Bug 2042038 - audit: ManagedFields are dropped using API not annotation
Summary: audit: ManagedFields are dropped using API not annotation
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: oauth-apiserver
Version: 4.10
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 4.11.0
Assignee: Pierre Prinetti
QA Contact: Xingxing Xia
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-01-18 17:58 UTC by Emily Moss
Modified: 2022-07-14 08:20 UTC (History)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of: 2041541
Environment:
Last Closed: 2022-05-06 13:35:47 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Github openshift cluster-authentication-operator pull 537 0 None open bug 2042038: bump library go 2022-01-18 17:59:03 UTC

Comment 3 Xingxing Xia 2022-01-27 10:53:47 UTC
Test steps:
1. Make audit logs contain request/response bodies:
$ oc patch apiserver/cluster --type=merge -p '{"spec": {"audit": {"profile": "AllRequestBodies"}}}'
Wait for KAS/OAS/OauthAs pods to finish rotation.

2. Make requests against resources that belong to oauth-apiserver, so that they get audited:
$ oc login -u USER -p PASSWORD

3. Check oauth-apiserver audit logs:
PATTERN="managedFields"
# Master node names: first column of `oc get no`.
MASTERS=$(oc get no | grep master | grep -o '^[^ ]*')
for i in $MASTERS; do
  # `|| true` keeps the loop going when a node has no matching lines.
  oc debug no/$i -- chroot /host bash -c "grep -hE '$PATTERN' /var/log/oauth-apiserver/audit*.log || true"
done > audit-oauth-apiserver.log


Ran the above test steps against 4.9; audit-oauth-apiserver.log did not drop managedFields:
{"kind":"Event",...,"responseObject":{"kind":"OAuthAuthorizeToken","apiVersion":"oauth.openshift.io/v1","metadata":{"name":"sha256~_...",...,"managedFields":[{"manager":"oauth-server"...

This is expected, because 4.9 oauth-apiserver does not implement the dropping.

However, running the above steps against the latest 4.10.0-0.nightly-2022-01-26-234447, the oauth-apiserver audit logs still did not drop managedFields:
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse",...,"requestURI":"/apis/user.openshift.io/v1/users/testuser-13","verb":"get","user":{"username":"system:apiserver",...,"responseObject":{"kind":"User","apiVersion":"user.openshift.io/v1","metadata":{"name":"testuser-13",...,"managedFields":[{"manager":"oauth-server","operation":"Update",...
But checked:
$ oc get cm -n openshift-oauth-apiserver audit -o yaml
apiVersion: v1
data:
  policy.yaml: |
    apiVersion: audit.k8s.io/v1
    kind: Policy
    metadata:
      creationTimestamp: null
      name: policy
    omitManagedFields: true
...

It already defines omitManagedFields as true. This result means that omitManagedFields: true does not take effect: "managedFields" is not dropped from the audit logs.

Comment 6 Pierre Prinetti 2022-05-03 12:58:04 UTC
@xxia I can't seem to reproduce on 4.11 (4.11.0-0.ci-2022-04-29-080325).

Would you mind checking again, so that we can close?

Comment 7 Xingxing Xia 2022-05-06 10:34:16 UTC
Pierre, tested in 4.11 (4.11.0-0.nightly-2022-05-05-015322) with the above steps: it works well and does not have the issue. Tested 4.10 again (4.10.0-0.nightly-2022-05-06-010401); it still has the issue:
$ oc login -u testuser-13
Check oauth-apiserver audit logs:
$ PATTERN="managedFields"
$ MASTERS=$(oc get no | grep master | grep -o '^[^ ]*')
$ for i in $MASTERS; do
  oc debug no/$i -- chroot /host bash -c "grep -hE '$PATTERN' /var/log/oauth-apiserver/audit*.log || true"
done > audit-oauth-apiserver_4.10_test_again.log
$ cat audit-oauth-apiserver_4.10_test_again.log
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"26bf867a-60a3-4d8e-a62b-9685d0f9c4d9","stage":"ResponseComplete","requestURI":"/apis/user.openshift.io/v1/identities","verb":"create","user":{"username":"system:serviceaccount:openshift-authentication:oauth-openshift","groups":["system:serviceaccounts","system:serviceaccounts:openshift-authentication","system:authenticated"],"extra":{"authentication.kubernetes.io/pod-name":["oauth-openshift-b68f59c99-r8bz5"],"authentication.kubernetes.io/pod-uid":["c178e769-ad21-4066-84ab-1abbb271961b"]}},"sourceIPs":["10.0.135.123","10.129.0.1"],"userAgent":"oauth-server/v0.0.0 (linux/amd64) kubernetes/$Format","objectRef":{"resource":"identities","name":"flexy-htpasswd-provider:testuser-13","apiGroup":"user.openshift.io","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Identity","apiVersion":"user.openshift.io/v1","metadata":{"name":"flexy-htpasswd-provider:testuser-13","creationTimestamp":null},"providerName":"flexy-htpasswd-provider","providerUserName":"testuser-13","user":{"name":"testuser-13","uid":"c1046d6a-9529-486d-bc0e-f81c31c033e1"}},"responseObject":{"kind":"Identity","apiVersion":"user.openshift.io/v1","metadata":{"name":"flexy-htpasswd-provider:testuser-13","uid":"a9d37da6-2f15-4689-9441-b72781505810","resourceVersion":"58904","creationTimestamp":"2022-05-06T10:09:29Z","managedFields":[{"manager":"oauth-server","operation":"Update","apiVersion":"user.openshift.io/v1","time":"2022-05-06T10:09:29Z","fieldsType":"FieldsV1","fieldsV1":{"f:providerName":{},"f:providerUserName":{},"f:user":{}}}]},"providerName":"flexy-htpasswd-provider","providerUserName":"testuser-13","user":{"name":"testuser-13","uid":"c1046d6a-9529-486d-bc0e-f81c31c033e1"}},"requestReceivedTimestamp":"2022-05-06T10:09:29.613246Z","stageTimestamp":"2022-05-06T10:09:29.629455Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by 
ClusterRoleBinding \"system:openshift:openshift-authentication\" of ClusterRole \"cluster-admin\" to ServiceAccount \"oauth-openshift/openshift-authentication\""}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"8bafc8a4-ed8a-4d1a-9cc8-32538eac126b","stage":"ResponseComplete","requestURI":"/apis/oauth.openshift.io/v1/oauthauthorizetokens","verb":"create","user":{"username":"system:serviceaccount:openshift-authentication:oauth-openshift","groups":["system:serviceaccounts","system:serviceaccounts:openshift-authentication","system:authenticated"],"extra":{"authentication.kubernetes.io/pod-name":["oauth-openshift-b68f59c99-r8bz5"],"authentication.kubernetes.io/pod-uid":["c178e769-ad21-4066-84ab-1abbb271961b"]}},"sourceIPs":["10.0.135.123","10.129.0.1"],"userAgent":"oauth-server/v0.0.0 (linux/amd64) kubernetes/$Format","objectRef":{"resource":"oauthauthorizetokens","name":"sha256~2ze0U5zocUK0v-GTUZhNNQ1a3ZAD9u5JMD4k0khAXEc","apiGroup":"oauth.openshift.io","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"OAuthAuthorizeToken","apiVersion":"oauth.openshift.io/v1","metadata":{"name":"sha256~2ze0U5zocUK0v-GTUZhNNQ1a3ZAD9u5JMD4k0khAXEc","creationTimestamp":null},"clientName":"openshift-challenging-client","expiresIn":300,"scopes":["user:full"],"redirectURI":"https://oauth-openshift.apps.../oauth/token/implicit","userName":"testuser-13","userUID":"c1046d6a-9529-486d-bc0e-f81c31c033e1","codeChallenge":"TAGxO_wH_v6hJWlPm2tqOQ_rX8Wu6cqZmn-qWuohz5U","codeChallengeMethod":"S256"},"responseObject":{"kind":"OAuthAuthorizeToken","apiVersion":"oauth.openshift.io/v1","metadata":{"name":"sha256~2ze0U5zocUK0v-GTUZhNNQ1a3ZAD9u5JMD4k0khAXEc","uid":"6d9c36ba-2f99-4d29-a250-c0524988fc26","resourceVersion":"58905","creationTimestamp":"2022-05-06T10:09:29Z","managedFields":[{"manager":"oauth-server","operation":"Update","apiVersion":"oauth.openshift.io/v1","time":"2022-05-06T10:09:29Z","fieldsType":"FieldsV1","fieldsV1":{"f:clientName":{},"f:codeChallenge":{},"f:codeChallengeMethod":{},"f:expiresIn":{},"f:redirectURI":{},"f:scopes":{},"f:userName":{},"f:userUID":{}}}]},"clientName":
"openshift-challenging-client","expiresIn":300,"scopes":["user:full"],"redirectURI":"https://oauth-openshift.apps.../oauth/token/implicit","userName":"testuser-13","userUID":"c1046d6a-9529-486d-bc0e-f81c31c033e1","codeChallenge":"TAGxO_wH_v6hJWlPm2tqOQ_rX8Wu6cqZmn-qWuohz5U","codeChallengeMethod":"S256"},"requestReceivedTimestamp":"2022-05-06T10:09:29.637719Z","stageTimestamp":"2022-05-06T10:09:29.648750Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:openshift:openshift-authentication\" of ClusterRole \"cluster-admin\" to ServiceAccount \"oauth-openshift/openshift-authentication\""}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"d1a9ed04-e9f7-4ba4-bacc-5e8be76fb2c6","stage":"ResponseComplete","requestURI":"/apis/oauth.openshift.io/v1/oauthaccesstokens","verb":"create","user":{"username":"system:serviceaccount:openshift-authentication:oauth-openshift","groups":["system:serviceaccounts","system:serviceaccounts:openshift-authentication","system:authenticated"],"extra":{"authentication.kubernetes.io/pod-name":["oauth-openshift-b68f59c99-r8bz5"],"authentication.kubernetes.io/pod-uid":["c178e769-ad21-4066-84ab-1abbb271961b"]}},"sourceIPs":["10.0.135.123","10.129.0.1"],"userAgent":"oauth-server/v0.0.0 (linux/amd64) kubernetes/$Format","objectRef":{"resource":"oauthaccesstokens","name":"sha256~bT09ntIOWXkw_AbHxukSokLsbcxW58VCAgMx1zZ6aU4","apiGroup":"oauth.openshift.io","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"OAuthAccessToken","apiVersion":"oauth.openshift.io/v1","metadata":{"name":"sha256~bT09ntIOWXkw_AbHxukSokLsbcxW58VCAgMx1zZ6aU4","creationTimestamp":null},"clientName":"openshift-challenging-client","expiresIn":86400,"scopes":["user:full"],"redirectURI":"https://oauth-openshift.apps.../oauth/token/implicit","userName":"testuser-13","userUID":"c1046d6a-9529-486d-bc0e-f81c31c033e1","authorizeToken":"sha256~ua32P8k-C2RMNDAj4gk-x-5slEtGJ3m9-P-qUXhKQ6Y"},"responseObject":{"kind":"OAuthAccessToken","apiVersion":"oauth.openshift.io/v1","metadata":{"name":"sha256~bT09ntIOWXkw_AbHxukSokLsbcxW58VCAgMx1zZ6aU4","uid":"b65684b5-798a-4051-aa39-94dc1c3ebc89","resourceVersion":"58906","creationTimestamp":"2022-05-06T10:09:29Z","managedFields":[{"manager":"oauth-server","operation":"Update","apiVersion":"oauth.openshift.io/v1","time":"2022-05-06T10:09:29Z","fieldsType":"FieldsV1","fieldsV1":{"f:authorizeToken":{},"f:clientName":{},"f:expiresIn":{},"f:redirectURI":{},"f:scopes":{},"f:userName":{},"f:userUID":{}}}]},"clientName":"openshift-challenging-client","expiresIn":86400,"scopes"
:["user:full"],"redirectURI":"https://oauth-openshift.apps.../oauth/token/implicit","userName":"testuser-13","userUID":"c1046d6a-9529-486d-bc0e-f81c31c033e1","authorizeToken":"sha256~ua32P8k-C2RMNDAj4gk-x-5slEtGJ3m9-P-qUXhKQ6Y"},"requestReceivedTimestamp":"2022-05-06T10:09:29.685242Z","stageTimestamp":"2022-05-06T10:09:29.695344Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:openshift:openshift-authentication\" of ClusterRole \"cluster-admin\" to ServiceAccount \"oauth-openshift/openshift-authentication\""}}
...

This bug ID was used to track 4.10; it still has the bug. Not sure whether 4.10 needs a fix.
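A more precise check for the test steps in comments 3 and 7, added here as an example and not part of the bug report or of the oauth-apiserver code: instead of grepping for the bare string "managedFields" (which also matches it anywhere else in an event), this parses each audit event and reports only those whose requestObject or responseObject still carries metadata.managedFields, i.e. where omitManagedFields: true had no effect. The sample events are constructed for the example.

```python
import json

# Constructed sample audit events (not from the bug report); real events are
# one JSON object per line in /var/log/oauth-apiserver/audit*.log.
SAMPLE_LOG = "\n".join([
    json.dumps({"kind": "Event", "auditID": "constructed-0001", "verb": "get",
                "requestURI": "/apis/user.openshift.io/v1/users/testuser-13",
                "responseObject": {"kind": "User", "metadata": {
                    "name": "testuser-13",
                    "managedFields": [{"manager": "oauth-server"}]}}}),
    json.dumps({"kind": "Event", "auditID": "constructed-0002", "verb": "list",
                "requestURI": "/apis/user.openshift.io/v1/users",
                "responseObject": {"kind": "UserList", "metadata": {},
                    "items": [{"metadata": {"name": "testuser-13"}}]}}),
    "...",  # trailing truncation marker, as in a pasted log
])

def managed_fields_paths(event):
    """Paths inside requestObject/responseObject where managedFields survived."""
    found = []
    for section in ("requestObject", "responseObject"):
        obj = event.get(section)
        if not isinstance(obj, dict):
            continue  # Metadata-level events carry no bodies.
        if "managedFields" in (obj.get("metadata") or {}):
            found.append(f"{section}.metadata.managedFields")
        # List responses embed each object's own metadata under items[].
        for i, item in enumerate(obj.get("items") or []):
            if "managedFields" in (item.get("metadata") or {}):
                found.append(f"{section}.items[{i}].metadata.managedFields")
    return found

def check_audit_log(text):
    """Return {auditID: [paths]} for events where omitManagedFields had no effect."""
    leaks = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue  # Skip blank lines and '...' markers.
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # Event wrapped across lines by the terminal; not parseable.
        if event.get("kind") != "Event":
            continue
        paths = managed_fields_paths(event)
        if paths:
            leaks[event.get("auditID", "<no auditID>")] = paths
    return leaks
```

Run it over the audit-oauth-apiserver.log collected by the test steps; an empty result means the policy's omitManagedFields setting is effective for the bodies that were logged.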

Comment 8 Pierre Prinetti 2022-05-06 13:35:47 UTC
I am going to close this report, as the issue is fixed in 4.11. As for 4.10, my understanding is that the impact is mild enough that it doesn't require a backport.

Comment 9 Pierre Prinetti 2022-05-06 13:36:14 UTC
Thank you!

