeAPIBurst%3A%20100%0ArotateCertificates%3A%20true%0AserializeImagePulls%3A%20false%0AstaticPodPath%3A%20%2Fetc%2Fkubernetes%2Fmanifests%0AsystemCgroups%3A%20%2Fsystem.slice%0AsystemReserved%3A%0A%20%20ephemeral-storage%3A%201Gi%0AfeatureGates%3A%0A%20%20APIPriorityAndFairness%3A%20true%0A%20%20LegacyNodeRoleBehavior%3A%20false%0A%20%20NodeDisruptionExclusion%3A%20true%0A%20%20RotateKubeletServerCertificate%3A%20true%0A%20%20ServiceNodeExclusion%3A%20true%0A%20%20SupportPodPidsLimit%3A%20true%0A%20%20DownwardAPIHugePages%3A%20true%0AserverTLSBootstrap%3A%20true%0AtlsMinVersion%3A%20VersionTLS12%0AtlsCipherSuites%3A%0A%20%20-%20TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256%0A%20%20-%20TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256%0A%20%20-%20TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384%0A%20%20-%20TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384%0A%20%20-%20TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256%0A%20%20-%20TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256%0A
        mode: 420
        overwrite: true
        path: /etc/kubernetes/kubelet.conf
Those encoded values can themselves include IP addresses; the example above contains `172.30.0.10` (the `clusterDNS` entry), which the current cleaner does not see because it is percent-encoded.
In the AWS must-gather the same address can also be found in these files (grep output):
quay-io-openshift-release-dev-ocp-v4-0-art-dev-sha256-eede85cbd33388f7e18954e5ce8ad9616e91df05ace604966c0a44111d85c897/cluster-scoped-resources/machineconfiguration.openshift.io/machineconfigs/01-master-kubelet.yaml:172.30.0.10
quay-io-openshift-release-dev-ocp-v4-0-art-dev-sha256-eede85cbd33388f7e18954e5ce8ad9616e91df05ace604966c0a44111d85c897/cluster-scoped-resources/machineconfiguration.openshift.io/machineconfigs/01-worker-kubelet.yaml:172.30.0.10
quay-io-openshift-release-dev-ocp-v4-0-art-dev-sha256-eede85cbd33388f7e18954e5ce8ad9616e91df05ace604966c0a44111d85c897/cluster-scoped-resources/machineconfiguration.openshift.io/machineconfigs/rendered-master-0d06a491e6bf03c9d186eb0fd4d170ab.yaml:172.30.0.10
quay-io-openshift-release-dev-ocp-v4-0-art-dev-sha256-eede85cbd33388f7e18954e5ce8ad9616e91df05ace604966c0a44111d85c897/cluster-scoped-resources/machineconfiguration.openshift.io/machineconfigs/rendered-worker-99c838efd10a74f5dad4aed51982467c.yaml:172.30.0.10
AC:
- new obfuscation type based on the CFE-81 work
- detector and obfuscator for URL-encoded data in k8s YAML values (can be specific to the machineconfiguration.openshift.io/v1 MachineConfig kind)
- unit tests
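An added Go sketch (not the project's own code and not part of this ticket) of the detector/obfuscator the AC asks for: it finds `data:,` values in the rendered YAML, percent-decodes them, replaces IPv4 literals with a placeholder, and re-encodes them so the value stays a valid data URL. `ObfuscateIPs`, `CleanDataURLs`, the `xxx.xxx.xxx.NNN` placeholder scheme and the shortened `sampleYAML` fragment are all constructed here.

```go
package main
import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

var (
	// IPv4 literals inside the decoded text.
	ipv4Re = regexp.MustCompile(`\b(?:\d{1,3}\.){3}\d{1,3}\b`)
	// A "data:," value as MCO renders it into a MachineConfig file; runs to the next whitespace/quote.
	dataURLRe = regexp.MustCompile(`data:,[^\s"']*`)
)

// Constructed, shortened fragment of a rendered MachineConfig (see the ticket for the full shape).
const sampleYAML = `      - contents:
          source: data:,kind%3A%20KubeletConfiguration%0AclusterDNS%3A%0A%20%20-%20172.30.0.10%0A
        mode: 420
        path: /etc/kubernetes/kubelet.conf`

// ObfuscateIPs swaps each IPv4 literal for a placeholder; seen keeps the mapping
// so one address is replaced the same way in every file (hypothetical scheme).
func ObfuscateIPs(s string, seen map[string]string) string {
	return ipv4Re.ReplaceAllStringFunc(s, func(ip string) string {
		if _, ok := seen[ip]; !ok {
			seen[ip] = fmt.Sprintf("xxx.xxx.xxx.%03d", len(seen)+1)
		}
		return seen[ip]
	})
}

// CleanDataURLs percent-decodes every data:, value, obfuscates IPs in the decoded text
// and re-encodes it (url.PathEscape leaves ':' literal, still a valid data URL and plain
// YAML scalar). A value that fails to decode is kept and the first error is returned.
func CleanDataURLs(yamlText string, seen map[string]string) (string, error) {
	var firstErr error
	out := dataURLRe.ReplaceAllStringFunc(yamlText, func(m string) string {
		decoded, err := url.PathUnescape(strings.TrimPrefix(m, "data:,"))
		if err != nil {
			if firstErr == nil {
				firstErr = err
			}
			return m
		}
		return "data:," + url.PathEscape(ObfuscateIPs(decoded, seen))
	})
	return out, firstErr
}

func main() {
	fmt.Println(CleanDataURLs(sampleYAML, map[string]string{}))
}
```

The `seen` map is shared across files so the same address gets the same placeholder in the plain YAML files and inside the encoded kubelet config.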