Bug 2042038
| Summary: | audit: ManagedFields are dropped using API not annotation | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Emily Moss <emoss> |
| Component: | oauth-apiserver | Assignee: | Pierre Prinetti <pprinett> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Xingxing Xia <xxia> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 4.10 | CC: | akashem, aos-bugs, jmekkatt, mfojtik, slaskawi, surbania, xxia |
| Target Milestone: | --- | ||
| Target Release: | 4.11.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | No Doc Update | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | 2041541 | Environment: | |
| Last Closed: | 2022-05-06 13:35:47 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
@xxia I can't seem to reproduce on 4.11 (4.11.0-0.ci-2022-04-29-080325). Would you mind to check again, so that we can close? Pierre, tested in 4.11 (4.11.0-0.nightly-2022-05-05-015322) with above steps, it works well and does not have the issue. Double tested 4.10 again (4.10.0-0.nightly-2022-05-06-010401), it still has the issue:
$ oc login -u testuser-13
Check oauth-apiserver audit logs:
$ PATTERN="managedFields"
$ MASTERS=`oc get no | grep master | grep -o '^[^ ]*'`
$ for i in $MASTERS; do
oc debug no/$i -- chroot /host bash -c "grep -hE '$PATTERN' /var/log/oauth-apiserver/audit*.log || true"
done > audit-oauth-apiserver_4.10_test_again.log
$ cat audit-oauth-apiserver_4.10_test_again.log
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"26bf867a-60a3-4d8e-a62b-9685d0f9c4d9","stage":"ResponseComplete","requestURI":"/apis/user.openshift.io/v1/identities","verb":"create","user":{"username":"system:serviceaccount:openshift-authentication:oauth-openshift","groups":["system:serviceaccounts","system:serviceaccounts:openshift-authentication","system:authenticated"],"extra":{"authentication.kubernetes.io/pod-name":["oauth-openshift-b68f59c99-r8bz5"],"authentication.kubernetes.io/pod-uid":["c178e769-ad21-4066-84ab-1abbb271961b"]}},"sourceIPs":["10.0.135.123","10.129.0.1"],"userAgent":"oauth-server/v0.0.0 (linux/amd64) kubernetes/$Format","objectRef":{"resource":"identities","name":"flexy-htpasswd-provider:testuser-13","apiGroup":"user.openshift.io","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Identity","apiVersion":"user.openshift.io/v1","metadata":{"name":"flexy-htpasswd-provider:testuser-13","creationTimestamp":null},"providerName":"flexy-htpasswd-provider","providerUserName":"testuser-13","user":{"name":"testuser-13","uid":"c1046d6a-9529-486d-bc0e-f81c31c033e1"}},"responseObject":{"kind":"Identity","apiVersion":"user.openshift.io/v1","metadata":{"name":"flexy-htpasswd-provider:testuser-13","uid":"a9d37da6-2f15-4689-9441-b72781505810","resourceVersion":"58904","creationTimestamp":"2022-05-06T10:09:29Z","managedFields":[{"manager":"oauth-server","operation":"Update","apiVersion":"user.openshift.io/v1","time":"2022-05-06T10:09:29Z","fieldsType":"FieldsV1","fieldsV1":{"f:providerName":{},"f:providerUserName":{},"f:user":{}}}]},"providerName":"flexy-htpasswd-provider","providerUserName":"testuser-13","user":{"name":"testuser-13","uid":"c1046d6a-9529-486d-bc0e-f81c31c033e1"}},"requestReceivedTimestamp":"2022-05-06T10:09:29.613246Z","stageTimestamp":"2022-05-06T10:09:29.629455Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:openshift:openshift-authentication\" of ClusterRole \"cluster-admin\" to ServiceAccount \"oauth-openshift/openshift-authentication\""}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"8bafc8a4-ed8a-4d1a-9cc8-32538eac126b","stage":"ResponseComplete","requestURI":"/apis/oauth.openshift.io/v1/oauthauthorizetokens","verb":"create","user":{"username":"system:serviceaccount:openshift-authentication:oauth-openshift","groups":["system:serviceaccounts","system:serviceaccounts:openshift-authentication","system:authenticated"],"extra":{"authentication.kubernetes.io/pod-name":["oauth-openshift-b68f59c99-r8bz5"],"authentication.kubernetes.io/pod-uid":["c178e769-ad21-4066-84ab-1abbb271961b"]}},"sourceIPs":["10.0.135.123","10.129.0.1"],"userAgent":"oauth-server/v0.0.0 (linux/amd64) kubernetes/$Format","objectRef":{"resource":"oauthauthorizetokens","name":"sha256~2ze0U5zocUK0v-GTUZhNNQ1a3ZAD9u5JMD4k0khAXEc","apiGroup":"oauth.openshift.io","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"OAuthAuthorizeToken","apiVersion":"oauth.openshift.io/v1","metadata":{"name":"sha256~2ze0U5zocUK0v-GTUZhNNQ1a3ZAD9u5JMD4k0khAXEc","creationTimestamp":null},"clientName":"openshift-challenging-client","expiresIn":300,"scopes":["user:full"],"redirectURI":"https://oauth-openshift.apps.../oauth/token/implicit","userName":"testuser-13","userUID":"c1046d6a-9529-486d-bc0e-f81c31c033e1","codeChallenge":"TAGxO_wH_v6hJWlPm2tqOQ_rX8Wu6cqZmn-qWuohz5U","codeChallengeMethod":"S256"},"responseObject":{"kind":"OAuthAuthorizeToken","apiVersion":"oauth.openshift.io/v1","metadata":{"name":"sha256~2ze0U5zocUK0v-GTUZhNNQ1a3ZAD9u5JMD4k0khAXEc","uid":"6d9c36ba-2f99-4d29-a250-c0524988fc26","resourceVersion":"58905","creationTimestamp":"2022-05-06T10:09:29Z","managedFields":[{"manager":"oauth-server","operation":"Update","apiVersion":"oauth.openshift.io/v1","time":"2022-05-06T10:09:29Z","fieldsType":"FieldsV1","fieldsV1":{"f:clientName":{},"f:codeChallenge":{},"f:codeChallengeMethod":{},"f:expiresIn":{},"f:redirectURI":{},"f:scopes":{},"f:userName":{},"f:userUID":{}}}]},"clientName":"openshift-challenging-client","expiresIn":300,"scopes":["user:full"],"redirectURI":"https://oauth-openshift.apps.../oauth/token/implicit","userName":"testuser-13","userUID":"c1046d6a-9529-486d-bc0e-f81c31c033e1","codeChallenge":"TAGxO_wH_v6hJWlPm2tqOQ_rX8Wu6cqZmn-qWuohz5U","codeChallengeMethod":"S256"},"requestReceivedTimestamp":"2022-05-06T10:09:29.637719Z","stageTimestamp":"2022-05-06T10:09:29.648750Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:openshift:openshift-authentication\" of ClusterRole \"cluster-admin\" to ServiceAccount \"oauth-openshift/openshift-authentication\""}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"d1a9ed04-e9f7-4ba4-bacc-5e8be76fb2c6","stage":"ResponseComplete","requestURI":"/apis/oauth.openshift.io/v1/oauthaccesstokens","verb":"create","user":{"username":"system:serviceaccount:openshift-authentication:oauth-openshift","groups":["system:serviceaccounts","system:serviceaccounts:openshift-authentication","system:authenticated"],"extra":{"authentication.kubernetes.io/pod-name":["oauth-openshift-b68f59c99-r8bz5"],"authentication.kubernetes.io/pod-uid":["c178e769-ad21-4066-84ab-1abbb271961b"]}},"sourceIPs":["10.0.135.123","10.129.0.1"],"userAgent":"oauth-server/v0.0.0 (linux/amd64) kubernetes/$Format","objectRef":{"resource":"oauthaccesstokens","name":"sha256~bT09ntIOWXkw_AbHxukSokLsbcxW58VCAgMx1zZ6aU4","apiGroup":"oauth.openshift.io","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"OAuthAccessToken","apiVersion":"oauth.openshift.io/v1","metadata":{"name":"sha256~bT09ntIOWXkw_AbHxukSokLsbcxW58VCAgMx1zZ6aU4","creationTimestamp":null},"clientName":"openshift-challenging-client","expiresIn":86400,"scopes":["user:full"],"redirectURI":"https://oauth-openshift.apps.../oauth/token/implicit","userName":"testuser-13","userUID":"c1046d6a-9529-486d-bc0e-f81c31c033e1","authorizeToken":"sha256~ua32P8k-C2RMNDAj4gk-x-5slEtGJ3m9-P-qUXhKQ6Y"},"responseObject":{"kind":"OAuthAccessToken","apiVersion":"oauth.openshift.io/v1","metadata":{"name":"sha256~bT09ntIOWXkw_AbHxukSokLsbcxW58VCAgMx1zZ6aU4","uid":"b65684b5-798a-4051-aa39-94dc1c3ebc89","resourceVersion":"58906","creationTimestamp":"2022-05-06T10:09:29Z","managedFields":[{"manager":"oauth-server","operation":"Update","apiVersion":"oauth.openshift.io/v1","time":"2022-05-06T10:09:29Z","fieldsType":"FieldsV1","fieldsV1":{"f:authorizeToken":{},"f:clientName":{},"f:expiresIn":{},"f:redirectURI":{},"f:scopes":{},"f:userName":{},"f:userUID":{}}}]},"clientName":"openshift-challenging-client","expiresIn":86400,"scopes":["user:full"],"redirectURI":"https://oauth-openshift.apps.../oauth/token/implicit","userName":"testuser-13","userUID":"c1046d6a-9529-486d-bc0e-f81c31c033e1","authorizeToken":"sha256~ua32P8k-C2RMNDAj4gk-x-5slEtGJ3m9-P-qUXhKQ6Y"},"requestReceivedTimestamp":"2022-05-06T10:09:29.685242Z","stageTimestamp":"2022-05-06T10:09:29.695344Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:openshift:openshift-authentication\" of ClusterRole \"cluster-admin\" to ServiceAccount \"oauth-openshift/openshift-authentication\""}}
...
This bug ID was used to track 4.10, it still has the bug, not sure if 4.10 needs fix.
I am going to close this report, as the issue is fixed in 4.11. As for 4.10, my understanding is that the impact is mild enough that it doesn't require a backport. Thank you! |
Test steps: 1. Make audit logs contain request/response bodies: $ oc patch apiserver/cluster --type=merge -p '{"spec": {"audit": {"profile": "AllRequestBodies"}}}' Wait for KAS/OAS/OauthAs pods to finish rotation. 2. Make requests to be audited of resources that belong to oauth-apiserver: $ oc login -u USER -p PASSWORD 3. Check oauth-apiserver audit logs: PATTERN="managedFields" MASTERS=`oc get no | grep master | grep -o '^[^ ]*'` for i in $MASTERS; do oc debug no/$i -- chroot /host bash -c "grep -hE '$PATTERN' /var/log/oauth-apiserver/audit*.log || true" done > audit-oauth-apiserver.log Ran above test steps against 4.9, audit-oauth-apiserver.logs did not drop managedFields: {"kind":"Event",...,"responseObject":{"kind":"OAuthAuthorizeToken","apiVersion":"oauth.openshift.io/v1","metadata":{"name":"sha256~_...",...,"managedFields":[{"manager":"oauth-server"... This is expected, because 4.9 oauth-apiserver does not implement the dropping. However, ran above steps against latest 4.10.0-0.nightly-2022-01-26-234447, oauth-apiserver audit logs still did not drop managedFields: {"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse",...,"requestURI":"/apis/user.openshift.io/v1/users/testuser-13","verb":"get","user":{"username":"system:apiserver",...,"responseObject":{"kind":"User","apiVersion":"user.openshift.io/v1","metadata":{"name":"testuser-13",...,"managedFields":[{"manager":"oauth-server","operation":"Update",... But checked: $ oc get cm -n openshift-oauth-apiserver audit -o yaml apiVersion: v1 data: policy.yaml: | apiVersion: audit.k8s.io/v1 kind: Policy metadata: creationTimestamp: null name: policy omitManagedFields: true ... It already defines omitManagedFields as true. This result means omitManagedFields as 'true' does not take effect in dropping "managedFields" in audit logs.