`oc -n kube-system get -o yaml configmap/cluster-config-v1` shows a configmap that contains a pull secret inside of it. Secrets are special-cased in multiple locations to indicate that they are escalating. ConfigMaps are not. We should not place secret information in a configmap. Note that there is a big difference between "anyone can use this secret to pull an image" and "anyone can see the content of this secret". One allows opaque usage and eliminates unintended use attacks. The other does not.
PR https://github.com/openshift/installer/pull/1379 redacts the pull-secret in the install-config pushed to the cluster. But it looks like the monitoring might be using those contents to communicate with telemeter, looking at the failing test https://openshift-gce-devel.appspot.com/build/origin-ci-test/pr-logs/pull/openshift_installer/1379/pull-ci-openshift-installer-master-e2e-aws/4401#openshift-tests-featureprometheusconformance-prometheus-when-installed-on-the-cluster-should-report-telemetry-if-a-cloudopenshiftcom-token-is-present-suiteopenshiftconformanceparallelminimal
```
fail [github.com/openshift/origin/test/extended/prometheus/prometheus.go:385]: Mar 6 22:59:13.481: could not unmashal pullSecret from cluster-config-v1: invalid character 'X' looking for beginning of value
```
installer#1379 landed over a week ago.
Verified this bug with 4.0.0-0.nightly-2019-03-23-222829, and PASS.
```
# oc -n kube-system get -o yaml configmap/cluster-config-v1|grep -i PullSecret
pullSecret: ""
```
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:0758
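The verification above greps for the `pullSecret` key by name. As an added example (not part of the original report or of the installer's code), the check below goes further and scans every `data` value of a ConfigMap, as returned by `oc get -o json`, for an embedded registry credential document (`{"auths": ...}`), reporting only the data key and registry name and never the credential. The sample ConfigMaps, `registry.example.com` and the function names are constructed for illustration, and the scan assumes the JSON is stored unescaped (plain or single-quoted YAML scalar).

```python
import json


def find_embedded_pull_secrets(configmap):
    """Return sorted (data key, registry) pairs for registry credentials found in a ConfigMap."""
    decoder = json.JSONDecoder()
    findings = set()
    for key, text in (configmap.get("data") or {}).items():
        pos = text.find("{")
        while pos != -1:
            try:
                # Try to decode a JSON document starting at this brace.
                obj, end = decoder.raw_decode(text, pos)
            except ValueError:
                obj, end = None, pos + 1  # not JSON here, keep scanning
            if isinstance(obj, dict) and isinstance(obj.get("auths"), dict):
                for registry, entry in obj["auths"].items():
                    # A non-empty auth/password field means a usable credential is readable.
                    if isinstance(entry, dict) and (entry.get("auth") or entry.get("password")):
                        findings.add((key, registry))
            pos = text.find("{", end)
    return sorted(findings)


def _sample(pull_secret_scalar):
    # Constructed ConfigMap in the shape of `oc get -o json`; not real cluster data.
    install_config = "baseDomain: example.com\npullSecret: " + pull_secret_scalar + "\n"
    return {
        "kind": "ConfigMap",
        "metadata": {"name": "cluster-config-v1", "namespace": "kube-system"},
        "data": {"install-config": install_config},
    }


# Constructed inputs: one with an embedded credential, one redacted as in the verification.
LEAKY = _sample(
    "'" + json.dumps({"auths": {"registry.example.com": {"auth": "CONSTRUCTED-PLACEHOLDER"}}}) + "'"
)
REDACTED = _sample('""')

if __name__ == "__main__":
    for name, cm in (("leaky", LEAKY), ("redacted", REDACTED)):
        hits = find_embedded_pull_secrets(cm)
        print(name, "->", hits if hits else "no embedded registry credentials")
```
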