WTO-151 (project: Web Terminal for OpenShift)

Web Terminal Operator leaking user token into Audit logs


    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • 1.7.0
    • 1.5.0, 1.6.0
    • machine-exec, operator

On an OpenShift 4.10.13 platform-agnostic installation, we recently tried to install the Web Terminal Operator.

We noticed that the token of the user who opens an instance of the Operator is exposed in the audit logs.

Below is an example:

/api/v1/namespaces/openshift-terminal/pods/workspace16ca99719d3e4452-6f64f5b756-6rv8n/exec?command=sh&command=c&command=echo+%22apiVersion%3A+v1%0Aclusters%3A%0Acluster%3A%0A++certificate-authority%3A%2Fvar%2Frun%2Fsecrets%2Fkubernetes.io%2Fserviceaccount%2Fca.crt%0A+++server%3A+https%3A%2F%2F172.21.0.1%3A443%0Aname%3A+https%3A%2F%2F172.21.0.1%3A443%0Ausers%3A%0A-+name%3A+a_tx94r%0Auser%3A%0A++token%3A+sha256~XXXX%3A%0A-+context%3A%0A++cluster%3A+https%3A%2F%2F172.21.0.1%3A443%0A++namespace%3A+openshift-terminal%0A++user%3A+a_tx94r%0Aname%3A+a_tx94r-context%0Acurrent-context%3A+a_tx94r-context%0Akind%3A+Config%0A%22%3E+%2Fhome%2Fuser%2F.kube%2Fconfig&container=web-terminal-tooling&stderr=true&stdout=true

--> token%3A+sha256~XXXX%3A%0A (manually masked)
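Added here as a defender-side illustration, not code from the report or from the Web Terminal Operator project: a small scrubber that takes kube-apiserver audit events of the shape quoted above, URL-decodes the `command` parameters of a `pods/exec` request, and flags and redacts any OpenShift-style `sha256~…` token embedded in them. The pod name, user name, token value and the audit event itself are constructed for the example; only the request path layout and the `command`/`container`/`stdout`/`stderr` parameters follow the entry in the report.

```python
import json
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# OpenShift OAuth access tokens carry a "sha256~" prefix followed by a base64url body.
OPENSHIFT_TOKEN_RE = re.compile(r"sha256~[A-Za-z0-9_-]+")


def exec_command_args(request_uri: str) -> list[str]:
    """Return the URL-decoded `command` arguments of a pods/exec request URI, in order.

    Requests that are not exec calls yield an empty list.
    """
    parts = urlsplit(request_uri)
    if not parts.path.endswith("/exec"):
        return []
    return parse_qs(parts.query).get("command", [])


def find_tokens(request_uri: str) -> list[str]:
    """Every OpenShift-style token that appears inside the exec command arguments."""
    tokens: list[str] = []
    for arg in exec_command_args(request_uri):
        tokens.extend(OPENSHIFT_TOKEN_RE.findall(arg))
    return tokens


def redact_request_uri(request_uri: str) -> str:
    """Re-encode the URI with every token inside `command` replaced by a marker."""
    parts = urlsplit(request_uri)
    query = parse_qs(parts.query, keep_blank_values=True)
    if "command" in query:
        query["command"] = [OPENSHIFT_TOKEN_RE.sub("sha256~REDACTED", arg) for arg in query["command"]]
    return parts._replace(query=urlencode(query, doseq=True)).geturl()


def scan_audit_line(line: str) -> dict:
    """Inspect one JSON audit event and report whether its exec request carried a token."""
    event = json.loads(line)
    uri = event.get("requestURI", "")
    tokens = find_tokens(uri)
    return {
        "username": event.get("user", {}).get("username"),
        "tokens_found": len(tokens),
        "redacted_uri": redact_request_uri(uri) if tokens else uri,
    }


# ---- constructed sample data: no real cluster, user, pod or token ----
CONSTRUCTED_TOKEN = "sha256~EXAMPLE_not_a_real_token"
CONSTRUCTED_KUBECONFIG = (
    "apiVersion: v1\n"
    "users:\n"
    "- name: example-user\n"
    "  user:\n"
    f"    token: {CONSTRUCTED_TOKEN}\n"
    "kind: Config\n"
)
# Same shape as the exec request quoted in the report: the kubeconfig is echoed into
# the container through the command line, so the query string carries the token.
SAMPLE_REQUEST_URI = "/api/v1/namespaces/openshift-terminal/pods/workspace-example-pod/exec?" + urlencode([
    ("command", "sh"),
    ("command", "-c"),
    ("command", f'echo "{CONSTRUCTED_KUBECONFIG}" > /home/user/.kube/config'),
    ("container", "web-terminal-tooling"),
    ("stderr", "true"),
    ("stdout", "true"),
])
SAMPLE_AUDIT_LINE = json.dumps({
    "kind": "Event",
    "apiVersion": "audit.k8s.io/v1",
    "level": "Metadata",
    "verb": "create",
    "user": {"username": "example-user"},
    "requestURI": SAMPLE_REQUEST_URI,
})

if __name__ == "__main__":
    report = scan_audit_line(SAMPLE_AUDIT_LINE)
    print(f"user={report['username']} tokens_found={report['tokens_found']}")
    print(report["redacted_uri"])
```

Even at the `Metadata` audit level the API server records the full `requestURI`, so anything placed in exec command arguments is persisted in the audit trail. A scrubber like this helps measure exposure in logs already retained; the durable mitigation is to keep credentials out of command-line arguments altogether.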

Angel Misevski (amisevsk, inactive)
Roman Bobek (rhn-support-rbobek)
Votes: 0
Watchers: 7
