OpenShift Bugs
OCPBUGS-24477

OpenShift Audit log showing sensitive data of machine config

Quality / Stability / Reliability
Important

      Description of problem:

After the WriteRequestBodies audit profile is enabled on the API server, the audit logs contain the cluster's pull secret, including private-registry credentials (usernames and passwords). These credentials are stored in the MachineConfig object so that the file /var/lib/kubelet/config.json can be written to each node, and because MachineConfig write requests are logged with their bodies, they are visible in the audit log.
      
      {
          "kind": "Event",
          "apiVersion": "audit.k8s.io/v1",
          "level": "RequestResponse",
          "auditID": "b63bcc59-f125-49a2-a024-3be9f9515203",
          "stage": "ResponseComplete",
          "requestURI": "/apis/machineconfiguration.openshift.io/v1/machineconfigs/00-master",
          "verb": "update",
          "user": {
              "username": "system:serviceaccount:openshift-machine-config-operator:machine-config-controller",
              "uid": "190b0f52-7bf3-43fe-8f65-c367139c765f",
              "groups": [
                  "system:serviceaccounts",
                  "system:serviceaccounts:openshift-machine-config-operator",
                  "system:authenticated"
              ],
              "extra": {
                  "authentication.kubernetes.io/pod-name": [
                      "machine-config-controller-9cf77dd4d-trd6m"
                  ],
                  "authentication.kubernetes.io/pod-uid": [
                      "774a8c23-b35e-4446-8223-1aaba2686ed1"
                  ]
              }
          },
          "sourceIPs": [
              "10.136.160.182"
          ],
          "userAgent": "machine-config-controller/v0.0.0 (linux/amd64) kubernetes/$Format/template-controller",
          "objectRef": {
              "resource": "machineconfigs",
              "name": "00-master",
              "uid": "0788315a-1bba-485d-95f7-48007a2385e9",
              "apiGroup": "machineconfiguration.openshift.io",
              "apiVersion": "v1",
              "resourceVersion": "758466715"
          },
          "responseStatus": {
              "metadata": {},
              "code": 200
          },
          "requestObject": {
              "apiVersion": "machineconfiguration.openshift.io/v1",
              "kind": "MachineConfig",
              "metadata": {
                  "annotations": {
                      "machineconfiguration.openshift.io/generated-by-controller-version": "05dd21653075fa389e62d64eba191a502c4ffd66"
                  },
                  "creationTimestamp": "2021-06-23T15:56:02Z",
                  "generation": 19,
                  "labels": {
                      "machineconfiguration.openshift.io/role": "master"
                  },
                  "name": "00-master",
                  "ownerReferences": [
                      {
                          "apiVersion": "machineconfiguration.openshift.io/v1",
                          "blockOwnerDeletion": true,
                          "controller": true,
                          "kind": "ControllerConfig",
                          "name": "machine-config-controller",
                          "uid": "248ad3e4-33bc-4f26-8ea6-2d3c8f44a2be"
                      }
                  ],
                  "resourceVersion": "758466715",
                  "uid": "0788315a-1bba-485d-95f7-48007a2385e9"
              },
      
For more logs, refer to the link
https://attachments.access.redhat.com/hydra/rest/cases/03664669/attachments/6c04683d-f1d1-4152-b8e2-921aef44591b

      Version-Release number of selected component (if applicable):

          

      How reproducible:

       100%

      Steps to Reproduce:

1. Enable the WriteRequestBodies audit profile on the API server.
2. Update any file carried in a MachineConfig so that a MachineConfigPool rollout is triggered.
3. Check the audit logs: the file data is visible in kube-apiserver/audit.log.
4. The pull secret and other credentials are stored the same way and therefore also appear in the audit log.
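The following scanner is an added example, not code from the OpenShift project or from this report, that shows how to confirm the exposure described above and in the problem description: it reads kube-apiserver audit events as JSON Lines, picks out MachineConfig request bodies, decodes the Ignition file entry for /var/lib/kubelet/config.json and reports which registry credentials the log now carries. It assumes the standard MachineConfig/Ignition layout (files under spec.config.storage.files[] with a data: URL in contents.source) and the docker-style auths map in the pull secret; the sample events, registry name and credentials below are constructed for the example.

```python
"""Scan kube-apiserver audit log lines for MachineConfig bodies that embed the
node pull secret (/var/lib/kubelet/config.json) and report what they expose.

Added example; not code from the OpenShift project or from the bug report.
Assumptions: MachineConfig files live under spec.config.storage.files[] with a
data: URL in contents.source (Ignition layout), and the audit log is JSON Lines.
"""
import base64
import json
import sys
from typing import Dict, Iterable, Iterator
from urllib.parse import unquote_to_bytes

MC_GROUP = "machineconfiguration.openshift.io"
PULL_SECRET_PATH = "/var/lib/kubelet/config.json"


def decode_data_url(source: str) -> bytes:
    """Decode an Ignition data: URL (base64 or percent-encoded) to raw bytes."""
    if not source.startswith("data:"):
        raise ValueError("not a data: URL")
    header, _, payload = source[len("data:"):].partition(",")
    if header.endswith(";base64"):
        return base64.b64decode(payload)
    return unquote_to_bytes(payload)


def pull_secret_files(event: dict) -> Iterator[bytes]:
    """Yield the decoded pull-secret file from any MachineConfig body (request
    or response) recorded in one audit event; events for other API groups or
    without bodies (Metadata level) yield nothing."""
    if (event.get("objectRef") or {}).get("apiGroup") != MC_GROUP:
        return
    for key in ("requestObject", "responseObject"):
        body = event.get(key) or {}
        storage = ((body.get("spec") or {}).get("config") or {}).get("storage") or {}
        for f in storage.get("files") or []:
            source = (f.get("contents") or {}).get("source") or ""
            if f.get("path") == PULL_SECRET_PATH and source:
                yield decode_data_url(source)


def leaked_registry_credentials(audit_lines: Iterable[str]) -> Dict[str, str]:
    """Return {registry: username} for every credential found in the audit
    lines. Only usernames are returned; the passwords stay out of the report."""
    found: Dict[str, str] = {}
    for line in audit_lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        for raw in pull_secret_files(event):
            cfg = json.loads(raw)
            for registry, entry in (cfg.get("auths") or {}).items():
                user, _, _ = base64.b64decode(entry["auth"]).decode().partition(":")
                found[registry] = user
    return found


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed sample data (not from the report): a pull secret embedded the way
# a MachineConfig carries /var/lib/kubelet/config.json, plus an unrelated
# Metadata-level event that has no body and must be skipped.
SAMPLE_PULL_SECRET = json.dumps(
    {"auths": {"registry.example.internal:5000": {"auth": _b64("deploy:hunter2")}}}
)
SAMPLE_EVENTS = [
    json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "RequestResponse",
        "verb": "update",
        "objectRef": {"resource": "machineconfigs", "name": "00-master", "apiGroup": MC_GROUP},
        "requestObject": {
            "kind": "MachineConfig",
            "spec": {"config": {"ignition": {"version": "3.2.0"}, "storage": {"files": [{
                "path": PULL_SECRET_PATH, "mode": 384,
                "contents": {"source": "data:text/plain;charset=utf-8;base64,"
                             + _b64(SAMPLE_PULL_SECRET)},
            }]}}},
        },
    }),
    json.dumps({"kind": "Event", "level": "Metadata", "verb": "get",
                "objectRef": {"resource": "nodes", "apiGroup": ""}}),
]

if __name__ == "__main__":
    # Pass a real audit log path (e.g. a copy of kube-apiserver/audit.log) to
    # scan it; with no argument the constructed sample is scanned instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            print(leaked_registry_credentials(fh))
    else:
        print(leaked_registry_credentials(SAMPLE_EVENTS))
```

Run it against a copy of the audit log from a cluster with WriteRequestBodies enabled to get a per-registry list of exposed usernames; the same loop, with the password half of the decoded auth kept, is what an attacker with read access to the audit logs would write.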

      Actual results:

Secrets and credentials embedded in MachineConfig data are logged in the audit logs.

      Expected results:

Secrets and credentials embedded in MachineConfig data should not be logged in the audit logs.

      Additional info:

          

rh-ee-irinis Ilias Rinis
rhn-support-ppradhan Pramod Pradhan (Inactive)
Sergio Regidor de la Rosa