Bug 2073220

Summary: WriteRequestBodies audit profile records routes/status events at RequestResponse level
Product: OpenShift Container Platform
Component: kube-apiserver
Version: 4.10
Target Release: 4.10.z
Status: CLOSED WONTFIX
Severity: high
Priority: high
Type: Bug
Hardware: Unspecified
OS: Unspecified
Reporter: Grant Sleeman <gsleeman>
Assignee: Abu Kashem <akashem>
QA Contact: Deepak Punia <dpunia>
CC: akashem, aos-bugs, aweiteka, dpunia, etracy, gilins, mfojtik, oarribas, taxu, wlewis, xxia
Last Closed: 2023-01-16 11:33:33 UTC

Description Grant Sleeman 2022-04-07 23:09:50 UTC
Description of problem:

https://docs.openshift.com/container-platform/4.10/security/audit-log-policy-config.html#about-audit-log-profiles_audit-log-policy-config

Version-Release number of selected component (if applicable): 4.*

How reproducible: always

Steps to Reproduce:
1. Set audit profile to WriteRequestBodies
2. Wait for api server rollout to complete
3. tail -f /var/log/kube-apiserver/audit.log | grep routes/status

Actual results:

Write events to routes/status are recorded at the RequestResponse level, which often includes keys and certificates.

Expected results:

Events involving routes should always be recorded at the Metadata level, per the documentation at https://docs.openshift.com/container-platform/4.10/security/audit-log-policy-config.html#about-audit-log-profiles_audit-log-policy-config


Additional info:
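
The check from step 3 of the report, as an added example that is not part of the original report or of any OpenShift tooling: instead of grepping for a path, it parses each audit event and flags any event on `routes` (it covers all route events, not only `routes/status`) that is logged above the Metadata level or carries a request or response body. The function name and the sample events are constructed for illustration; the field names follow the Kubernetes audit event format.

```python
import json

def _event(level, resource, subresource=None, group="", body=None):
    """Build one constructed audit event (sample data, not from the report)."""
    ev = {"kind": "Event", "level": level, "stage": "ResponseComplete", "verb": "update",
          "auditID": f"constructed-{level}-{resource}",
          "objectRef": {"resource": resource, "apiGroup": group,
                        "namespace": "demo", "name": "web"}}
    if subresource:
        ev["objectRef"]["subresource"] = subresource
    if body is not None:
        ev["requestObject"] = ev["responseObject"] = body
    return json.dumps(ev)

ROUTE_BODY = {"spec": {"tls": {"key": "<placeholder>", "certificate": "<placeholder>"}}}
SAMPLE_LOG = [
    _event("RequestResponse", "routes", "status", "route.openshift.io", ROUTE_BODY),
    _event("Metadata", "routes", "status", "route.openshift.io"),
    _event("RequestResponse", "configmaps", body={"data": {}}),
    '{"kind": "Event", "level": "RequestRe',  # truncated line, as seen while tailing
]

def find_route_body_leaks(lines):
    """Return routes events logged above Metadata level or carrying object bodies."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip partially written or non-JSON lines
        if not isinstance(ev, dict):
            continue
        ref = ev.get("objectRef") or {}
        if ref.get("resource") != "routes" or ref.get("apiGroup") != "route.openshift.io":
            continue
        bodies = [k for k in ("requestObject", "responseObject") if k in ev]
        if ev.get("level") != "Metadata" or bodies:
            tls = ((ev.get("requestObject") or {}).get("spec") or {}).get("tls") or {}
            findings.append({"line": lineno, "auditID": ev.get("auditID"),
                             "level": ev.get("level"), "subresource": ref.get("subresource"),
                             "bodies": bodies, "tls_key_in_request": "key" in tls})
    return findings

if __name__ == "__main__":
    for finding in find_route_body_leaks(SAMPLE_LOG):
        print(finding)  # reports field names only, never the logged key material
```

To run it against a real log, pass an open file handle for `/var/log/kube-apiserver/audit.log` in place of `SAMPLE_LOG`.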

Comment 1 taxu 2022-05-30 00:56:33 UTC
Hi Team, shall we please have a rough ETA or plans for this bug/compliance issue?

Comment 2 gilins 2022-06-06 16:15:55 UTC
Hello team,

Could we please have an estimation of when this is going to be fixed? We have a customer that has inquired about this.

Comment 12 Abu Kashem 2022-08-24 14:02:08 UTC
kewang,
can you please check to see if you can repro it on 4.9.25?

Comment 13 Abu Kashem 2022-08-24 14:06:18 UTC
gilins,

> I think Grant has been able to reproduce that on a 4.9.25 cluster.

can Grant share the actual audit event that has the cert/key (redacted)?

Comment 23 Abu Kashem 2022-11-04 19:17:20 UTC
dpunia,
I set the target version to 4.12.0, I believe qe can start testing it now.

Comment 24 Abu Kashem 2022-11-04 19:24:20 UTC
I fixed it, this is the 4.12.0 bug https://issues.redhat.com//browse/OCPBUGS-3293

Comment 25 Abu Kashem 2022-11-04 19:25:59 UTC
Depends on https://issues.redhat.com/browse/OCPBUGS-3290

Comment 26 Michal Fojtik 2023-01-16 11:33:33 UTC
Dear reporter, we greatly appreciate the bug you have reported here. Unfortunately, due to migration to a new issue-tracking system (https://issues.redhat.com/), we cannot continue triaging bugs reported in Bugzilla. Since this bug has been stale for multiple days, we, therefore, decided to close this bug.

If you think this is a mistake or this bug has a higher priority or severity as set today, please feel free to reopen this bug and tell us why. We are going to move every re-opened bug to https://issues.redhat.com. 

Thank you for your patience and understanding.