Feature Request
Resolution: Won't Do
Priority: Normal
1) Proposed title of this feature request
Ability to allow GET of secrets without revealing their contents (e.g. LIST them)
2) What is the nature and description of the request?
Certain users should be able to see the names of secrets (or whether they exist) but not "reveal" them. Granting a developer LIST on secrets (not GET/PATCH/UPDATE) allows them to GET the entire secret when specifying "-o yaml".
3) Why does the customer need this? (List the business requirements here)
Allow developers to see whether secrets exist (so names will not clash on CREATE) without giving them the ability to see the contents of secrets.
4) List any affected packages or components.
Openshift v3.11 -> 4.8
Customer shared the steps to reproduce the issue:
Step 1: create project pdsecrettest
Step 2: allow (cluster role) view to LocalTSG user
~~~
oc adm policy add-role-to-user view LocalTSG -n pdsecrettest --as=system:admin
clusterrole.rbac.authorization.k8s.io/view added: "LocalTSG"
~~~
Step 3: from LocalTSG User perspective
~~~
[u25356@ybsxlx43 ~]$ oc project pdsecrettest
Now using project "pdsecrettest" on server "https://api.xxxxx.xxx.com:6443".
[u25356@ybsxlx43 ~]$ oc get secrets
Error from server (Forbidden): secrets is forbidden: User "LocalTSG" cannot list resource "secrets" in API group "" in the namespace "pdsecrettest"
[u25356@ybsxlx43 ~]$ oc get secrets -o yaml
apiVersion: v1
items: []
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""
Error from server (Forbidden): secrets is forbidden: User "LocalTSG" cannot list resource "secrets" in API group "" in the namespace "pdsecrettest"
~~~
Step 4: add list secrets as a new (project level) role
~~~
cat listsecrets.yaml
apiVersion: authorization.openshift.io/v1
kind: Role
metadata:
  name: listsecrets
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - list
[u25356@ybsxlx43d tmp]$ oc create -f listsecrets.yaml --as=system:admin
role.authorization.openshift.io/listsecrets created
~~~
Step 5: add to user
~~~
[u25356@ybsxlx43d tmp]$ oc adm policy add-role-to-user listsecrets --role-namespace=pdsecrettest LocalTSG -n pdsecrettest --as=system:admin
role.rbac.authorization.k8s.io/listsecrets added: "LocalTSG"
~~~
Step 6: from LocalTSG User perspective
Can list secrets:
</gml_replace>
<gr_replace lines="84" cat="clarify" orig="Cannot view">
Cannot view an individual secret:
~~~
[u25356@ybsxlx43 ~]$ oc get secrets
NAME TYPE DATA AGE
builder-dockercfg-nk484 kubernetes.io/dockercfg 1 4m3s
builder-token-mdhbj kubernetes.io/service-account-token 4 4m3s
builder-token-s8gtc kubernetes.io/service-account-token 4 4m3s
default-dockercfg-qbvhz kubernetes.io/dockercfg 1 4m3s
default-token-lzrkz kubernetes.io/service-account-token 4 4m3s
default-token-sr4jv kubernetes.io/service-account-token 4 4m3s
deployer-dockercfg-p9jpm kubernetes.io/dockercfg 1 4m3s
deployer-token-jvrnm kubernetes.io/service-account-token 4 4m3s
deployer-token-pt5mx kubernetes.io/service-account-token 4 4m3s
~~~
Cannot view an individual secret
~~~
[u25356@ybsxlx43 ~]$ oc get secrets builder-dockercfg-nk484
Error from server (Forbidden): secrets "builder-dockercfg-nk484" is forbidden: User "LocalTSG" cannot get resource "secrets" in API group "" in the namespace "pdsecrettest"
~~~
However, the user can still dump all the secrets to YAML despite not having the get/watch verb:
~~~
[u25356@ybsxlx43 ~]$ oc get secrets -o yaml
apiVersion: v1
items:
- apiVersion: v1
  data:
    .dockercfg: eyIxNzIuMzAuNTMuMTQxOjUwMDAiOnsidXNlcm5hbWUiOiJzZXJ2aWNlYWNjb3VudCIsInBhc3N3b3JkIjoiZXlKaGJHY2lPaUpTVXpJMU5pSXNJbXRwWkNJNklqbGZiRVZFTF
..and so on..
~~~
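The reproduction above shows the property that makes this request hard to satisfy with RBAC alone: a `list` (or `watch`) response carries the full objects, including `data`, so any rule granting `list` on secrets is effectively a read grant even when `get` is withheld. The following script is an added example (not part of the ticket or of OpenShift) that audits Role/ClusterRole objects in the JSON form `oc get roles,clusterroles -A -o json` produces, and flags every rule that exposes secret contents. The three sample roles embedded in it are constructed for the example; the first mirrors the customer's `listsecrets` role.

```python
"""Audit Kubernetes/OpenShift RBAC rules for effective read access to secrets.

Reads Role/ClusterRole JSON (a single object or a kind: List) from stdin and
reports rules that let the subject see secret contents. "list" and "watch"
are treated exactly like "get": their responses contain the whole object.
"""
import json
import sys

# Verbs whose responses include secret contents.
READ_VERBS = {"get", "list", "watch"}


def secret_read_rules(role):
    """Return, for one Role/ClusterRole dict, a list of the read verbs granted
    on secrets by each matching rule (one sorted list per offending rule)."""
    hits = []
    for rule in role.get("rules", []):
        groups = set(rule.get("apiGroups", []))
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))
        # Secrets live in the core API group, written as "" (or matched by "*").
        if not groups & {"", "*"}:
            continue
        if not resources & {"secrets", "*"}:
            continue
        exposing = READ_VERBS if "*" in verbs else verbs & READ_VERBS
        if exposing:
            hits.append(sorted(exposing))
    return hits


def audit(document):
    """Accept a single Role/ClusterRole or a kind: List of them; return a dict
    mapping "<kind>/<namespace>/<name>" to the offending verb lists."""
    items = document.get("items", []) if document.get("kind") == "List" else [document]
    report = {}
    for role in items:
        hits = secret_read_rules(role)
        if hits:
            meta = role.get("metadata", {})
            key = "{}/{}/{}".format(
                role.get("kind", "?"), meta.get("namespace", "-"), meta.get("name", "?")
            )
            report[key] = hits
    return report


# Constructed sample roles (JSON equivalents of what `oc get role -o json` prints).
LISTSECRETS_ROLE = {
    "kind": "Role",
    "metadata": {"name": "listsecrets", "namespace": "pdsecrettest"},
    "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["list"]}],
}
CREATE_ONLY_ROLE = {
    "kind": "Role",
    "metadata": {"name": "createsecrets", "namespace": "pdsecrettest"},
    "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["create"]}],
}
WILDCARD_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "everything"},
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}
SAMPLE_LIST = {"kind": "List", "items": [LISTSECRETS_ROLE, CREATE_ONLY_ROLE, WILDCARD_ROLE]}


if __name__ == "__main__":
    # Audit stdin if piped, otherwise the constructed samples.
    doc = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_LIST
    for key, hits in sorted(audit(doc).items()):
        print("{}: exposes secret contents via {}".format(key, hits))
```

Run it against a live cluster with `oc get roles,clusterroles -A -o json | python3 audit_secret_rules.py` (file name assumed). Note that a rule granting only `create` is not flagged: it lets a developer attempt to create a secret and learn from an AlreadyExists error whether the name is taken, without any read verb, which is the closest RBAC-only approximation to the "see if names clash" requirement in this ticket.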