Bug 2073220 - WriteRequestBodies audit profile records routes/status events at RequestResponse level
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: kube-apiserver
Version: 4.10
Hardware: Unspecified
OS: Unspecified
Priority/Severity: high
Target Milestone: ---
Target Release: 4.10.z
Assignee: Abu Kashem
QA Contact: Deepak Punia
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-04-07 23:09 UTC by Grant Sleeman
Modified: 2023-01-16 11:33 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-01-16 11:33:33 UTC
Target Upstream Version:
Embargoed:




Links
- GitHub openshift/cluster-kube-apiserver-operator pull 1375 (open, priority None, not private): "Bug 2073220: routes/status resources can leak sensitive data" - last updated 2022-09-05 08:44:01 UTC
- GitHub openshift/library-go pull 1394 (open, priority None, not private): "routes/status resources can leak sensitive data" - last updated 2022-09-01 07:37:14 UTC

Description Grant Sleeman 2022-04-07 23:09:50 UTC
Description of problem:

https://docs.openshift.com/container-platform/4.10/security/audit-log-policy-config.html#about-audit-log-profiles_audit-log-policy-config

Version-Release number of selected component (if applicable): 4.*

How reproducible: always

Steps to Reproduce:
1. Set audit profile to WriteRequestBodies
2. Wait for api server rollout to complete
3. tail -f /var/log/kube-apiserver/audit.log | grep routes/status

Actual results:

Write events to routes/status are recorded at the RequestResponse level, which often includes keys and certificates.

Expected results:

Events involving routes should always be recorded at the Metadata level, per the documentation at https://docs.openshift.com/container-platform/4.10/security/audit-log-policy-config.html#about-audit-log-profiles_audit-log-policy-config


Additional info:

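The reproduction steps above tail the raw audit log and grep for the resource name. The following checker is an added example for this report (it is not part of the original report or of the OpenShift operator/library-go code): it parses audit.k8s.io/v1 events from a log file, flags write requests to routes (including the routes/status subresource) that were recorded at the RequestResponse level, and reports which body fields (requestObject/responseObject) were captured so an operator can see what needs redaction. The sample audit lines in SAMPLE_AUDIT_LOG are constructed for the example and contain placeholder values only. The rule_covers helper is a simplified re-implementation of Kubernetes audit-policy resource matching, in which a rule listing "routes" matches only the top-level resource while "routes/*" also matches its subresources; it is included to show why a Metadata rule for "routes" does not cover "routes/status".

```python
"""Audit-log checker for route bodies recorded at the RequestResponse level.

Added example for Bug 2073220; not code from the bug report or from the
OpenShift projects it references. Sample events below are constructed.
"""
import json
import sys

# Constructed audit.log content: one audit.k8s.io/v1 Event per line. The
# certificate/key material is a placeholder string, not real key data.
SAMPLE_AUDIT_LOG = "\n".join([
    json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1",
        "level": "RequestResponse", "stage": "ResponseComplete",
        "verb": "update",
        "objectRef": {"apiGroup": "route.openshift.io", "resource": "routes",
                      "subresource": "status", "namespace": "demo", "name": "web"},
        "requestObject": {"spec": {"tls": {"key": "PLACEHOLDER-PRIVATE-KEY"}}},
        "responseObject": {"spec": {"tls": {"key": "PLACEHOLDER-PRIVATE-KEY"}}},
    }),
    json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1",
        "level": "Metadata", "stage": "ResponseComplete",
        "verb": "update",
        "objectRef": {"apiGroup": "route.openshift.io", "resource": "routes",
                      "namespace": "demo", "name": "web"},
    }),
    json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1",
        "level": "RequestResponse", "stage": "ResponseComplete",
        "verb": "create",
        "objectRef": {"resource": "configmaps", "namespace": "demo", "name": "cfg"},
        "requestObject": {"data": {"k": "v"}},
    }),
])

WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}
BODY_FIELDS = ("requestObject", "responseObject")


def parse_events(text):
    """Yield audit events from newline-delimited JSON, skipping blank or garbled lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # a torn line from `tail -f` should not abort the scan


def find_route_body_leaks(text):
    """Return write events on routes (any subresource) whose level is RequestResponse.

    Each finding records the full resource path and which body fields were
    captured, which is the information needed to assess what may have leaked.
    """
    findings = []
    for ev in parse_events(text):
        ref = ev.get("objectRef") or {}
        if ref.get("resource") != "routes":
            continue
        if ev.get("verb") not in WRITE_VERBS:
            continue
        if ev.get("level") != "RequestResponse":
            continue
        sub = ref.get("subresource")
        findings.append({
            "verb": ev["verb"],
            "resource": "routes/" + sub if sub else "routes",
            "namespace": ref.get("namespace"),
            "name": ref.get("name"),
            "bodies": [f for f in BODY_FIELDS if f in ev],
        })
    return findings


def rule_covers(rule_resources, resource, subresource=None):
    """Simplified model of audit-policy resource matching (assumption, see lead-in).

    "*" matches everything; a bare name matches only the top-level resource;
    "name/*" matches every subresource of name; "*/sub" matches that
    subresource on any resource; "name/sub" matches exactly that pair.
    """
    for res in rule_resources:
        if res == "*":
            return True
        if subresource:
            if res in (resource + "/" + subresource, resource + "/*", "*/" + subresource):
                return True
        elif res == resource:
            return True
    return False


if __name__ == "__main__":
    # Usage: python check_route_audit.py /var/log/kube-apiserver/audit.log
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUDIT_LOG
    for f in find_route_body_leaks(text):
        print("route body recorded:", f)
```

Run it against the kube-apiserver audit log on a control-plane node to confirm whether the profile fix has taken effect; with the constructed sample it reports the single routes/status update, and rule_covers shows that a policy rule naming only "routes" would not have matched that event.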
Comment 1 taxu 2022-05-30 00:56:33 UTC
Hi Team, shall we please have a rough ETA or plans for this bug/compliance issue?

Comment 2 gilins 2022-06-06 16:15:55 UTC
Hello team,

Could we please have an estimation of when this is going to be fixed? We have a customer that has inquired about this.

Comment 12 Abu Kashem 2022-08-24 14:02:08 UTC
kewang,
can you please check to see if you can repro it on 4.9.25?

Comment 13 Abu Kashem 2022-08-24 14:06:18 UTC
gilins,

> I think Grant has been able to reproduce that on a 4.9.25 cluster.

can Grant share the actual audit event that has the cert/key (redacted)?

Comment 23 Abu Kashem 2022-11-04 19:17:20 UTC
dpunia,
I set the target version to 4.12.0, I believe qe can start testing it now.

Comment 24 Abu Kashem 2022-11-04 19:24:20 UTC
I fixed it; this is the 4.12.0 bug: https://issues.redhat.com//browse/OCPBUGS-3293

Comment 25 Abu Kashem 2022-11-04 19:25:59 UTC
Depends on https://issues.redhat.com/browse/OCPBUGS-3290

Comment 26 Michal Fojtik 2023-01-16 11:33:33 UTC
Dear reporter, we greatly appreciate the bug you have reported here. Unfortunately, due to migration to a new issue-tracking system (https://issues.redhat.com/), we cannot continue triaging bugs reported in Bugzilla. Since this bug has been stale for multiple days, we have therefore decided to close this bug.

If you think this is a mistake or this bug has a higher priority or severity than is set today, please feel free to reopen this bug and tell us why. We are going to move every re-opened bug to https://issues.redhat.com.

Thank you for your patience and understanding.

