Bug 1785194

Summary: Don't gather pod endpoints using tokens
Product: OpenShift Container Platform Reporter: Maciej Szulik <maszulik>
Component: ocAssignee: Maciej Szulik <maszulik>
Status: CLOSED ERRATA QA Contact: zhou ying <yinzhou>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 4.3.0CC: aos-bugs, jokerman, mfojtik
Target Milestone: ---   
Target Release: 4.4.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
: 1785201 (view as bug list) Environment:
Last Closed: 2020-05-04 11:20:43 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1785201    

Description Maciej Szulik 2019-12-19 11:23:08 UTC 
Currently oc adm inspect will send bearer tokens when scraping data from endpoints. This might expose the tokens to potentially untrustworthy parties.
Comment 2 zhou ying 2020-01-09 09:56:02 UTC 
Confirmed with latest oc client, the issue has fixed:
[root@dhcp-140-138 ~]# rpm -q openshift-clients
openshift-clients-4.4.0-202001090623.git.1.b589d0e.el7.x86_64


When use cluster-admin, could see endpoints of healthz in the result;

When use normal-user with cluster-admin role , could not see endpoints of healthz in the result, and can find logs like: 
[zhouying@dhcp-140-138 ~]$ cat testuser-21-runtime |grep "Skipping container endpoint"
I0109 17:48:26.292427   24260 pod.go:71]         Skipping container endpoint collection for pod "kube-apiserver-operator-58fbdb9548-87mc9" container "kube-apiserver-operator": Using token authentication
I0109 17:48:55.351001   24260 pod.go:71]         Skipping container endpoint collection for pod "kube-apiserver-ip-10-0-138-150.us-east-2.compute.internal" container "kube-apiserver-5": Using token authentication
...
Comment 4 errata-xmlrpc 2020-05-04 11:20:43 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0581