Bug 2088033 - Clear text password/secret in operator pod
Summary: Clear text password/secret in operator pod
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Storage
Version: 4.11
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 4.12.0
Assignee: Michael Engel
QA Contact: Veronika Fuxova
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-05-18 17:21 UTC by Peter Larsen
Modified: 2023-01-17 19:49 UTC (History)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-01-17 19:48:59 UTC
Target Upstream Version:
Embargoed:




Links
- GitHub: openshift/ovirt-csi-driver-operator pull 99 (Merged) - "Bug 2088033: Clear text password stored on disk" - last updated 2022-08-24 05:12:32 UTC
- Red Hat Product Errata: RHSA-2022:7399 - last updated 2023-01-17 19:49:15 UTC

Description Peter Larsen 2022-05-18 17:21:38 UTC
Description of problem:

The ovirt credentials are available as clear text in the csi-driver operator:

$ oc exec -it ovirt-csi-driver-operator-86db4cb597-rfgwb -- cat /tmp/config/ovirt-config.yaml
Defaulted container "ovirt-csi-driver-operator" out of: ovirt-csi-driver-operator, prepare-ovirt-config (init)
ovirt_url: https://rhvm44.example.org/ovirt-engine/api
ovirt_username: ocp
ovirt_password: CLEARTEXTPASSWORD
# set a valid path only if ca bundle has content
ovirt_cafile: /tmp/config/ovirt-engine-ca.pem
ovirt_insecure: false

Version-Release number of selected component (if applicable):

Client Version: 4.11.0-0.ci-2022-05-16-170425
Kustomize Version: v4.5.4
Kubernetes Version: v1.23.3-2049+69213f85dee380-dirt


How reproducible:
Every time. The operator deployment sets up ENV from secrets and echoes the values of the ENV files into /tmp/config/ovirt-config.yaml where they stay accessible to any process/code running.

Expected results:
Credentials/URL scrambled or not accessible to other injected processes.

Comment 2 Michael Engel 2022-08-18 08:55:44 UTC
This issue is mitigated by specifying the mounted volume as Memory so the information is no longer stored on an underlying disk (where the credentials could still be readable). This was done in https://github.com/openshift/ovirt-csi-driver-operator/pull/99
Unfortunately, we can't do much more about this issue. If someone has access to the pod or filesystem, he can also dump the RAM and get the same information. Therefore, we have to close this as a CANT FIX.
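
As an added illustration (not the operator's own manifest; that change is in the linked PR), here is the pattern the description and Comment 2 discuss: an init container renders Secret-backed environment variables into a file on a shared emptyDir, and the mitigation is to make that emptyDir memory-backed. The pod, image, Secret name and Secret keys are assumed.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: ovirt-csi-driver-operator-example      # assumed name
spec:
  volumes:
    - name: config
      # Before the fix: a plain emptyDir is backed by the node's disk, so the
      # rendered credentials file outlives the container's memory.
      #   emptyDir: {}
      # After the fix (Comment 2): medium: Memory makes the volume a tmpfs mount.
      emptyDir:
        medium: Memory
        sizeLimit: 1Mi        # tmpfs usage counts against the pod's memory limit
  initContainers:
    - name: prepare-ovirt-config
      image: registry.example/ovirt-csi-driver-operator:PLACEHOLDER   # placeholder image
      env:
        - name: OVIRT_URL
          valueFrom: { secretKeyRef: { name: ovirt-credentials, key: ovirt_url } }
        - name: OVIRT_USERNAME
          valueFrom: { secretKeyRef: { name: ovirt-credentials, key: ovirt_username } }
        - name: OVIRT_PASSWORD
          valueFrom: { secretKeyRef: { name: ovirt-credentials, key: ovirt_password } }
      command: ["/bin/sh", "-c"]
      # Render the env values into the config file the operator reads; this is
      # the step that turns a Secret into a file on the shared volume.
      args:
        - |
          cat > /tmp/config/ovirt-config.yaml <<EOF
          ovirt_url: ${OVIRT_URL}
          ovirt_username: ${OVIRT_USERNAME}
          ovirt_password: ${OVIRT_PASSWORD}
          ovirt_insecure: false
          EOF
      volumeMounts:
        - name: config
          mountPath: /tmp/config
  containers:
    - name: ovirt-csi-driver-operator
      image: registry.example/ovirt-csi-driver-operator:PLACEHOLDER   # placeholder image
      volumeMounts:
        - name: config
          mountPath: /tmp/config
          readOnly: true      # the operator only needs to read the rendered file
```

With the mitigation in place, `findmnt -T /tmp/config` (or `grep /tmp/config /proc/mounts`) inside the running container reports the filesystem type as `tmpfs`, which is the property Comment 3 verified.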

Comment 3 Veronika Fuxova 2022-08-26 11:27:50 UTC
Verified on: 
OCP 4.12.0-0.nightly-2022-08-23-223922 
RHV 4.4 SP1 [ovirt-engine-4.5.2.1-0.1.el8ev] 

Verified that the fix's changes are reflected in the daemonset and that /tmp/config is mounted as tmpfs inside the ovirt-csi-driver-node.

Comment 6 errata-xmlrpc 2023-01-17 19:48:59 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.12.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:7399

