Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 1689280 - Full master-config file contents can be leaked by master api pod logs
Summary: Full master-config file contents can be leaked by master api pod logs
Keywords:
Status: NEW
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Master
Version: 3.11.0
Hardware: Unspecified
OS: Unspecified
low
medium
Target Milestone: ---
: 3.11.z
Assignee: Michal Fojtik
QA Contact: Xingxing Xia
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-03-15 15:20 UTC by Jesse Sarnovsky
Modified: 2019-03-18 14:25 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Target Upstream Version:


Attachments (Terms of Use)

Description Jesse Sarnovsky 2019-03-15 15:20:04 UTC
Description of problem:

The full contents of the master config are written/visible in the master api pod logs when an error is reported which could unveil secure details (such as secret/access keys) that could be exploited by a malicious user.

Version-Release number of selected component (if applicable):

How reproducible:
Easy

Steps to Reproduce:

1. Log into one of the master nodes

2. Introduce a change to the master config that is logged as an error.  Can be produced by using an invalid path for the ca cert within an IDP or more simply, just inserting the line:

deploymentControllerResyncMinutes: 15

Which seemed to be common when I checked multiple OpenShift/Dedicated clusters.

3. Restart the master api pod on the node

# master-restart api

4. Grep the output of the pod logs for the line after the error message with:

# oc logs <master_api_pod> -n kube-system | grep JSON -A1



Actual results:

The full contents of the master config are visible in the pod logs by any user with read access.  For example:

# oc logs master-api-ip-172-31-7-229.ec2.internal -n kube-system | grep JSON -A1
E0311 18:29:31.498397       1 helpers.go:134] Encountered config error json: unknown field "deploymentControllerResyncMinutes" in object *config.MasterConfig, raw JSON:
{"admissionConfig":{"pluginConfig":{"BuildDefaults":{"configuration":{"apiVersion":"v1","env":[],"kind":"...

*** lines removed for easier readability ***

,"volumeConfig":{"dynamicProvisioningEnabled":true}}



Expected results:

The full master config contents shouldn't be included after the error message.

Additional info:


Note You need to log in before you can comment on or make changes to this bug.