Story
Resolution: Unresolved
Minor
After CFE-81 we understand the k8s schema better, so we can detect and obfuscate things like ssh keys in machine configs:
---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  creationTimestamp: "2021-08-10T11:19:21Z"
  generation: 1
  labels:
    machineconfiguration.openshift.io/role: master
  name: 99-master-ssh
  resourceVersion: "1620"
  uid: ff10a6b3-474e-4d69-9275-6c38ae52b59e
spec:
  config:
    ignition:
      version: 3.2.0
    passwd:
      users:
      - name: core
        sshAuthorizedKeys:
        - |
          ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUq7W38xCZ9WGSWCvustaMGMT04tRohw6AKGzI7P7xql5lhCAReyt72n9qWQRZsE1YiCSQuTfXI1oc8NpSM7+lMLwj12G8z3I1YT31JHr9LLYg/XIcExkzfBI920CaS82VqmKOpI9+ARHSJBdIbKRI0f5Y+u4xbc5UzKCJX8jcKGG7nEiw8zm+cvAlfOgssMK+qJppIbVcb2iZNTsw5i2aX6FDMyC+b17DQHzBGpNbhZYxuoERZVRcnYctgIzuo6fD60gniX0fVvrchlOnubB1sRYbloP2r6UE22w/dpLKOFE5i7CA0ZzNBERZ94cIKumIH9MiJs1a6bMe89VOjjNV devenv
  extensions: null
  fips: false
  kernelArguments: null
  kernelType: ""
  osImageURL: ""
The same keys also turn up rendered into ConfigMaps, for example in the install-config stored in kube-system:
---
apiVersion: v1
items:
- apiVersion: v1
  data:
    status: complete
  kind: ConfigMap
  metadata:
    creationTimestamp: "2021-08-03T09:22:59Z"
    name: bootstrap
    namespace: kube-system
    resourceVersion: "14507"
    uid: 7a1c7c28-38f2-4854-9fb6-0bc234a8f80a
- apiVersion: v1
  data:
    install-config: |
      apiVersion: v1
      baseDomain: origin-ci-int-aws.dev.obfuscated0044.ext
      compute:
      - architecture: amd64
        hyperthreading: Enabled
        name: worker
        platform:
          aws:
            rootVolume:
              iops: 0
              size: 0
              type: ""
            type: m4.obfuscated0492
            zones:
            - us-east-1b
            - us-east-1c
        replicas: 3
      controlPlane:
        architecture: amd64
        hyperthreading: Enabled
        name: master
        platform:
          aws:
            rootVolume:
              iops: 0
              size: 0
              type: ""
            type: ""
            zones:
            - us-east-1b
            - us-east-1c
        replicas: 3
      metadata:
        creationTimestamp: null
        name: ci-ln-5ylibmb-d5d6b
      networking:
        clusterNetwork:
        - cidr: x-ipv4-000026-x/14
          hostPrefix: 23
        machineNetwork:
        - cidr: x-ipv4-000224-x/16
        networkType: OpenShiftSDN
        serviceNetwork:
        - x-ipv4-000027-x/16
      platform:
        aws:
          region: us-east-1
          userTags:
            expirationDate: 2021-08-03T13:07+00:00
      publish: External
      pullSecret: ""
      sshKey: |
        ssh-rsa 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
AC:
- both line-based and schematic obfuscation should support a new type "ssh key" that detects and obfuscates ssh public keys
- for static obfuscation it should be enough to omit the base64 key material; alternatively, consistent replacement can give each distinct key a name with an increasing id
- unit tests
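To make the two acceptance criteria concrete, here is an added example (written for this story, not code from the obfuscation tool itself) of a line-based and a schematic ssh key obfuscator in Go. The field names `sshAuthorizedKeys` and `sshKey` are assumed from the two resources quoted above, the placeholder format `x-ssh-key-NNNN-x` / `x-ssh-key-x` is an assumption modelled on the `x-ipv4-NNNNNN-x` style the IPs already use, and all key blobs in it are fakes. It also covers the case the story hints at: a key at the end of a YAML block scalar must not swallow the following line.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// sshKeyPattern matches an OpenSSH public key (key type, base64 blob, optional
// comment). Only horizontal whitespace is allowed between the parts, so a key
// ending a YAML block scalar never consumes the next line as its "comment".
var sshKeyPattern = regexp.MustCompile(
	`(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521))` +
		`[ \t]+([A-Za-z0-9+/]+={0,2})(?:[ \t]+[^ \t\r\n]+)?`)

// sshKeyFields are the field names (assumed from the quoted resources) that the
// schematic obfuscator treats as ssh key carriers.
var sshKeyFields = map[string]bool{
	"sshAuthorizedKeys": true, // ignition passwd.users[].sshAuthorizedKeys
	"sshKey":            true, // install-config sshKey
}

// SSHKeyObfuscator drops key material and comment of every public key.
// consistent=true: each distinct key gets a stable id (x-ssh-key-0001-x, ...),
// consistent=false: every key becomes the static placeholder x-ssh-key-x.
type SSHKeyObfuscator struct {
	consistent bool
	ids        map[string]int // base64 blob -> assigned id
}

func NewSSHKeyObfuscator(consistent bool) *SSHKeyObfuscator {
	return &SSHKeyObfuscator{consistent: consistent, ids: map[string]int{}}
}

// placeholder returns the replacement for one base64 key blob.
func (o *SSHKeyObfuscator) placeholder(blob string) string {
	if !o.consistent {
		return "x-ssh-key-x"
	}
	id, ok := o.ids[blob]
	if !ok {
		id = len(o.ids) + 1
		o.ids[blob] = id
	}
	return fmt.Sprintf("x-ssh-key-%04d-x", id)
}

// ObfuscateLine is the line-based variant: every key anywhere in the text is
// replaced, keeping only the key type.
func (o *SSHKeyObfuscator) ObfuscateLine(line string) string {
	return sshKeyPattern.ReplaceAllStringFunc(line, func(m string) string {
		sub := sshKeyPattern.FindStringSubmatch(m)
		return sub[1] + " " + o.placeholder(sub[2])
	})
}

// ObfuscateText applies the line-based variant to a whole document; this is
// what catches keys inside nested YAML strings such as data.install-config.
func (o *SSHKeyObfuscator) ObfuscateText(doc string) string {
	lines := strings.Split(doc, "\n")
	for i, l := range lines {
		lines[i] = o.ObfuscateLine(l)
	}
	return strings.Join(lines, "\n")
}

// ObfuscateObject is the schematic variant: it walks a decoded resource (the
// map/slice shape yaml and json decoders produce) and rewrites only values under
// known ssh key fields, so unrelated base64 is left alone. Updates in place.
func (o *SSHKeyObfuscator) ObfuscateObject(v interface{}) interface{} {
	switch t := v.(type) {
	case map[string]interface{}:
		for k, child := range t {
			if sshKeyFields[k] {
				t[k] = o.obfuscateValue(child)
			} else {
				t[k] = o.ObfuscateObject(child)
			}
		}
	case []interface{}:
		for i := range t {
			t[i] = o.ObfuscateObject(t[i])
		}
	}
	return v
}

// obfuscateValue handles a key field holding one key or a list of keys.
func (o *SSHKeyObfuscator) obfuscateValue(v interface{}) interface{} {
	switch t := v.(type) {
	case string:
		return o.ObfuscateLine(t)
	case []interface{}:
		for i := range t {
			t[i] = o.obfuscateValue(t[i])
		}
	}
	return v
}

func main() {
	// Constructed sample input; the blobs are fakes, not real keys.
	o := NewSSHKeyObfuscator(true)
	fmt.Println(o.ObfuscateLine("ssh-rsa AAAAB3NzaC1yc2EAAAADAQABfake0001 devenv"))
	fmt.Println(o.ObfuscateText("sshKey: |\n  ssh-rsa AAAAB3NzaC1yc2EAAAADAQABfake0001\nfips: false"))
}
```

The schematic walk deliberately does not touch strings under other fields, which is why the ConfigMap case still needs the line-based pass: `data.install-config` is one string value containing YAML, so the `sshKey` inside it is invisible to a schema walk of the outer object.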
is blocked by
CFE-81 Kubernetes Resource Value Obfuscation (To Do)