Bug 1879182
| Summary: | switch over to secure access-token logging by default and delete old non-sha256 tokens | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Abu Kashem <akashem> |
| Component: | openshift-apiserver | Assignee: | Standa Laznicka <slaznick> |
| Status: | CLOSED ERRATA | QA Contact: | liyao |
| Severity: | medium | Docs Contact: | |
| Priority: | low | ||
| Version: | 4.6 | CC: | aos-bugs, mfojtik, sttts, xxia |
| Target Milestone: | --- | Flags: | mfojtik:
needinfo?
|
| Target Release: | 4.8.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | LifecycleReset | ||
| Fixed In Version: | Doc Type: | Removed functionality | |
| Doc Text: |
The authentication and openshift-apiserver operators now ignore the "oauth-apiserver.openshift.io/secure-token-storage" annotation of the apiserver.config/cluster annotation when picking the audit policy. The audit policy that would have previously been picked by this annotation settings is now the default.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-07-27 22:32:55 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Abu Kashem
2020-09-15 15:52:35 UTC
This bug hasn't had any activity in the last 30 days. Maybe the problem got resolved, was a duplicate of something else, or became less pressing for some reason - or maybe it's still relevant but just hasn't been looked at yet. As such, we're marking this bug as "LifecycleStale" and decreasing the severity/priority. If you have further information on the current state of the bug, please update it, otherwise this bug can be closed in about 7 days. The information can be, for example, that the problem still occurs, that you still want the feature, that more information is needed, or that the bug is (for whatever reason) no longer relevant. Additionally, you can add LifecycleFrozen into Keywords if you think this bug should never be marked as stale. Please consult with bug assignee before you do that. This bug hasn't had any activity in the last 30 days. Maybe the problem got resolved, was a duplicate of something else, or became less pressing for some reason - or maybe it's still relevant but just hasn't been looked at yet. As such, we're marking this bug as "LifecycleStale" and decreasing the severity/priority. If you have further information on the current state of the bug, please update it, otherwise this bug can be closed in about 7 days. The information can be, for example, that the problem still occurs, that you still want the feature, that more information is needed, or that the bug is (for whatever reason) no longer relevant. Additionally, you can add LifecycleFrozen into Keywords if you think this bug should never be marked as stale. Please consult with bug assignee before you do that. The LifecycleStale keyword was removed because the bug got commented on recently. The bug assignee was notified. This bug hasn't had any activity in the last 30 days. Maybe the problem got resolved, was a duplicate of something else, or became less pressing for some reason - or maybe it's still relevant but just hasn't been looked at yet. As such, we're marking this bug as "LifecycleStale" and decreasing the severity/priority. If you have further information on the current state of the bug, please update it, otherwise this bug can be closed in about 7 days. The information can be, for example, that the problem still occurs, that you still want the feature, that more information is needed, or that the bug is (for whatever reason) no longer relevant. Additionally, you can add LifecycleFrozen into Keywords if you think this bug should never be marked as stale. Please consult with bug assignee before you do that. The LifecycleStale keyword was removed because the bug got commented on recently. The bug assignee was notified. This bug hasn't had any activity in the last 30 days. Maybe the problem got resolved, was a duplicate of something else, or became less pressing for some reason - or maybe it's still relevant but just hasn't been looked at yet. As such, we're marking this bug as "LifecycleStale" and decreasing the severity/priority. If you have further information on the current state of the bug, please update it, otherwise this bug can be closed in about 7 days. The information can be, for example, that the problem still occurs, that you still want the feature, that more information is needed, or that the bug is (for whatever reason) no longer relevant. Additionally, you can add LifecycleFrozen into Keywords if you think this bug should never be marked as stale. Please consult with bug assignee before you do that. This can wait until next week for 4.9. The LifecycleStale keyword was removed because the bug moved to QE and the bug got commented on recently. The bug assignee was notified. Tested in fresh cluster 4.8.0-0.nightly-2021-06-16-190035
1. check the current audit policy of cluster
$ oc get apiserver/cluster -ojson | jq .spec.audit
{
"profile": "Default"
}
2. check audit config file currently used by openshift-oauth-apiserver
$ oauth_pod=$(oc get pods -n openshift-oauth-apiserver | grep 'apiserver' | awk 'NR==1{print $1}')
$ oc get pod -n openshift-oauth-apiserver $oauth_pod -o yaml | grep audit-policy-file
--audit-policy-file=/var/run/configmaps/audit/default.yaml \
--audit-policy-file=/var/run/configmaps/audit/default.yaml \
--audit-policy-file=/var/run/configmaps/audit/default.yaml \
it's found audit config file is switched over from previous secure-oauth-storage-default.yaml to current default.yaml
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:2438 |