OpenShift Bugs: OCPBUGS-3290

WriteRequestBodies audit profile records routes/status events at RequestResponse level

Details

    • Bug
    • Resolution: Done
    • Undefined
    • None
    • 4.10.z
    • kube-apiserver
    Description

      This bug is a backport clone of [Bugzilla Bug 2073220](https://bugzilla.redhat.com/show_bug.cgi?id=2073220). The following is the description of the original bug:

      Description of problem:

      https://docs.openshift.com/container-platform/4.10/security/audit-log-policy-config.html#about-audit-log-profiles_audit-log-policy-config

      Version-Release number of selected component (if applicable): 4.*

      How reproducible: always

      Steps to Reproduce:
      1. Set audit profile to WriteRequestBodies
      2. Wait for api server rollout to complete
      3. tail -f /var/log/kube-apiserver/audit.log | grep routes/status

      Actual results:

      Write events to routes/status are recorded at the RequestResponse level, which often includes keys and certificates.

      Expected results:

      Events involving routes should always be recorded at the Metadata level, per the documentation at https://docs.openshift.com/container-platform/4.10/security/audit-log-policy-config.html#about-audit-log-profiles_audit-log-policy-config

      Additional info:
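
The check from step 3, extended to parse each audit event instead of grepping for the path. This is an added example, not part of the original bug report or OpenShift's own tooling: it flags Route events logged above the Metadata level and names which `spec.tls` fields appear in the recorded bodies, without printing their values. The function names and the sample events are constructed for illustration.

```python
import json

# Route spec.tls fields that hold key or certificate material.
TLS_FIELDS = ("key", "certificate", "caCertificate", "destinationCACertificate")
BODY_LEVELS = {"Request", "RequestResponse"}  # audit levels that log object bodies


def tls_fields_present(body):
    """Names (never values) of populated spec.tls fields in a Route body."""
    tls = ((body or {}).get("spec") or {}).get("tls") or {}
    return {f for f in TLS_FIELDS if tls.get(f)}


def find_route_body_events(lines):
    """Return one finding per Route audit event logged above Metadata level."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        try:
            ev = json.loads(line)
            ref = ev.get("objectRef") or {}
        except (json.JSONDecodeError, AttributeError):
            continue  # blank, truncated, or non-object line
        is_route = (ref.get("apiGroup"), ref.get("resource")) == ("route.openshift.io", "routes")
        if not is_route or ev.get("level") not in BODY_LEVELS:
            continue
        exposed = (tls_fields_present(ev.get("requestObject"))
                   | tls_fields_present(ev.get("responseObject")))
        findings.append({
            "line": lineno, "auditID": ev.get("auditID"), "level": ev["level"],
            "verb": ev.get("verb"), "subresource": ref.get("subresource", ""),
            "route": f"{ref.get('namespace')}/{ref.get('name')}",
            "tls_fields": sorted(exposed),
        })
    return findings


# Constructed sample events (not real cluster data); secret values are placeholders.
_REF = {"apiGroup": "route.openshift.io", "resource": "routes", "namespace": "demo", "name": "web"}
SAMPLE = [
    json.dumps({"level": "RequestResponse", "auditID": "a1", "verb": "update",
                "objectRef": {**_REF, "subresource": "status"},
                "responseObject": {"spec": {"tls": {
                    "key": "PLACEHOLDER", "certificate": "PLACEHOLDER"}}}}),
    json.dumps({"level": "Metadata", "auditID": "a2", "verb": "get", "objectRef": _REF}),
    '{"level": "RequestResponse", "auditID": "a3", "objectRef": {"reso',  # truncated
]

if __name__ == "__main__":
    print(*find_route_body_events(SAMPLE), sep="\n")
```

On a cluster, pass it the lines of `/var/log/kube-apiserver/audit.log`; any finding with a non-empty `tls_fields` list marks a log entry that should be treated as containing secret material.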

            People

              Unassigned
              OpenShift Prow Bot (openshift-crt-jira-prow)
              Rahul Gangwar