Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-3290

WriteRequestBodies audit profile records routes/status events at RequestResponse level

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Undefined
    • None
    • 4.10.z
    • kube-apiserver

    Description

      This bug is a backport clone of [Bugzilla Bug 2073220](https://bugzilla.redhat.com/show_bug.cgi?id=2073220). The following is the description of the original bug:

      Description of problem:

      https://docs.openshift.com/container-platform/4.10/security/audit-log-policy-config.html#about-audit-log-profiles_audit-log-policy-config

      Version-Release number of selected component (if applicable): 4.*

      How reproducible: always

      Steps to Reproduce:
      1. Set audit profile to WriteRequestBodies
      2. Wait for api server rollout to complete
      3. tail -f /var/log/kube-apiserver/audit.log | grep routes/status

      Actual results:

      Write events to routes/status are recorded at the RequestResponse level, which often includes keys and certificates.

      Expected results:

      Events involving routes should always be recorded at the Metadata level, per the documentation at https://docs.openshift.com/container-platform/4.10/security/audit-log-policy-config.html#about-audit-log-profiles_audit-log-policy-config

      Additional info:

      Attachments

        Issue Links

          blocks

          Bug - A problem which impairs or prevents the functions of the product. OCPBUGS-5345 WriteRequestBodies audit profile records routes/status events at RequestResponse level

          • Undefined - Priority not specified.
          • Closed
          depends on

          Bug - A problem which impairs or prevents the functions of the product. OCPBUGS-3293 WriteRequestBodies audit profile records routes/status events at RequestResponse level

          • Undefined - Priority not specified.
          • Closed
          is blocked by

          Bug - A problem which impairs or prevents the functions of the product. OCPBUGS-3293 WriteRequestBodies audit profile records routes/status events at RequestResponse level

          • Undefined - Priority not specified.
          • Closed
          is depended on by

          Bug - A problem which impairs or prevents the functions of the product. OCPBUGS-5345 WriteRequestBodies audit profile records routes/status events at RequestResponse level

          • Undefined - Priority not specified.
          • Closed
          links to

          GitHub openshift/cluster-kube-apiserver-operator#1422: OCPBUGS-3290: routes/status resources can leak sensitive data, exclude it from audit

          GitHub openshift/cluster-openshift-apiserver-operator#513: OCPBUGS-3290: routes/status resources can leak sensitive data, exclude it from audit

          GitHub openshift/library-go#1417: [release-4.11] OCPBUGS-3290: routes/status resources can leak sensitive data

          Activity

            Public project attachment banner

              context keys: [headless, issue, helper, isAsynchronousRequest, project, action, user]
              current Project key: OCPBUGS

              People

                Unassigned Unassigned
                openshift-crt-jira-prow OpenShift Prow Bot
                Rahul Gangwar Rahul Gangwar
                Votes:
                0 Vote for this issue
                Watchers:
                5 Start watching this issue

                Dates

                  Created:
                  Updated:
                  Resolved: