Created attachment 1816983 (private): ocp 3.x

Build process in OpenShift 4 would print out all ENV, LABEL, image get/push details to the log. Please refer to the attached build logs [private] from OpenShift 3.11 and OpenShift 4.6. There is extra info being printed in the OCP 4.X version, which includes info like Step 1, 2, 3, 4. The concern is particularly about STEP 6: ENV, which prints out all env variables including sensitive information like secrets or certificates. Need to reduce the logs outputted. Looked into BUILD_LOGLEVEL but there wasn't an option to reduce the log details.
Confirmed that even on the latest buildah (1.22), ENV steps are printed to stdout even if buildah's log level is set to "error" or higher.

Reproducer:

1. Create a simple Containerfile that has an ENV statement:

```
FROM registry.redhat.io/ubi8/ubi:latest
ENV SECRET_DATA="hello-world"
RUN echo "Hello world!"
```

2. Build an image with the Containerfile above, with log level set to "error":

```
$ buildah --log-level=error bud -t hello-world:latest -f Containerfile .
```

Result: Step ENV is printed.
Filed upstream issue for buildah: https://github.com/containers/buildah/issues/3473 We will then have to think carefully about how we tune buildah's log output. I believe the convention is that log level 0 is considered "info" - we don't have a means to tell OpenShift builds to only print warning/error messages.
ENV declarations are set into the resulting container image - anything sensitive will leak in the deployed application. Therefore this is not as major a security concern, since by using ENV variables the developer is accepting that those values can be distributed/leaked. For truly sensitive information, using Secrets as a build input are the best option available today [1]. Once OCP 4.9 is released, we will have a better option with build volumes [2].

To get logging back to parity with OCP 3.11, we can pass buildah the "--quiet" option, which suppresses those STEP announcements. Our convention is to increase logging when BUILD_LOGLEVEL is set to 2 or higher - we can drop the quiet option then.

[1] https://docs.openshift.com/container-platform/4.8/cicd/builds/creating-build-inputs.html#builds-input-secrets-configmaps_creating-build-inputs
[2] https://issues.redhat.com/browse/BUILD-257
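Added example, not code from this bug thread nor from OpenShift or buildah: a POSIX sh helper that applies the convention described in the comment above (pass buildah `--quiet` unless BUILD_LOGLEVEL is 2 or higher), plus a check over a captured build log in the shape of the reproducer from the earlier comment that counts and redacts `STEP n: ENV` lines before the log is stored or shared. The STEP line format, the function names and the sample log are assumptions constructed for this example.

```shell
#!/bin/sh
# Constructed sample build log (assumed buildah STEP layout, not captured output).
SAMPLE_LOG='STEP 1/3: FROM registry.redhat.io/ubi8/ubi:latest
STEP 2/3: ENV SECRET_DATA="hello-world"
STEP 3/3: RUN echo "Hello world!"
Hello world!'

# Print the buildah flag to add for a given BUILD_LOGLEVEL (default 0):
# "--quiet" suppresses the STEP announcements (and so the ENV echo) below
# level 2; at 2 or higher nothing is added, so the STEP lines are kept.
buildah_log_flags() {
    level="${1:-0}"
    case "$level" in
        ''|*[!0-9]*) level=0 ;;   # non-numeric value: treat as the default 0
    esac
    if [ "$level" -ge 2 ]; then
        printf ''
    else
        printf '%s\n' "--quiet"
    fi
}

# Count "STEP n: ENV ..." lines on stdin: each one echoes an ENV declaration,
# and possibly a secret value, into the log.
env_leak_count() {
    grep -c -E '^STEP [0-9]+(/[0-9]+)?: ENV ' || true
}

# Redact the value of single-variable "STEP n: ENV NAME=value" (or "NAME value")
# lines on stdin, keeping the variable name so the step stays identifiable.
redact_env_steps() {
    sed -E 's/^(STEP [0-9]+(\/[0-9]+)?: ENV [A-Za-z_][A-Za-z0-9_]*)[= ].*$/\1=<redacted>/'
}

# Stand-alone run: show the flag decision and sanitize the sample log.
printf 'BUILD_LOGLEVEL unset -> %s\n' "$(buildah_log_flags)"
printf 'BUILD_LOGLEVEL=2     -> [%s]\n' "$(buildah_log_flags 2)"
printf 'ENV steps in log: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | env_leak_count)"
printf '%s\n' "$SAMPLE_LOG" | redact_env_steps
```
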
@cdaley Customer has confirmed that they are using secrets: https://docs.openshift.com/container-platform/4.8/cicd/builds/creating-build-inputs.html#builds-input-secrets-configmaps_creating-build-inputs

But not able to use the "--quiet" build argument since they are using the OpenShift s2i config:

```
strategy:
  type: Source
  sourceStrategy:
    from:
      kind: ImageStreamTag
      namespace: xxxxxxx
      name: 's2i-xxxxxx-xxxxxxx:v1.0.0'
```

Under this setting, the secret as well as every other OpenShift secret are printed. Do we have any workaround for this?