1999261 – ovnkube-node log spam (and security token leak?)

Bug 1999261 - ovnkube-node log spam (and security token leak?)

Summary: ovnkube-node log spam (and security token leak?)

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Networking
Sub Component:
Version:	4.9
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	medium
Target Milestone:	---
Target Release:	4.10.0
Assignee:	Riccardo Ravaioli
QA Contact:	Anurag saxena
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2009857
TreeView+	depends on / blocked

Reported:	2021-08-30 18:20 UTC by Dan Winship
Modified:	2022-03-31 02:52 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2022-03-12 04:37:58 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	openshift ovn-kubernetes pull 742	0	None	open	Bug 1999261: filter out KubeAPIAuth when logging CNI requests	2021-09-14 15:58:28 UTC
Red Hat Product Errata	RHSA-2022:0056	0	None	None	None	2022-03-12 04:38:16 UTC

Description Dan Winship 2021-08-30 18:20:51 UTC

At default log levels, ovnkube-node is logging some very verbose pod fields:

I0829 00:36:35.134556   10110 cni.go:246] [openshift-console-operator/console-operator-b7df4775c-8bnqm 8af3fb32af82ca3b9402b3dd7a1d95d2cde4a98381bb60ac1f0b1231b1586588] ADD finished CNI request [openshift-console-operator/console-operator-b7df4775c-8bnqm 8af3fb32af82ca3b9402b3dd7a1d95d2cde4a98381bb60ac1f0b1231b1586588], result "{\"Result\":{\"interfaces\":[{\"name\":\"8af3fb32af82ca3\",\"mac\":\"92:3a:c1:49:2e:7d\"},{\"name\":\"eth0\",\"mac\":\"0a:58:19:94:19:d0\",\"sandbox\":\"/var/run/netns/da9dd93d-ba48-49bd-b193-d70ae17bba48\"}],\"ips\":[{\"version\":\"6\",\"interface\":1,\"address\":\"fd01:0:0:2::24/64\",\"gateway\":\"fd01:0:0:2::1\"}],\"dns\":{}},\"PodIFInfo\":null,\"KubeAuth\":{\"kube-api-server\":\"https://api-int.ostest.test.metalkube.org:6443\",\"kube-api-token\":\"eyJhbGciOiJSUzI1NiIsImtpZCI6Im80d0l0S2NZQU96V3hHTzlHSDlUQVJWY0lpWnQwc2REcU5yazVwR3AxWGMifQ.eyJhdWQiOlsiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjIl0sImV4cCI6MTY2MTczMTI1OSwiaWF0IjoxNjMwMTk1MjU5LCJpc3MiOiJodHRwczovL2t1YmVybmV0ZXMuZGVmYXVsdC5zdmMiLCJrdWJlcm5ldGVzLmlvIjp7Im5hbWVzcGFjZSI6Im9wZW5zaGlmdC1vdm4ta3ViZXJuZXRlcyIsInBvZCI6eyJuYW1lIjoib3Zua3ViZS1ub2RlLXpqaDV6IiwidWlkIjoiZTZkNDE0ZjItYmZjYy00ZjQ3LWIyZjgtZWVkOWQ2Y2MzMGZiIn0sInNlcnZpY2VhY2NvdW50Ijp7Im5hbWUiOiJvdm4ta3ViZXJuZXRlcy1ub2RlIiwidWlkIjoiNDdmYTljMTQtNTU2Ny00OThlLTg3YjEtN2ZkMmVmZDU4MWFkIn0sIndhcm5hZnRlciI6MTYzMDE5ODg2Nn0sIm5iZiI6MTYzMDE5NTI1OSwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Om9wZW5zaGlmdC1vdm4ta3ViZXJuZXRlczpvdm4ta3ViZXJuZXRlcy1ub2RlIn0.nDRrS1FbOI3DIvmUFQrl3IslfDx2k9LiF2TRWNMSNI9JseGAVmrlJWXQRC699sMtbfpE7zOEbV4hPldtVbUuA0UrdMxHuPdhL3bvDSenNlwjrBuBADh_bcAv42xJjBNbjGtRYbddVGs_XChgRX6tbBRVy8gAh2q3mzCuZXYCPTiexQltz8ea7VdsLh65E12oSWaR22qPQb9CEbtQj5j635j_5mxJ-Lil7HF9cUTMqG0vhd93ijid7o1w6hK1f3GT5gCBJqIURqsP8-Nx77FOMBkpvdKnp9EIYcGMNX9o6bTt68T8LGt_m0UEslsQ4LamQ7yWMJb9tyDfx86r6Z9VWRZhMAxiQ8swu5qL2FS4eUoWH8yMsvgDxxA-6PK5MvrHEPCxp2sGuANy8RRS5dRVB--ihMw5fzgUfdpH07ahtEoLyOkVE6xi0R-1bJVWuqdz1ropn50vEJ0fzjaI6Rc2gWbbvBwjUDqlNdslCIkRX7gCHCvKXcRrwDfVOYhnQLr_s0IOSPCx_fFMlBtXThJWemMzExk-XZTRPa3Bl3-DJKpuSAebmZ8em6df0bp8oIqPhWmCncFb7mjqFs-xWL9XJArqWobM59UjHR2whTuGt-EhihuG8jU_HrGowWqnxwdneEHRbxWNAT1qN5eVPQXVupUoSU9-_6P3qmESWTfsM3w\",\"kube-ca-data\":\"LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURRRENDQWlpZ0F3SUJBZ0lJSmNPdG5IbVpUUlF3RFFZSktvWklodmNOQVFFTEJRQXdQakVTTUJBR0ExVUUKQ3hNSmIzQmxibk5vYVdaME1TZ3dKZ1lEVlFRREV4OXJkV0psTFdGd2FYTmxjblpsY2kxc2IyTmhiR2h2YzNRdApjMmxuYm1WeU1CNFhEVEl4TURneU9ESXpNemt5T1ZvWERUTXhNRGd5TmpJek16a3lPVm93UGpFU01CQUdBMVVFCkN4TUpiM0JsYm5Ob2FXWjBNU2d3SmdZRFZRUURFeDlyZFdKbExXRndhWE5sY25abGNpMXNiMk5oYkdodmMzUXQKYzJsbmJtVnlNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQXVyQnRkbmpZN2YveAo1OE9udGJrcG9Gd1p1bzc5d2lDOUVGS21PT0EvUW9NUGVCUjA0TVNQQ2luRDkzVDZVa3NLT2JKYm5qaUVob0w0CjgwbGUxSmZJZHk0M1kyZHovNFlzUlZJZ1l4YjVFejNrc092UzRFN3g1d0lJVVdjWTVpeU5neDhvMVNnVUwycjMKdzg0L2pPT1BJNHlpcjY4YmZlcFN6TEgvYmRaK1FGeFF4Wm5ZdzE1Sm8zME51S0ZTM3JXME1yT1lDbUdvNnJSTwp5QXRGekNUWXNjQ2ZpdHF2L1puOXBNNzJ2VE11anIwOWdoQStQYkpXUG1SeElrbUY2N2dGbjF0Q0VLVFZjK0J6Cm4zSThuVVFKVitFdVZ1aUMycVJ1M2ZBWGlIOWJXdVNIaEw3Y0RyeityTmhzeWJ0NGJqQzdHemUzN091NWVaMDYKNUNUVUMwVXRwd0lEQVFBQm8wSXdRREFPQmdOVkhROEJBZjhFQkFNQ0FxUXdEd1lEVlIwVEFRSC9CQVV3QXdFQgovekFkQmdOVkhRNEVGZ1FVRVZhM3ZkaVlNL05Md3NldFV4R1dqS3ZlWlpjd0RRWUpLb1pJaHZjTkFRRUxCUUFECmdnRUJBSVd2S2lSM3RmRnN4by9BaithSy9Na2tCQkZKTE5ySnpqUHFJcTNtNG9VS2JER1psTWNiVEwxZ25GWDYKeWlkbytTTlRzY09Xek80ODliMWp1Yk9kdTl5YmloWHlMUmVxY3lsd0FFM2tzRUFUbjl3MWU4NGl6a3hYd2QyNgpKRjlPU0QvK2JVYiswZ0Y2YlU5WVd3aTAxRzF6NHdpMGM1bExKNHgzU21oSGVQanV0MTBQcUxBWU5ucHpINjhwCnJLZWVBbCt6aVpTeHdmTjJXZmZ4Qll2NlB6dm8wajRGczdvUnYwaStiRUQvRlJMLzlwVHRBdTN5L0xMSmFnVDgKK1llMGIwSDJicnZ0NXcrUkZPTVdmZFJIY3VTZXRtUVBtbmNkL1BKT1c5K2cxMHVaOHFPcHdIa2pQb1Urb042MApITEJhS1BRM21sTFlsTUlERGFWbFNKQXNBTlE9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURURENDQWpTZ0F3SUJBZ0lJVGkxK0dNclhBRTB3RFFZSktvWklodmNOQVFFTEJRQXdSREVTTUJBR0ExVUUKQ3hNSmIzQmxibk5vYVdaME1TNHdMQVlEVlFRREV5VnJkV0psTFdGd2FYTmxjblpsY2kxelpYSjJhV05sTFc1bApkSGR2Y21zdGMybG5ibVZ5TUI0WERUSXhNRGd5T0RJek16a3lPVm9YRFRNeE1EZ3lOakl6TXpreU9Wb3dSREVTCk1CQUdBMVVFQ3hNSmIzQmxibk5vYVdaME1TNHdMQVlEVlFRREV5VnJkV0psTFdGd2FYTmxjblpsY2kxelpYSjIKYVdObExXNWxkSGR2Y21zdGMybG5ibVZ5TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQwpBUUVBNEZia0d0SFVkS3JDVXBLd1B5S1lHd2gwWVVPUDFFMHVWVWZsTHFZL2NkVm5reEpkQ2Y0NEZoelpDdStKCkVyYXQrTVJOSXd6d1FUdzdTOTdTbTJUUUFadC9Fa0lvV2p3Q2NBMzBZZWxSMS9iSU9Fa3Y4Y1dTRGNiU085SHYKVFdHYllvNGsyYjNRMWZxNUxJYkV4TFBUMEpKd2hkNVJpa3o4eGFtS0JUdkJtU1FKY0xOYmg1YVd1TzdZMktRVApHbTdoNUh4aEhHbklOalRNREVYOHRGei9GNDVaOVhFYWR1SVFwQU5PdnVnZUh1eDFVR21nWU4zam44MGV1R2x5CjFwdTAzZUZNOU81VVh0UXQ5dHBRajdWRkVjM1UzMnhxRkNsRmtYYkE2VHhWa1Jvanc5SzJOUm1HQzRyVEhOeXoKTGJKNWhsT1VVV2FQZVpZWk5KaE92cXNKZVFJREFRQUJvMEl3UURBT0JnTlZIUThCQWY4RUJBTUNBcVF3RHdZRApWUjBUQVFIL0JBVXdBd0VCL3pBZEJnTlZIUTRFRmdRVTA3bnh1alpGVFRQUzRBd0JlZHNvRzFXVGpWNHdEUVlKCktvWklodmNOQVFFTEJRQURnZ0VCQU1kOVlWbjJFOUVGZVF4TDNTNm1iTzdLSnBSMnFkSjF3bkFlTWRqTmVDcnQKQ21xditUSXZhVk05SnRNTnFwakhPZTl6dWZnUnlDb1dmeWxPQXlyc3E5RGo0OEpiU1ZCTi8wSU1TMGEreVptTgoyZnNkL25UTzNnQTAxRnhPY1EzeEo3cmM3V2dxbVVyb2hYOWpKSU83LytiK1R5dU5iU0JXd2cwRFhBWG5mcXhRCjhJVEIzdjQrT211aGNEREx1MjlZbko4VEs0UndpUnlITjBZN2dsMUI2UmNYYy8zR2RpWGlRRkFzcFJUSXpVS0sKTkU3MmdhL3ZGN0luT2p1cWdlV1lBU2pySjIrano4ZFVnMnVVNVdBRVJWRitjL0JzR3F6d2xxNFhJNEwvMURUZgpqUnV4NnpxV1BCUEg0dHBFOHR6dXFhQm4reXJqNDlSYW1tV3U3RmFvRVg4PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tQkVHSU4gQ0VSVElGSUNBVEUtLS0tLQpNSUlETWpDQ0FocWdBd0lCQWdJSVpLOFBnZ1R4Vmlrd0RRWUpLb1pJaHZjTkFRRUxCUUF3TnpFU01CQUdBMVVFCkN4TUpiM0JsYm5Ob2FXWjBNU0V3SHdZRFZRUURFeGhyZFdKbExXRndhWE5sY25abGNpMXNZaTF6YVdkdVpYSXcKSGhjTk1qRXdPREk0TWpNek9USTVXaGNOTXpFd09ESTJNak16T1RJNVdqQTNNUkl3RUFZRFZRUUxFd2x2Y0dWdQpjMmhwWm5ReElUQWZCZ05WQkFNVEdHdDFZbVV0WVhCcGMyVnlkbVZ5TFd4aUxYTnBaMjVsY2pDQ0FTSXdEUVlKCktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQUxXYVpwR3MrazBzVlBvU2JzZnlpOURNdmRYOXFhWFIKTEJmdEFBQXYvL2k1WVgxeDJCckd4V21kaFFFSG1DSUlDaDdncDl2bzFQcUNNc2w5cGc1SDRUQ3F0UVdYNG80MgpzVTZBV0UxcTJyb0FqaWg2a1Z1ZDYybE9jbVNDbythY0hpdVdxTFlZWks3VitPQjBaUGZleFNjRGJJWG1tREI5CmY3eG5maHNqTU10OWZaamNVK1lkendNWDRJTStLMUNKbHdFVmQ0RDFwaUxmOWxhemFIZG9PUWlCalFqamVaZEIKaXB4V3ZJVWJJUWdnZS96YmtUcWFRV3hrQ0xPL084cSs1Rm4yak9FZFkxVzNraUlhSmpnM1R2WGVVWTgvc3JzWQppWDdhUzB6NzliN3BBbnpkVy9pS2l0TFVaRjhCeEdFbUxvaDFMbDVPSmIvd0M2VnNvelFndllFQ0F3RUFBYU5DCk1FQXdEZ1lEVlIwUEFRSC9CQVFEQWdLa01BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0hRWURWUjBPQkJZRUZBcVMKVFJjd243bXRJRDZlS1NwRVNSdFdSYXRDTUEwR0NTcUdTSWIzRFFFQkN3VUFBNElCQVFBR2ZPK1dhZ240WEdGcwpXRjNNSzl0L0xKOE5kUzdpcWRoeVJycXU0U3R2bThJbmxDTFg0MzZETmNINTVraEtWMWdHS1FiM0sveEptdURICkF1bEV2SEJRcjRBMy9aRmYvNzM0Wm96TVZ1czNISHRUOXdFK2lLWTBvb1lCT3lhS3dtUWN1WmdwN3lPRGI1Mm8KL2FwVThBd2Z2UWl3bWQ1dTJ4MENPVkpOY0lBenc4c2QvcmpJeU1xd0gvRkRWeFRpRExIbmpDYStFMVBhTEdIRwpEVGdTRjc2eXBINlB5R29CYzZ2R2JKVjk3eksrT3IrWWUrWGdtamJQRFJ3OTE3K1o4U00vRHUzOTZNMzhPMXJtCnNvNHh5ckxick95RGZIWENBVEZoaXlVMy9mcnduMHZxM3BabG0vTloyMkV1cUNuMWlSa2g2WUlwNmVwdTVzMUkKZ1FzNGpnK3EKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=\"}}", err <nil>


Given that one of those fields is "kube-api-token", we probably shouldn't be logging that anyway... (maybe just log response.Result instead of all of response)

Comment 7 errata-xmlrpc 2022-03-12 04:37:58 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056

Note You need to log in before you can comment on or make changes to this bug.