Bug 1908316 - kube-rbac-proxy exposes tokens, has excessive verbosity
Summary: kube-rbac-proxy exposes tokens, has excessive verbosity
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Cloud Compute
Version: 4.7
Hardware: Unspecified
OS: Unspecified
medium
high
Target Milestone: ---
: 4.6.z
Assignee: Joel Speed
QA Contact: Milind Yadav
URL:
Whiteboard:
Depends On: 1907380
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-12-16 12:02 UTC by OpenShift BugZilla Robot
Modified: 2021-02-01 15:24 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: The log level for the kube-rbac-proxy was set to level 10 Consequence: Logs messages contained excessive detail about the operations of the kube-rbac-proxy. Much more than needed in most scenarios Fix: Reduce the log level to 3 to match other components Result: Log messages have been reduced and are much more appropriate
Clone Of:
Environment:
Last Closed: 2021-02-01 15:24:32 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift cluster-autoscaler-operator pull 191 0 None closed Bug 1908316: Reduce verbosity of kube-rbac-proxy logging 2021-01-26 09:44:42 UTC
Github openshift cluster-machine-approver pull 99 0 None closed Bug 1908316: Reduce verbosity of kube-rbac-proxy logging 2021-01-26 09:44:43 UTC
Github openshift machine-api-operator pull 779 0 None closed Bug 1908316: Reduce verbosity of kube-rbac-proxy logging 2021-01-26 09:44:42 UTC
Github openshift machine-api-operator pull 784 0 None closed Bug 1908316: Reduce verbosity of kube-rbac-proxy logging for operator 2021-01-26 09:44:42 UTC
Red Hat Product Errata RHBA-2021:0235 0 None None None 2021-02-01 15:24:55 UTC

Description OpenShift BugZilla Robot 2020-12-16 12:02:58 UTC
+++ This bug was initially created as a clone of Bug #1907380 +++

Description of problem:
kube-rbac-proxy container in various components of `openshift-machine-api` has excessive verbosity:
* unnecessarily logs too many lines which decreases disk performance
* logs bearer tokens, which is insecure

This seems to happen for all providers - noticed in AWS and vSphere tests at least

--- Additional comment from vrutkovs on 2020-12-14 11:42:57 UTC ---

Same for pods in `openshift-cluster-machine-approver` namespace

Comment 1 Milind Yadav 2021-01-22 07:19:34 UTC
This bug's PR is dev-approved and not yet merged, so I'm following DPTP-660 to do pre-merge verification by using cluster-bot to launch a cluster with the open PR.

VALIDATED 

[miyadav@miyadav ~]$ oc logs -f machine-approver-7f749dcd59-pg2fp
error: a container name must be specified for pod machine-approver-7f749dcd59-pg2fp, choose one of: [kube-rbac-proxy machine-approver-controller]
[miyadav@miyadav ~]$ oc logs -f machine-approver-7f749dcd59-pg2fp -c kube-rbac-proxy
I0122 06:28:21.035801       1 main.go:157] Reading config file: /etc/kube-rbac-proxy/config-file.yaml
I0122 06:28:21.037946       1 main.go:188] Valid token audiences: 
I0122 06:28:21.038078       1 main.go:261] Reading certificate files
I0122 06:28:21.038444       1 main.go:294] Starting TCP socket on 0.0.0.0:9192
I0122 06:28:21.038969       1 main.go:301] Listening securely on 0.0.0.0:9192
.
.

[miyadav@miyadav ~]$ oc logs -f machine-api-controllers-cbd448b48-fdn4p -c kube-rbac-proxy-machineset-mtrc
I0122 06:28:56.402920       1 main.go:157] Reading config file: /etc/kube-rbac-proxy/config-file.yaml
I0122 06:28:56.407824       1 main.go:188] Valid token audiences: 
I0122 06:28:56.407984       1 main.go:261] Reading certificate files
I0122 06:28:56.408461       1 main.go:294] Starting TCP socket on 0.0.0.0:8442
I0122 06:28:56.411335       1 main.go:301] Listening securely on 0.0.0.0:8442
.
.
[miyadav@miyadav ~]$ oc logs -f machine-api-controllers-cbd448b48-fdn4p -c kube-rbac-proxy-machine-mtrc
I0122 06:28:56.757119       1 main.go:157] Reading config file: /etc/kube-rbac-proxy/config-file.yaml
I0122 06:28:56.759119       1 main.go:188] Valid token audiences: 
I0122 06:28:56.759275       1 main.go:261] Reading certificate files
I0122 06:28:56.759596       1 main.go:294] Starting TCP socket on 0.0.0.0:8441
I0122 06:28:56.760096       1 main.go:301] Listening securely on 0.0.0.0:8441
.
.
.
[miyadav@miyadav ~]$ oc logs -f cluster-autoscaler-operator-5bcc7fdcf-2nqfc -c kube-rbac-proxy
I0122 06:28:21.499005       1 main.go:157] Reading config file: /etc/kube-rbac-proxy/config-file.yaml
I0122 06:28:21.501197       1 main.go:188] Valid token audiences: 
I0122 06:28:21.501329       1 main.go:261] Reading certificate files
I0122 06:28:21.501663       1 main.go:294] Starting TCP socket on 0.0.0.0:9192
I0122 06:28:21.502443       1 main.go:301] Listening securely on 0.0.0.0:9192

Was created using clusterbot for open PR - Cluster version is 4.6.0-0.ci.test-2021-01-22-061115-ci-ln-c7wmwhk ,  After the PR gets merged, the bug will be moved to VERIFIED by the bot automatically, if not working, I will move to VERIFIED manually.

Comment 5 errata-xmlrpc 2021-02-01 15:24:32 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6.15 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:0235


Note You need to log in before you can comment on or make changes to this bug.