Bug 1686119 - installer places secret information into a configmap
Summary: installer places secret information into a configmap
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 4.1.0
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
: 4.1.0
Assignee: Abhinav Dahiya
QA Contact: Johnny Liu
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-03-06 18:35 UTC by David Eads
Modified: 2019-06-04 10:45 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-04 10:45:04 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:0758 None None None 2019-06-04 10:45:10 UTC
Github openshift installer pull 1379 'None' 'closed' 'asset/manifests: redact the pull-secret from the cluster object of the install-config' 2019-12-03 21:00:45 UTC

Description David Eads 2019-03-06 18:35:08 UTC
`oc -n kube-system get -o yaml configmap/cluster-config-v1` shows a configmap that contains a pull secret inside of it.  Secrets are special-cased in multiple locations to indicate that they are escalating.  ConfigMaps are not. We should not place secret information in a configmaps.

Note that there is a big difference between "anyone can use this secret to pull an image" and "anyone can see the content of this secret".  One allows opaque usage and eliminates unintended use attacks.  The other does not.

Comment 1 Abhinav Dahiya 2019-03-06 23:23:56 UTC
PR https://github.com/openshift/installer/pull/1379 redacts the pull-secret in the install-config pushed to the cluster.

But it looks like the monitoring might be using those contents to communicate with telemeter, looking at the failing test https://openshift-gce-devel.appspot.com/build/origin-ci-test/pr-logs/pull/openshift_installer/1379/pull-ci-openshift-installer-master-e2e-aws/4401#openshift-tests-featureprometheusconformance-prometheus-when-installed-on-the-cluster-should-report-telemetry-if-a-cloudopenshiftcom-token-is-present-suiteopenshiftconformanceparallelminimal

```
fail [github.com/openshift/origin/test/extended/prometheus/prometheus.go:385]: Mar  6 22:59:13.481: could not unmashal pullSecret from cluster-config-v1: invalid character 'X' looking for beginning of value
```

Comment 3 W. Trevor King 2019-03-19 21:30:44 UTC
installer#1379 landed over a week ago.

Comment 5 Johnny Liu 2019-03-25 06:25:14 UTC
Verified this bug with 4.0.0-0.nightly-2019-03-23-222829, and PASS.

# oc -n kube-system get -o yaml configmap/cluster-config-v1|grep -i PullSecret
    pullSecret: ""

Comment 7 errata-xmlrpc 2019-06-04 10:45:04 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0758


Note You need to log in before you can comment on or make changes to this bug.