Type: Story | Resolution: Unresolved | Priority: Minor
After CFE-81, we are able to detect multi-line certificates, for example in configmaps and secrets. They need to be obfuscated:
requestheader-client-ca-file: |
  -----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
There are also CA bundles that are harder to detect, because the PEM is itself base64-encoded in a single-line field, for example the caBundle of a MutatingWebhookConfiguration:
apiVersion: admissionregistration.obfuscated0038.ext/v1
kind: MutatingWebhookConfiguration
metadata:
  annotations:
    service.beta.obfuscated0037.ext/inject-cabundle: "true"
  creationTimestamp: "2021-08-03T09:19:30Z"
  generation: 2
  name: machine-api
  resourceVersion: "5946"
  uid: 948036d9-cd95-41f3-953f-16d9baecad6f
webhooks:
- admissionReviewVersions:
  - v1
  clientConfig:
    caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURVVENDQWptZ0F3SUJBZ0lJVGl1REdUdXRlV2d3RFFZSktvWklodmNOQVFFTEJRQXdOakUwTURJR0ExVUUKQXd3cmIzQmxibk5vYVdaMExYTmxjblpwWTJVdGMyVnlkbWx1WnkxemFXZHVaWEpBTVRZeU56azRNak16T1RBZQpGdzB5TVRBNE1ETXdPVEU0TlRsYUZ3MHlNekV3TURJd09URTVNREJhTURZeE5EQXlCZ05WQkFNTUsyOXdaVzV6CmFHbG1kQzF6WlhKMmFXTmxMWE5sY25acGJtY3RjMmxuYm1WeVFERTJNamM1T0RJek16a3dnZ0VpTUEwR0NTcUcKU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLQW9JQkFRQ2dUTWU2M054ekZ3TUdkNU12K2VpRDgxUjI4OHBkOXZPdQpWOGhNU3ZmTGFHT1FnZzc0ckZkamx4bmlTRDNjWUNuWXZmRDRaVXo4UEwrcTF0dUhUZ0Q5TXZ4MEkwcDdBWkRmCnYxRTNSZHM3eXVLN3Q4Mm1tVUFJU1NLU29ham01WnJMMGZPSzlIUU5LOC9hb2VHNU0xaDlrREtpTlFKdHliSFEKVjdhWk41T1N2cmNoZnhLcVJVVktQcVh5ZjhBQTd0NGZsM1NGNTJQcEM1Vnh4Q3IxUDRnbCt3dWNtdFRwMEZSdgpqUDlUSm1KUTNaZFJnZVQ3Znc1T0FhQmpxZ3UxRXJYNzBhTWVQVjdLZmdCdlc4QmltN1h6VzdVdXloMFB6RXRxCllpNmNLQzVoK012VUM4WDlaZzc1Q004U1FnLzJlRmI2cnNkNndsN1lVWE9BYi8vR3NGdFBBZ01CQUFHall6QmgKTUE0R0ExVWREd0VCL3dRRUF3SUNwREFQQmdOVkhSTUJBZjhFQlRBREFRSC9NQjBHQTFVZERnUVdCQlN3cnFVNgpoZDZSTFE2NDdyM1E4Wk1JZlFib0ZEQWZCZ05WSFNNRUdEQVdnQlN3cnFVNmhkNlJMUTY0N3IzUThaTUlmUWJvCkZEQU5CZ2txaGtpRzl3MEJBUXNGQUFPQ0FRRUFCTDAyejZmdHZDcEFDTmdUYStqZnMvV1BPOWIwZ2Q3WFN5RisKcG4yajFBYk9CR01leDI3MmFManMzdCtmcU9tK1k4bmZOcFg1S1NkUFJpUWlDWkZ5a1pzbFhiVUJ5NHZML0JjSQpGK3MxT3haSmRjUE85dnhEMGRwWFlyMEhpOEhCQ2xOVFJzK1VsWUFYeTk0U2h5eXY3cW5ERzJndlN5eXhXR1BkClZMZEdKdldwZGk3TzBlMTVYdnF6T0dCM2pLRWxZMW1YVkJscVFabmdPWVZ6a0RJK0w4TDVUaFBBeHFiT2QrZnMKZ2x3WklqV05Ma0RrUHU3VXhVY25pYTdkRFpYZlNSU2JrbmJNOUJOVXJTdUxjMVFjc0JwSUJ4SThpUi9tc1lZaQpSMktHTzBoWVgwR09nQ04zUjZoaGFONEJJaEtPSjFSd3gxTzhVT2dOSUpRd0tSaUtNdz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
    service:
      name: machine-api-operator-webhook
      namespace: openshift-machine-api
      path: /mutate-machine-openshift-io-v1beta1-machine
      port: 443
  failurePolicy: Ignore
  matchPolicy: Equivalent
  name: default.machine.machine.obfuscated0037.ext
  namespaceSelector: {}
  objectSelector: {}
  reinvocationPolicy: Never
  rules:
  - apiGroups:
    - machine.obfuscated0037.ext
    apiVersions:
    - v1beta1
    operations:
    - CREATE
    resources:
    - machines
    scope: '*'
  sideEffects: None
  timeoutSeconds: 10
and CSRs, where both spec.request and status.certificate hold base64-encoded PEM in a single-line field:
---
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  creationTimestamp: "2021-08-03T09:25:24Z"
  generateName: csr-
  name: csr-phwh8
  resourceVersion: "17029"
  uid: a448e758-1ba2-4c5c-9832-c1a949cd6949
spec:
  groups:
  - system:serviceaccounts
  - system:serviceaccounts:openshift-machine-config-operator
  - system:authenticated
  request: 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
  signerName: kubernetes.io/kube-apiserver-client-kubelet
  uid: 5a2ea421-7cdb-4fea-81c0-c2f6ec59676e
  usages:
  - digital signature
  - key encipherment
  - client auth
  username: system:serviceaccount:openshift-machine-config-operator:node-bootstrapper
status:
  certificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNoVENDQVcyZ0F3SUJBZ0lRYUtra0V1VEJXQkhtQlU0M09iWU9jVEFOQmdrcWhraUc5dzBCQVFzRkFEQW0KTVNRd0lnWURWUVFEREJ0cmRXSmxMV056Y2kxemFXZHVaWEpmUURFMk1qYzVPREl6TXpjd0hoY05NakV3T0RBegpNRGt5TURJMVdoY05NakV3T0RBME1Ea3dOekU1V2pCS01SVXdFd1lEVlFRS0V3eHplWE4wWlcwNmJtOWtaWE14Ck1UQXZCZ05WQkFNVEtITjVjM1JsYlRwdWIyUmxPbWx3TFRFd0xUQXRNalUwTFRJd05DNWxZekl1YVc1MFpYSnUKWVd3d1dUQVRCZ2NxaGtqT1BRSUJCZ2dxaGtqT1BRTUJCd05DQUFTSE9PMWlIOE1XOEZ0MVB0QmMwRkFVOEt6agovbmRVL2VlRCtlN3kwNld6aVRaT2NaRVJ1cGoyZHArSDZqdy9xK1hrVDIwQXVuOVQzNmhjajZsQ1VMSlBvMVl3ClZEQU9CZ05WSFE4QkFmOEVCQU1DQmFBd0V3WURWUjBsQkF3d0NnWUlLd1lCQlFVSEF3SXdEQVlEVlIwVEFRSC8KQkFJd0FEQWZCZ05WSFNNRUdEQVdnQlROTzlXQ01kUng3bU1iME13eUNRRi81dmZKUHpBTkJna3Foa2lHOXcwQgpBUXNGQUFPQ0FRRUFiZElhUEdNc0NmMnRIZzVzMFlOVkVkd3QzRTlIYkxuTWJUdnV3K0toVEs5L2JVUWMvd3RYClVsVlZqNUc0QzFNY3NYd2xNcGc0QUtwTCs5QjY0NkI5VXFKVlg5SUVqTFp0dGU2aHhUdUlraE5BeitXUWkzN2MKd0VDTmM3eUV6cWdKY3FLa1lzcHFLbG1Gbk9aOGt6WWFpdlBXZ1lVSGdFV3pEa0I2VEhETUhabEgzd2p0dXNOdwpqU21CWnByRngrcEhOa25kaG51RnZleUNKVFVqaTZ1cG5HS0JLL200cU92UzAxNzE1T0lRTEVqNGpMdXlZWVp0Cm9BN085c2xWUHVPRVFodG9vRzU2UWh6eVRTRWZpRWRQTzV2R00vN1NQM1FKMVI2SXhCQlJBZWJYUDcvS0dxMjAKTmRxaHF2NUUwMHJIbDdPQVZqbTFwc3FrWWRsSG1RZktEZz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
  conditions:
  - lastTransitionTime: "2021-08-03T09:25:25Z"
    lastUpdateTime: "2021-08-03T09:25:24Z"
    message: This CSR was approved by the Node CSR Approver
    reason: NodeCSRApprove
    status: "True"
    type: Approved
The obfuscation can simply omit the base64-encoded body between the BEGIN and END markers; the markers themselves can stay so the field is still recognisable as a certificate.
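A sketch of the detector and obfuscator described in this story, covering plain multi-line PEM (configmaps, secrets), cert chains, and the harder single-line base64-wrapped fields (caBundle, CSR status.certificate). This is added example code, not the project's own implementation; the function names and the two-certificate sample chain with dummy bodies are constructed for illustration.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

// One PEM certificate block. (?s) lets '.' span the multi-line base64 body and the
// lazy '.*?' stops at the first END marker, so a chain of several certificates is
// matched block by block rather than swallowed as one blob.
var pemCert = regexp.MustCompile(`(?s)-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----`)

// CountCertificates reports how many PEM certificates s contains (a chain gives > 1).
func CountCertificates(s string) int { return len(pemCert.FindAllStringIndex(s, -1)) }

// ObfuscatePEM keeps the BEGIN/END markers of every certificate in s and drops the
// base64 body between them, which is the obfuscation the story proposes.
func ObfuscatePEM(s string) string {
	return pemCert.ReplaceAllString(s, "-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----")
}

// ObfuscateValue handles plain PEM text as well as fields that hold base64-encoded
// PEM on a single line, such as caBundle or a CSR's status.certificate: those are
// decoded, obfuscated and re-encoded so the field remains valid base64. A value
// that is neither is returned unchanged.
func ObfuscateValue(v string) string {
	if pemCert.MatchString(v) {
		return ObfuscatePEM(v)
	}
	decoded, err := base64.StdEncoding.DecodeString(strings.TrimSpace(v))
	if err != nil || !pemCert.Match(decoded) {
		return v // not base64, or base64 of something that is not a certificate
	}
	return base64.StdEncoding.EncodeToString([]byte(ObfuscatePEM(string(decoded))))
}

func main() {
	// Constructed sample: a two-certificate chain with dummy bodies, not real certificates.
	chain := "-----BEGIN CERTIFICATE-----\nMIIBdummyOne\n-----END CERTIFICATE-----\n" +
		"-----BEGIN CERTIFICATE-----\nMIIBdummyTwo\n-----END CERTIFICATE-----\n"
	fmt.Printf("certificates in chain: %d\n", CountCertificates(chain))
	fmt.Println(ObfuscatePEM(chain))
	fmt.Println(ObfuscateValue(base64.StdEncoding.EncodeToString([]byte(chain))))
}
```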
AC:
- new type for obfuscation based on CFE-81 work
- detector and obfuscator for certificate data, including multiple certificates in cert chains
- unit testing