Bug 1416468 - [RFE] The keys used in the cluster should all be private
Summary: [RFE] The keys used in the cluster should all be private
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: RFE
Version: 3.4.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Michal Fojtik
QA Contact: Xiaoli Tian
Depends On:
Reported: 2017-01-25 15:09 UTC by Eric Jones
Modified: 2020-04-15 15:09 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2018-03-12 13:54:36 UTC
Target Upstream Version:


Description Eric Jones 2017-01-25 15:09:05 UTC
- What is the nature and description of the request? 
As an admin I require the ability to have my keys for my environment be private.

- Why does the customer need this? (List the business requirements here) 
Security reasons require private keys for the environment.

- Is there already an existing RFE upstream or in Red Hat Bugzilla?
Not that I could find

Additional Information:

The private keys need to be protected, but in a way that maintains OpenShift's ability to bootstrap.

The following files are unencrypted private keys I was able to find:

# grep -lr PRIVATE /etc/origin/

Also, there is the private key for the master, base64 encoded in all kubeconfig files.

The key is for the master and is found in:

Affected kubeconfig files are:

/etc/origin/generated-configs/node-<router FQDN>/system:node:<router FQDN>.kubeconfig

Command to find the private keys in kubeconfig files:

for i in $(find /etc/origin -iname '*kubeconfig'); do
    echo "File Name: $i"
    grep 'data:' "$i" | tr -s ' ' | while read -r name value; do
        key=$(echo "$value" | base64 -d 2>/dev/null)
        if [ -n "$key" ] && echo "$key" | grep -q PRIVATE; then
            echo "$name"
            echo "$key"
            echo
        fi
    done
done
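
The same check the one-liner above performs, written as an added example (not part of the original report or of OpenShift itself) that also classifies each inline blob, so a reviewer can tell a harmless embedded CA certificate from an embedded private key. It scans kubeconfig text line by line for `*-data:` fields, base64-decodes each value, reads the PEM header, and flags anything whose label contains `PRIVATE KEY`; a helper reports whether a file's mode grants any group/other access. The sample kubeconfig and its PEM contents are constructed placeholders, not real key material or real cluster names.

```python
import base64
import binascii
import os
import re
import stat
from typing import Dict, List, Optional

# Inline credential fields in a kubeconfig look like "client-key-data: LS0t...".
DATA_FIELD = re.compile(r"^\s*(?P<field>[a-z-]+-data):\s*(?P<b64>\S+)\s*$")
PEM_HEADER = re.compile(rb"-----BEGIN ([A-Z ]+)-----")


def classify_pem(blob: bytes) -> Optional[str]:
    """Return the PEM block label (e.g. 'RSA PRIVATE KEY', 'CERTIFICATE'), or None if not PEM."""
    m = PEM_HEADER.search(blob)
    return m.group(1).decode() if m else None


def find_inline_secrets(kubeconfig_text: str) -> List[Dict]:
    """Report every *-data field; mark those that decode to a PEM private key."""
    findings = []
    for lineno, line in enumerate(kubeconfig_text.splitlines(), 1):
        m = DATA_FIELD.match(line)
        if not m:
            continue
        finding = {"line": lineno, "field": m.group("field"), "pem_type": None, "private": False}
        try:
            decoded = base64.b64decode(m.group("b64"), validate=True)
        except (binascii.Error, ValueError):
            # Malformed base64 is worth reporting too: it still names a credential field.
            finding["error"] = "invalid base64"
            findings.append(finding)
            continue
        label = classify_pem(decoded)
        finding["pem_type"] = label
        finding["private"] = label is not None and "PRIVATE KEY" in label
        findings.append(finding)
    return findings


def owner_only(path: str) -> bool:
    """True if the file has no group/other permission bits (e.g. mode 0600)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


# Constructed sample; the PEM bodies are placeholders, not real keys or certificates.
_FAKE_KEY_PEM = b"-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER-NOT-A-REAL-KEY\n-----END RSA PRIVATE KEY-----\n"
_FAKE_CERT_PEM = b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER-NOT-A-REAL-CERT\n-----END CERTIFICATE-----\n"

SAMPLE_KUBECONFIG = f"""apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: {base64.b64encode(_FAKE_CERT_PEM).decode()}
    server: https://master.example.com:8443
  name: master-example-com:8443
users:
- name: system:node:node1.example.com
  user:
    client-certificate-data: {base64.b64encode(_FAKE_CERT_PEM).decode()}
    client-key-data: {base64.b64encode(_FAKE_KEY_PEM).decode()}
"""

if __name__ == "__main__":
    for f in find_inline_secrets(SAMPLE_KUBECONFIG):
        marker = "PRIVATE KEY INLINE" if f["private"] else "ok"
        print(f"line {f['line']}: {f['field']} -> {f.get('pem_type') or f.get('error')} [{marker}]")
```

To run it against a real file, read the file into a string and pass it to `find_inline_secrets`; any finding with `private` set is a key that could instead be stored as a separate 0600 file referenced by `client-key:`, which `owner_only` can then verify.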

Comment 10 Eric Rich 2018-03-12 13:54:36 UTC
This bug has been identified as a dated (created more than 3 months ago) bug.
This bug has been triaged (has a Trello card linked to it), or reviewed by Engineering/PM and has been put into the product backlog;
however, this bug has not been slated for a currently planned release (3.9, 3.10 or 3.11), which cover our releases for the rest of the calendar year.

As a result of this bug's age, state on the current roadmap and PM Score (being below 70), this bug is being Closed - Deferred,
as it is currently not part of the product's immediate priorities.

Please see: https://docs.google.com/document/d/1zdqF4rB3ea8GmVIZ7qWCVYUaQ7-EexUrQEF0MTwdDkw/edit for more details.
