Bug 1669019 - Check for file paths outside of /etc/origin/master in master's config fails on auditConfig.policyConfiguration
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.11.0
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: 3.11.z
Assignee: Vadim Rutkovsky
QA Contact: Gaoyun Pei
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2019-01-24 07:00 UTC by Jatan Malde
Modified: 2019-02-20 14:11 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-02-20 14:11:02 UTC




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:0326 None None None 2019-02-20 14:11:07 UTC

Description Jatan Malde 2019-01-24 07:00:18 UTC
Description of problem:

https://github.com/openshift/openshift-ansible/issues/11004
https://github.com/openshift/openshift-ansible/pull/11015

The openshift_control_plane "Check for file paths outside of /etc/origin/master in master's config" fails on auditConfig policyConfiguration that includes nonResourceURLs specifications by interpreting these as file paths.


Request to include the above fix #11015 

Version-Release number of the following components:
rpm -q openshift-ansible
rpm -q ansible
ansible --version

How reproducible:


  1.Start with a master with /etc/origin/master/master-config.yaml containing:

auditConfig:
  auditFilePath: /var/log/origin/audit.log
  enabled: true
  logFormat: json
  policyConfiguration:
    apiVersion: audit.k8s.io/v1beta1
    omitStages:
    - RequestReceived
    rules:
    - level: Metadata
      nonResourceURLs:
      - /login*
      - /oauth*

  2.Run openshift-ansible deploy


Actual results:
Please include the entire output from the last TASK line through the end of output if an error is generated

Expected results:

Additional info:
Please attach logs from ansible-playbook with the -vvv flag
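
Added example (not code from openshift-ansible, and not posted by the reporter): a minimal re-implementation of the "file paths outside of /etc/origin/master" check, run over an in-memory copy of the auditConfig fragment above. The allowlist of directories is taken from the task's own error message; the parsed config is constructed by hand from the YAML in this report, with one hypothetical servingInfo.certFile outside the allowlist added so the check still has a real offender to catch. The first call reproduces the over-eager behaviour (every string starting with "/" is treated as a file path, so "/login*" is reported); the second exempts values under the nonResourceURLs key, which are URL path patterns from the Kubernetes audit policy API rather than files on disk. That exemption is this example's assumption about what a fix looks like, not a description of what PR #11015 actually changed.

```python
# Example code, not openshift-ansible's check and not the reporter's code.
# Walks a parsed master-config and reports absolute-looking strings that
# are outside an allowlist of directories, with and without an exemption
# for URL-pattern keys such as nonResourceURLs.

from typing import Any, Iterator, List, Tuple

# Directory allowlist copied from the error message in this bug report.
ALLOWED_DIRS = (
    "/dev/null",
    "/etc/origin/master/",
    "/var/lib/origin",
    "/etc/origin/cloudprovider",
    "/etc/origin/kubelet-plugins",
    "/usr/libexec/kubernetes/kubelet-plugins",
    "/var/log/origin",
)

# Config keys whose string values are URL path patterns, not files on disk.
# Exempting this key is the example's assumption about the shape of a fix,
# not the text of PR #11015.
URL_PATTERN_KEYS = frozenset({"nonResourceURLs"})

# Constructed test input: the reporter's auditConfig fragment parsed into a
# dict, plus one hypothetical certificate path outside the allowlist.
MASTER_CONFIG: dict = {
    "auditConfig": {
        "auditFilePath": "/var/log/origin/audit.log",
        "enabled": True,
        "logFormat": "json",
        "policyConfiguration": {
            "apiVersion": "audit.k8s.io/v1beta1",
            "omitStages": ["RequestReceived"],
            "rules": [
                {"level": "Metadata", "nonResourceURLs": ["/login*", "/oauth*"]},
            ],
        },
    },
    "servingInfo": {
        "certFile": "/root/certs/master.crt",  # hypothetical genuine offender
    },
}


def walk_strings(node: Any, key_path: Tuple = ()) -> Iterator[Tuple[Tuple, str]]:
    """Yield (key_path, value) for every string scalar in nested dicts/lists."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk_strings(value, key_path + (key,))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk_strings(value, key_path + (index,))
    elif isinstance(node, str):
        yield key_path, node


def is_inside_allowed_dir(path: str) -> bool:
    """True if path is an allowed entry itself or lives under one of them."""
    for allowed in ALLOWED_DIRS:
        base = allowed.rstrip("/")
        if path == base or path.startswith(base + "/"):
            return True
    return False


def find_paths_outside_allowlist(config: dict, exempt_url_keys: bool = True) -> List[str]:
    """Return every string starting with '/' that is not under an allowed dir.

    exempt_url_keys=False reproduces the over-eager behaviour from the bug:
    '/login*' and '/oauth*' under nonResourceURLs are reported as file paths.
    """
    offenders: List[str] = []
    for key_path, value in walk_strings(config):
        under_url_key = any(
            isinstance(part, str) and part in URL_PATTERN_KEYS for part in key_path
        )
        if exempt_url_keys and under_url_key:
            continue
        if value.startswith("/") and not is_inside_allowed_dir(value):
            offenders.append(value)
    return offenders


if __name__ == "__main__":
    print("before fix:", find_paths_outside_allowlist(MASTER_CONFIG, exempt_url_keys=False))
    print("after fix: ", find_paths_outside_allowlist(MASTER_CONFIG))
```

The key-path walk matters more than the string test: a value like "/login*" is only recognisable as a URL pattern from where it sits in the document, so the exemption must be keyed on the parent key rather than on the value's shape, and an unrelated path outside the allowlist (the hypothetical certFile here) is still reported after the exemption is applied.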

Comment 1 Vadim Rutkovsky 2019-01-29 10:44:28 UTC
Fix is available in openshift-ansible-3.11.73-1

Comment 2 Gaoyun Pei 2019-01-30 05:23:22 UTC
Could reproduce this bug with openshift-ansible-3.11.59-1

When master has such auditConfig field configured in master-config.yaml

auditConfig:
  auditFilePath: /var/log/origin/audit.log
  enabled: true
  logFormat: json
  policyConfiguration:
    apiVersion: audit.k8s.io/v1beta1
    omitStages:
    - RequestReceived
    rules:
    - level: Metadata
      nonResourceURLs:
      - /login*
      - /oauth*

Run openshift-ansible/playbooks/byo/openshift_facts.yml playbook, it would fail as below.

TASK [openshift_control_plane : Check for file paths outside of /etc/origin/master in master's config] **********************************************************************
fatal: [ec2-3-81-139-156.compute-1.amazonaws.com]: FAILED! => {"msg": "A string value that appears to be a file path located outside of\n/dev/null, /etc/origin/master/, /var/lib/origin, /etc/origin/cloudprovider, /etc/origin/kubelet-plugins, /usr/libexec/kubernetes/kubelet-plugins, /var/log/origin has been found in /etc/origin/master/master-config.yaml.\nIn 3.10 and newer, all files needed by the master must reside inside of\nthose directories or a subdirectory or it will not be readable by the\nmaster process. Please migrate all files needed by the master into\none of /dev/null, /etc/origin/master/, /var/lib/origin, /etc/origin/cloudprovider, /etc/origin/kubelet-plugins, /usr/libexec/kubernetes/kubelet-plugins, /var/log/origin or a subdirectory and update your master configs before\nproceeding. The string found was: /login*\n***********************\nNOTE: the following items do not need to be migrated, they will be migrated\nfor you: oauthConfig.identityProviders"}


Tried again with openshift-ansible-3.11.75-1.git.0.95e8e2a.el7.noarch, this step could pass.
TASK [openshift_control_plane : Check for file paths outside of /etc/origin/master in master's config] **********************************************************************
ok: [ec2-3-81-139-156.compute-1.amazonaws.com] => {"changed": false, "msg": "Aight, configs looking good"}

Comment 4 errata-xmlrpc 2019-02-20 14:11:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0326

