1723472 – must-gather should redact kubectl.kubernetes.io/last-applied-configuration in secrets

Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be available on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.

Bug 1723472 - must-gather should redact kubectl.kubernetes.io/last-applied-configuration in secrets

Summary: must-gather should redact kubectl.kubernetes.io/last-applied-configuration in...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	oc
Sub Component:
Version:	4.2.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	high
Target Milestone:	---
Target Release:	4.2.0
Assignee:	Luis Sanchez
QA Contact:	zhou ying
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1735363
TreeView+	depends on / blocked

Reported:	2019-06-24 15:09 UTC by Naveen Malik
Modified:	2019-10-16 06:32 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Clones:	1735363 (view as bug list)
Environment:
Last Closed:	2019-10-16 06:32:20 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	openshift must-gather pull 115	0	None	closed	Bug 1723472: must-gather should redact kubectl.kubernetes.io/last-applied-configuration in secrets	2020-02-19 21:43:23 UTC
Red Hat Product Errata	RHBA-2019:2922	0	None	None	None	2019-10-16 06:32:32 UTC

Description Naveen Malik 2019-06-24 15:09:24 UTC

Description of problem:
Some secret data is redacted but annotations are kept.  This means the encoded secret is gathered.

Version-Release number of selected component (if applicable):
oc version: v4.1.0+515979d-839-dirty
(note this is the version reported by oc binary from quay.io/openshift/origin-cli:4.2.0)

How reproducible:
Every time

Steps to Reproduce:
1. Get latest 4.2.0 cli from quay.io/openshift/origin-cli:4.2.0
2. Login to v4 cluster as kubeadmin
3. Run `oc adm must-gather`

Actual results:
Annotation "kubectl.kubernetes.io/last-applied-configuration" with passwords are not redacted.  

Expected results:
Annotation "kubectl.kubernetes.io/last-applied-configuration" with passwords are redacted along with the secret data.

Additional info:
Example of this is secret for LDAP bindPassword created in openshift-config namespace.  Both this secret and the copy of the secret in openshift-authentication have the encoded "bindPassword" value in annotation "kubectl.kubernetes.io/last-applied-configuration" in the must-gather output.

Comment 1 Luis Sanchez 2019-07-31 20:03:51 UTC

https://github.com/openshift/must-gather/pull/115

Comment 3 zhou ying 2019-08-01 07:10:55 UTC

Confirmed with image from Payload: 4.2.0-0.nightly-2019-08-01-035705, the issue has fixed:
Now all the secrets all empty like this:
  metadata:
    annotations:
      kubectl.kubernetes.io/last-applied-configuration: ""

Comment 4 errata-xmlrpc 2019-10-16 06:32:20 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2922

Note You need to log in before you can comment on or make changes to this bug.