Description of problem:
The ovirt credentials are available as clear text in the csi-driver operator:

$ oc exec -it ovirt-csi-driver-operator-86db4cb597-rfgwb -- cat /tmp/config/ovirt-config.yaml
Defaulted container "ovirt-csi-driver-operator" out of: ovirt-csi-driver-operator, prepare-ovirt-config (init)
ovirt_url: https://rhvm44.example.org/ovirt-engine/api
ovirt_username: ocp
ovirt_password: CLEARTEXTPASSWORD
# set a valid path only if ca bundle has content
ovirt_cafile: /tmp/config/ovirt-engine-ca.pem
ovirt_insecure: false

Version-Release number of selected component (if applicable):
Client Version: 4.11.0-0.ci-2022-05-16-170425
Kustomize Version: v4.5.4
Kubernetes Version: v1.23.3-2049+69213f85dee380-dirt

How reproducible:
Every time. The operator deployment sets up ENV from secrets and echoes the values of the ENV files into /tmp/config/ovirt-config.yaml, where they stay accessible to any process/code running.

Expected results:
Credentials/URL scrambled or not accessible to other injected processes.
This issue is mitigated by specifying the mounted volume as Memory so the information is no longer stored on an underlying disk (where the credentials could still be readable). This was done in https://github.com/openshift/ovirt-csi-driver-operator/pull/99

Unfortunately, we can't do much more about this issue. If someone has access to the pod or filesystem, he can also dump the RAM and get the same information. Therefore, we have to close this as a CANT FIX.
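Added example, not code from the bug report or from the operator: a small check over a Deployment's pod spec (as returned by `oc get deploy -o json`) that flags the pattern described above, a container that receives a Secret through env and can write into an emptyDir volume that is not memory-backed, and a helper that applies the PR #99 style fix by setting medium: Memory. The Deployment below is a constructed sample shaped like the report; the secret, volume and env names are assumptions.

```python
import copy
import json

# Constructed sample Deployment shaped like the one in the report (not the real
# manifest; secret, volume and env names are assumptions).
SAMPLE_DEPLOYMENT = json.loads("""
{"kind": "Deployment", "metadata": {"name": "ovirt-csi-driver-operator"},
 "spec": {"template": {"spec": {
   "volumes": [{"name": "config", "emptyDir": {}},
               {"name": "ca", "configMap": {"name": "ovirt-ca"}}],
   "initContainers": [{"name": "prepare-ovirt-config",
     "env": [{"name": "OVIRT_PASSWORD", "valueFrom": {"secretKeyRef":
              {"name": "ovirt-credentials", "key": "ovirt_password"}}}],
     "volumeMounts": [{"name": "config", "mountPath": "/tmp/config"}]}],
   "containers": [{"name": "ovirt-csi-driver-operator",
     "volumeMounts": [{"name": "config", "mountPath": "/tmp/config"}]}]}}}}
""")


def disk_backed_emptydirs(pod_spec):
    """Names of emptyDir volumes that land on the node's disk (medium != Memory)."""
    return {v["name"] for v in pod_spec.get("volumes", [])
            if "emptyDir" in v and (v["emptyDir"] or {}).get("medium") != "Memory"}


def containers_with_secret_env(pod_spec):
    """Init containers and containers that receive a Secret value through env."""
    for c in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
        if any("secretKeyRef" in (e.get("valueFrom") or {}) for e in c.get("env", [])):
            yield c


def find_secret_to_disk(deployment):
    """(container, volume, mountPath) for each secret-holding container that can
    write into a disk-backed emptyDir; an empty list means the pattern is absent."""
    pod_spec = deployment["spec"]["template"]["spec"]
    risky = disk_backed_emptydirs(pod_spec)
    return [(c["name"], m["name"], m["mountPath"])
            for c in containers_with_secret_env(pod_spec)
            for m in c.get("volumeMounts", []) if m["name"] in risky]


def memory_backed(deployment):
    """Return a copy with every emptyDir set to medium: Memory (tmpfs), the fix
    applied in the PR above. The data is still readable from RAM by anyone who
    can reach the pod, which is the residual risk the comment describes."""
    fixed = copy.deepcopy(deployment)
    for v in fixed["spec"]["template"]["spec"].get("volumes", []):
        if "emptyDir" in v:
            v["emptyDir"] = dict(v["emptyDir"] or {}, medium="Memory")
    return fixed
```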
Verified on:
OCP 4.12.0-0.nightly-2022-08-23-223922
RHV 4.4 SP1 [ovirt-engine-4.5.2.1-0.1.el8ev]

Verified that the fix's changes are reflected in the daemonset and that /tmp/config is mounted as tmpfs inside the ovirt-csi-driver-node.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.12.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:7399