Bug 2088033

Summary: Clear text password/secret in operator pod
Product: OpenShift Container Platform
Reporter: Peter Larsen <plarsen>
Component: Storage
Assignee: Michael Engel <mengel>
Storage sub component: oVirt CSI Driver
QA Contact: Veronika Fuxova <vfuxova>
Status: CLOSED ERRATA
Docs Contact:
Severity: medium
Priority: medium
CC: mburman
Version: 4.11
Target Milestone: ---
Target Release: 4.12.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-01-17 19:48:59 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Peter Larsen 2022-05-18 17:21:38 UTC
Description of problem:

The ovirt credentials are available as clear text in the csi-driver operator:

$ oc exec -it ovirt-csi-driver-operator-86db4cb597-rfgwb -- cat /tmp/config/ovirt-config.yaml
Defaulted container "ovirt-csi-driver-operator" out of: ovirt-csi-driver-operator, prepare-ovirt-config (init)
ovirt_url: https://rhvm44.example.org/ovirt-engine/api
ovirt_username: ocp
ovirt_password: CLEARTEXTPASSWORD
# set a valid path only if ca bundle has content
ovirt_cafile: /tmp/config/ovirt-engine-ca.pem
ovirt_insecure: false

Version-Release number of selected component (if applicable):

Client Version: 4.11.0-0.ci-2022-05-16-170425
Kustomize Version: v4.5.4
Kubernetes Version: v1.23.3-2049+69213f85dee380-dirt


How reproducible:
Every time. The operator deployment sets up ENV from secrets and echoes the values of the ENV files into /tmp/config/ovirt-config.yaml, where they stay accessible to any process/code running.

Expected results:
Credentials/URL scrambled or not accessible to other injected processes.

Comment 2 Michael Engel 2022-08-18 08:55:44 UTC
This issue is mitigated by specifying the mounted volume as Memory so the information is no longer stored on an underlying disk (where the credentials could still be readable). This was done in https://github.com/openshift/ovirt-csi-driver-operator/pull/99.
Unfortunately, we can't do much more about this issue. If someone has access to the pod or filesystem, he can also dump the RAM and get the same information. Therefore, we have to close this as a CANT FIX.

Comment 3 Veronika Fuxova 2022-08-26 11:27:50 UTC
Verified on:
OCP 4.12.0-0.nightly-2022-08-23-223922
RHV 4.4 SP1 [ovirt-engine-4.5.2.1-0.1.el8ev]

Verified that the fix's changes are reflected in the daemonset and that /tmp/config is mounted as tmpfs inside the ovirt-csi-driver-node.
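
The mitigation in Comment 2 and the verification in Comment 3, as an added example that is not code from the ovirt-csi-driver-operator project: in Kubernetes, "mounted volume as Memory" means an emptyDir with medium: Memory, which the kubelet backs with tmpfs instead of a directory on the node's disk. The script audits a pod spec for emptyDir volumes that are still disk-backed (the pre-fix shape beside the fixed one) and then applies the tmpfs check from Comment 3 to a /proc/mounts listing. The pod spec fragments, the volume name "config", and the /proc/mounts excerpt are constructed for the example; the container names and the /tmp/config path come from the report.

```python
# Added example (not code from ovirt-csi-driver-operator): audit an emptyDir
# volume for memory backing and confirm a tmpfs mount from /proc/mounts.
from typing import Dict, List, Optional, Tuple

# Constructed pod spec fragments modelled on the pattern in the bug: an init
# container renders credentials from env into a file under /tmp/config, which
# the operator container then reads. The volume name "config" is an assumption.
CONFIG_MOUNT = {"name": "config", "mountPath": "/tmp/config"}

POD_SPEC_DISK_BACKED = {  # before the fix: emptyDir lands on the node's disk
    "initContainers": [{"name": "prepare-ovirt-config", "volumeMounts": [CONFIG_MOUNT]}],
    "containers": [{"name": "ovirt-csi-driver-operator", "volumeMounts": [CONFIG_MOUNT]}],
    "volumes": [{"name": "config", "emptyDir": {}}],
}

POD_SPEC_MEMORY_BACKED = {  # after the fix: tmpfs, never written to disk
    "initContainers": POD_SPEC_DISK_BACKED["initContainers"],
    "containers": POD_SPEC_DISK_BACKED["containers"],
    "volumes": [{"name": "config", "emptyDir": {"medium": "Memory"}}],
}


def disk_backed_emptydirs(pod_spec: Dict) -> List[Tuple[str, List[str]]]:
    """Return (volume name, mount paths) for each emptyDir that is not medium: Memory.

    Such a volume lives under the kubelet's directory on the node's disk, so a
    rendered credential file persists there and can be read from the host.
    """
    mounts: Dict[str, List[str]] = {}
    for c in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
        for vm in c.get("volumeMounts", []):
            mounts.setdefault(vm["name"], []).append(vm["mountPath"])

    findings = []
    for vol in pod_spec.get("volumes", []):
        empty_dir = vol.get("emptyDir")
        if empty_dir is None:
            continue  # secrets, configMaps, PVCs etc. are out of scope here
        if empty_dir.get("medium") != "Memory":
            findings.append((vol["name"], sorted(set(mounts.get(vol["name"], [])))))
    return findings


def mount_fs_type(proc_mounts: str, mount_point: str) -> Optional[str]:
    """Return the filesystem type /proc/mounts records for mount_point, else None.

    Each /proc/mounts line is: device mountpoint fstype options dump pass.
    """
    for line in proc_mounts.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[1] == mount_point:
            return fields[2]
    return None


def config_volume_is_tmpfs(proc_mounts: str, mount_point: str = "/tmp/config") -> bool:
    """The check from Comment 3: is the config directory memory-backed?"""
    return mount_fs_type(proc_mounts, mount_point) == "tmpfs"


# Constructed /proc/mounts excerpt, as it would read inside the container after
# the fix (the real `cat /proc/mounts` output has more lines).
SAMPLE_PROC_MOUNTS = """\
overlay / overlay rw,relatime,seclabel 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp/config tmpfs rw,nosuid,nodev,relatime,seclabel 0 0
tmpfs /var/run/secrets/kubernetes.io/serviceaccount tmpfs ro,relatime,seclabel 0 0
"""


if __name__ == "__main__":
    print("disk-backed emptyDirs before fix:", disk_backed_emptydirs(POD_SPEC_DISK_BACKED))
    print("disk-backed emptyDirs after fix: ", disk_backed_emptydirs(POD_SPEC_MEMORY_BACKED))
    print("/tmp/config is tmpfs:", config_volume_is_tmpfs(SAMPLE_PROC_MOUNTS))
```

Against a live pod, feed `oc exec <pod> -- cat /proc/mounts` into config_volume_is_tmpfs and `oc get pod <pod> -o json` (the .spec object) into disk_backed_emptydirs. Two properties of medium: Memory worth remembering when reviewing such a fix: the tmpfs contents count against the container's memory limit, and the change only removes the at-rest copy on the node; as Comment 2 says, anyone who can already read the pod's filesystem or memory still sees the credentials.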

Comment 6 errata-xmlrpc 2023-01-17 19:48:59 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.12.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:7399