OCPBUGS-61353 (OpenShift Bugs)

The cluster-config-v1 cm of an IPI Nutanix cluster contains the Nutanix password, making it visible to anyone with access.


      Description of problem:

      The cluster-config-v1 ConfigMap of an IPI Nutanix cluster contains the Nutanix password, making it visible to anyone with access.
      
      ------------
      $ oc get cm -n kube-system cluster-config-v1 -o yaml | grep -i password -A 5 -B 5
                type: UserManaged
              prismCentral:
                endpoint:
                  address: hcinxxxp.ot.lxxxl
                  port: 9440
                password: Concxxxlusssxhorce.nl2024      <<------ Password
                username: hcinxxxp
              prismElements:
              - endpoint:
                  address: hcinxxxp.ot.lxxxl
                  port: 9440
      --------
      
      + In a vSphere IPI cluster, I verified that the password does not appear.   
      ---------
      $ oc get cm -n kube-system cluster-config-v1 -o yaml | grep -i password -A 5 -B 5
              ingressVIPs:
              - 10.44.939.45
              vcenters:
              - datacenters:
                - OpenShift-DC
                password: ""
                server: vcenter.vmware.xxxx.yyy.com
                user: ""
          publish: External
          pullSecret: ""
          sshKey: |
      --------
       

              aaggrawa Abhay Aggrawal
              rhn-support-harspati Harshada Patil
              Shang Gao Shang Gao
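
Added example, not part of the original report and not OpenShift's own tooling: a shell filter for the YAML output of the oc command shown in the description. It names credential-like keys that hold a non-empty value and never echoes the value. The function names, the key pattern (password, secret, token) and both sample documents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads YAML on stdin and names credential-like keys that hold
# a non-empty value. The value itself is never printed.
# Assumption: keys containing password, secret or token are the ones of interest.
populated_secret_keys() {
    awk '
    {
        line = $0
        sub(/^[ \t]*(-[ \t]+)?/, "", line)        # drop indentation and list marker
        sep = index(line, ":")
        if (sep == 0) next
        key = substr(line, 1, sep - 1)
        val = substr(line, sep + 1)
        if (key !~ /^[A-Za-z0-9_.-]+$/) next      # not a plain YAML key
        if (tolower(key) !~ /password|secret|token/) next
        sub(/[ \t]+#.*$/, "", val)                # drop a trailing comment
        gsub(/^[ \t]+|[ \t]+$/, "", val)          # trim whitespace
        if (val == "" || val == "\"\"" || val == "\047\047") next
        if (val == "null" || val == "~") next
        printf "line %d: %s is populated\n", NR, key
    }'
}

# Constructed sample shaped like the Nutanix excerpt (placeholder values only).
sample_nutanix() {
    cat <<'EOF'
platform:
  nutanix:
    prismCentral:
      endpoint:
        address: pc.example.invalid
        port: 9440
      password: CONSTRUCTED-PLACEHOLDER
      username: example-user
pullSecret: ""
EOF
}

# Constructed sample shaped like the vSphere excerpt (credentials blanked).
sample_vsphere() {
    cat <<'EOF'
vcenters:
- datacenters:
  - OpenShift-DC
  password: ""
  server: vcenter.example.invalid
  user: ""
pullSecret: ""
EOF
}

echo "nutanix sample:"; sample_nutanix | populated_secret_keys
echo "vsphere sample:"; sample_vsphere | populated_secret_keys
# Live use: oc get cm -n kube-system cluster-config-v1 -o yaml | populated_secret_keys
```

An empty result corresponds to the vSphere case in the report, where the fields are present but blank.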