Bug 1416468 - [RFE] The keys used in the cluster should all be private
Summary: [RFE] The keys used in the cluster should all be private
Keywords:
Status: CLOSED DEFERRED
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: RFE
Version: 3.4.0
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
: ---
Assignee: Michal Fojtik
QA Contact: Xiaoli Tian
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-01-25 15:09 UTC by Eric Jones
Modified: 2020-04-15 15:09 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-03-12 13:54:36 UTC
Target Upstream Version:
Embargoed:



Description Eric Jones 2017-01-25 15:09:05 UTC
- What is the nature and description of the request? 
As an admin I require the ability to have my keys for my environment be private.

- Why does the customer need this? (List the business requirements here) 
Security reasons require private keys for the environment.

- Is there already an existing RFE upstream or in Red Hat Bugzilla?
Not that I could find


Additional Information:

The private keys need to be protected, but in a way that maintains OpenShift's ability to bootstrap.

The following files are unencrypted private keys I was able to find:

# grep -lr PRIVATE /etc/origin/
/etc/origin/master/ca.key
/etc/origin/master/master.proxy-client.key
/etc/origin/master/master.etcd-client.key
/etc/origin/master/master.kubelet-client.key
/etc/origin/master/openshift-master.key
/etc/origin/master/master.server.key
/etc/origin/master/serviceaccounts.private.key
/etc/origin/master/admin.key
/etc/origin/master/etcd.server.key
/etc/origin/master/openshift-router.key
/etc/origin/master/openshift-registry.key
/etc/origin/generated-configs/node-<master-FQDN>/system:<master-FQDN>.key
/etc/origin/generated-configs/node-ose3-master.labs.osecloud.com/server.key
/etc/origin/generated-configs/node-<router-FQDN>/system:<router-FQDN>.key
/etc/origin/generated-configs/node-<router-FQDN>/server.key
/etc/origin/generated-configs/node-<node-FQDN>/system:<node-FQDN>.key
/etc/origin/generated-configs/node-<node-FQDN>/server.key
/etc/origin/node/system:node:<master-FQDN>.key
/etc/origin/node/server.key

Also, the private key for the master is present, base64 encoded, in all kubeconfig files.

The key is for the master and is found in:
/etc/origin/node/system:node:<master-FQDN>.key
/etc/origin/generated-configs/node-<master-FQDN>/system:<master-FQDN>.key

Affected kubeconfig files are:

/etc/origin/master/openshift-master.kubeconfig
/etc/origin/master/admin.kubeconfig
/etc/origin/master/openshift-router.kubeconfig
/etc/origin/master/openshift-registry.kubeconfig
/etc/origin/generated-configs/node-<master-FQDN>/system:node:<master-FQDN>.kubeconfig
/etc/origin/generated-configs/node-<node-FQDN>/system:node:<node-FQDN>.kubeconfig
/etc/origin/generated-configs/node-<router-FQDN>/system:node:<router-FQDN>.kubeconfig
/etc/origin/node/system:node:<master-FQDN>.kubeconfig

----
Command to find the private keys in kubeconfig files:

# for kc in $(find /etc/origin -iname '*kubeconfig'); do
    echo "File Name: $kc"
    # every "*-data:" field carries a base64 blob; decode it and keep only private keys
    grep 'data:' "$kc" | tr -s ' ' | while read -r name value; do
        key=$(echo "$value" | base64 -d 2>/dev/null)
        if [ -n "$key" ] && echo "$key" | grep -q PRIVATE; then
            echo "$name"
            echo "$key"
            echo
        fi
    done
done
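
The two findings above (private keys embedded base64 in kubeconfig files, and key files lying around unencrypted on disk) can be turned into a repeatable audit. The script below is an added example written for this page, not code from the bug report or from OpenShift; it assumes only POSIX sh, grep, base64 and find. It builds a constructed sample directory (placeholder key material, not real keys) so it runs offline, then reports which kubeconfig `*-data:` fields decode to a PEM private key and which `*.key` files are readable by group or others. On a real master you would point the two functions at `/etc/origin` instead of the sample directory.

```shell
#!/bin/sh
# Added audit example (not from the bug report or the OpenShift project).
# Check 1: kubeconfig fields whose base64 value decodes to a PEM private key.
# Check 2: *.key files whose mode grants read access to group or others.

# Print the name of every "<name>-data:" field in kubeconfig FILE whose
# base64 value decodes to a PEM private key (normally client-key-data).
# certificate-authority-data / client-certificate-data decode to CERTIFICATE
# blocks and are therefore not reported.
find_embedded_keys() {
    grep -E '^[[:space:]]*[a-z-]+-data:[[:space:]]+[A-Za-z0-9+/=]+[[:space:]]*$' "$1" |
    while read -r name value; do
        if printf '%s' "$value" | base64 -d 2>/dev/null | grep -q 'PRIVATE KEY'; then
            printf '%s\n' "${name%:}"
        fi
    done
}

# List *.key files under DIR with the group-read (040) or other-read (004)
# bit set. Private keys should be 0600 (or 0400) and owned by their consumer.
unprotected_key_files() {
    find "$1" -type f -name '*.key' \( -perm -040 -o -perm -004 \) | sort
}

# Build a constructed sample tree: one kubeconfig embedding a placeholder
# private key plus two .key files with different modes. Prints the directory.
make_sample() {
    dir=$(mktemp -d)
    cert=$(printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBplaceholder' \
        '-----END CERTIFICATE-----' | base64 | tr -d '\n')
    key=$(printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIEplaceholder' \
        '-----END RSA PRIVATE KEY-----' | base64 | tr -d '\n')
    cat > "$dir/admin.kubeconfig" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: sample
  cluster:
    certificate-authority-data: $cert
    server: https://master.example.invalid:8443
users:
- name: admin
  user:
    client-certificate-data: $cert
    client-key-data: $key
EOF
    printf 'placeholder\n' > "$dir/ca.key";     chmod 0600 "$dir/ca.key"
    printf 'placeholder\n' > "$dir/server.key"; chmod 0644 "$dir/server.key"
    printf '%s\n' "$dir"
}

# Run both checks against the constructed sample and clean up.
demo() {
    dir=$(make_sample)
    echo "Fields holding private keys in $dir/admin.kubeconfig:"
    find_embedded_keys "$dir/admin.kubeconfig"
    echo "Key files readable by group/others under $dir:"
    unprotected_key_files "$dir"
    rm -rf "$dir"
}

demo
# On a master: find_embedded_keys /etc/origin/master/admin.kubeconfig
#              unprotected_key_files /etc/origin
```

The field-level check matters because a kubeconfig that is itself mode 0600 still hands the master's key to anyone who can read a copy (backups, support bundles, config management repos); the file-mode check catches the on-disk keys the reporter listed with `grep -lr PRIVATE`.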

Comment 10 Eric Rich 2018-03-12 13:54:36 UTC
This bug has been identified as a dated (created more than 3 months ago) bug.
This bug has been triaged (has a trello card linked to it), or reviewed by Engineering/PM and has been put into the product backlog,
however this bug has not been slated for a currently planned release (3.9, 3.10 or 3.11), which cover our releases for the rest of the calendar year.

As a result of this bug's age, state on the current roadmap and PM Score (being below 70), this bug is being Closed - Deferred,
as it is currently not part of the product's immediate priorities.

Please see: https://docs.google.com/document/d/1zdqF4rB3ea8GmVIZ7qWCVYUaQ7-EexUrQEF0MTwdDkw/edit for more details.

