OCPBUGS-52466

OpenShift Audit log showing sensitive data of machine config

Release note (Bug Fix): This change prevents the `MachineConfig` object contents from being written into the audit logs, even when `WriteRequestBodies` is configured as an audit log profile. This prevents sensitive information such as pull secrets from being contained in the audit log. (https://issues.redhat.com/browse/OCPBUGS-52466)

      Description of problem:

    After enabling WriteRequestBodies, the audit logs contain the cluster's pull secret, including private registry credentials (usernames and passwords). These are stored in the MachineConfig object for use in the file /var/lib/kubelet/config.json and therefore appear in the audit log.
      
      {
          "kind": "Event",
          "apiVersion": "audit.k8s.io/v1",
          "level": "RequestResponse",
          "auditID": "b63bcc59-f125-49a2-a024-3be9f9515203",
          "stage": "ResponseComplete",
          "requestURI": "/apis/machineconfiguration.openshift.io/v1/machineconfigs/00-master",
          "verb": "update",
          "user": {
              "username": "system:serviceaccount:openshift-machine-config-operator:machine-config-controller",
              "uid": "190b0f52-7bf3-43fe-8f65-c367139c765f",
              "groups": [
                  "system:serviceaccounts",
                  "system:serviceaccounts:openshift-machine-config-operator",
                  "system:authenticated"
              ],
              "extra": {
                  "authentication.kubernetes.io/pod-name": [
                      "machine-config-controller-9cf77dd4d-trd6m"
                  ],
                  "authentication.kubernetes.io/pod-uid": [
                      "774a8c23-b35e-4446-8223-1aaba2686ed1"
                  ]
              }
          },
          "sourceIPs": [
              "10.136.160.182"
          ],
          "userAgent": "machine-config-controller/v0.0.0 (linux/amd64) kubernetes/$Format/template-controller",
          "objectRef": {
              "resource": "machineconfigs",
              "name": "00-master",
              "uid": "0788315a-1bba-485d-95f7-48007a2385e9",
              "apiGroup": "machineconfiguration.openshift.io",
              "apiVersion": "v1",
              "resourceVersion": "758466715"
          },
          "responseStatus": {
              "metadata": {},
              "code": 200
          },
          "requestObject": {
              "apiVersion": "machineconfiguration.openshift.io/v1",
              "kind": "MachineConfig",
              "metadata": {
                  "annotations": {
                      "machineconfiguration.openshift.io/generated-by-controller-version": "05dd21653075fa389e62d64eba191a502c4ffd66"
                  },
                  "creationTimestamp": "2021-06-23T15:56:02Z",
                  "generation": 19,
                  "labels": {
                      "machineconfiguration.openshift.io/role": "master"
                  },
                  "name": "00-master",
                  "ownerReferences": [
                      {
                          "apiVersion": "machineconfiguration.openshift.io/v1",
                          "blockOwnerDeletion": true,
                          "controller": true,
                          "kind": "ControllerConfig",
                          "name": "machine-config-controller",
                          "uid": "248ad3e4-33bc-4f26-8ea6-2d3c8f44a2be"
                      }
                  ],
                  "resourceVersion": "758466715",
                  "uid": "0788315a-1bba-485d-95f7-48007a2385e9"
              },
      
      For more logs, refer to the attachment:
      https://attachments.access.redhat.com/hydra/rest/cases/03664669/attachments/6c04683d-f1d1-4152-b8e2-921aef44591b

      Version-Release number of selected component (if applicable):

          

      How reproducible:

       100%

      Steps to Reproduce:

      1. Enable WriteRequestBodies in the apiserver audit profile.
      2. Update any MachineConfig file so that the MachineConfigPool (MCP) rolls out.
      3. Check the audit logs: the file data is visible in kube-apiserver/audit.log.
      4. The pull secret and other credentials are stored in the same way and are likewise reflected in the audit log.
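An added detection check (not part of the bug report or of the OpenShift fix): it scans kube-apiserver audit log lines for MachineConfig events whose request or response body was recorded, and reports which embedded Ignition files are known credential carriers such as the kubelet pull-secret file. The sample lines are constructed, and the Ignition layout spec.config.storage.files[].path is assumed.

```python
import json

# Constructed sample audit lines (not from the bug report). The second event
# mirrors the leak: a MachineConfig update logged at RequestResponse level
# whose Ignition files include the kubelet pull-secret file.
SAMPLE_AUDIT_LINES = [
    json.dumps({"kind": "Event", "level": "Metadata", "verb": "get", "auditID": "example-0000",
                "objectRef": {"resource": "pods", "apiGroup": ""}}),
    json.dumps({"kind": "Event", "level": "RequestResponse", "verb": "update",
                "auditID": "example-0001",
                "objectRef": {"resource": "machineconfigs", "name": "00-master",
                              "apiGroup": "machineconfiguration.openshift.io"},
                "requestObject": {"kind": "MachineConfig", "spec": {"config": {"storage": {"files": [
                    {"path": "/etc/motd", "contents": {"source": "data:,hello"}},
                    {"path": "/var/lib/kubelet/config.json",
                     "contents": {"source": "data:,%7B%22auths%22%3A%7B%7D%7D"}}]}}}}}),
    json.dumps({"kind": "Event", "level": "Metadata", "verb": "update", "auditID": "example-0002",
                "objectRef": {"resource": "machineconfigs", "name": "01-worker",
                              "apiGroup": "machineconfiguration.openshift.io"}}),
    "not json at all",
]

MC_API_GROUP = "machineconfiguration.openshift.io"
# Paths whose contents are known to carry credentials (the pull-secret case from the report).
SENSITIVE_PATHS = {"/var/lib/kubelet/config.json"}


def ignition_file_paths(body):
    """Return the file paths declared in a MachineConfig body's Ignition config (assumed layout)."""
    files = body.get("spec", {}).get("config", {}).get("storage", {}).get("files", []) or []
    return [f.get("path") for f in files if isinstance(f, dict) and f.get("path")]


def machineconfig_body_events(lines):
    """One finding per audit event that recorded a MachineConfig request/response body."""
    findings = []
    for line in lines:
        try:
            ev = json.loads(line)
        except ValueError:
            continue  # skip malformed lines rather than abort the scan
        ref = ev.get("objectRef") or {}
        if ref.get("apiGroup") != MC_API_GROUP or ref.get("resource") != "machineconfigs":
            continue
        bodies = [ev[k] for k in ("requestObject", "responseObject") if isinstance(ev.get(k), dict)]
        if not bodies:
            continue  # Metadata-level event: only the object reference was logged
        paths = sorted({p for b in bodies for p in ignition_file_paths(b)})
        findings.append({"auditID": ev.get("auditID"), "name": ref.get("name"),
                         "paths": paths, "sensitive": [p for p in paths if p in SENSITIVE_PATHS]})
    return findings
```

Run it over a real kube-apiserver/audit.log by passing the file's lines instead of SAMPLE_AUDIT_LINES; any finding with a non-empty "sensitive" list means a credential reached the log.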

      Actual results:

      Secrets and credentials (MachineConfig data) are being logged in the audit logs.

      Expected results:

      Secrets and credentials (MachineConfig data) should not be logged in the audit logs.

      Additional info:

          

      People: Ilias Rinis (rh-ee-irinis), Pramod Pradhan (rhn-support-ppradhan), Ke Wang