Closed lukeelten closed 8 months ago
Hi, thank you for reporting this I will be working on this today and hope to get a fix shortly.
Hi @lukeelten , can you provide any details on what features you are using, route certificate, truststore creation, etc? I am trying to duplicate the issue so that I can confirm a fix.
We use the operator mainly to copy certificates from secrets to routes. I think some users use it to create java keystores or to inject CA bundles.
I guess I missed an important detail: The log output comes from the kube-rbac-proxy sidecar container.
So on a default installation of the operator the sidecar is deployed with -v=10 verbose mode, which logs all HTTP requests including the access token.
Hi @lukeelten,
I am still struggling to duplicate the issue, could you provide the image of the sidecar proxy? Mine is currently using the following to try to duplicate
quay.io/redhat-cop/cert-utils-operator@sha256:57567c570c6d2c3b0f5cf2eef7526e302396f313503735fee2c5eb1c3a21ba8d
quay.io/redhat-cop/kube-rbac-proxy@sha256:c68135620167c41e3d9f6c1d2ca1eb8fa24312b86186d09b8010656b9d25fb47
This is the deployment a brand new installation of the operator creates. The images are:
The problematic line appears to be --v=10 on the kube-rbac-proxy sidecar which automatically logs all incoming HTTP requests including all headers.
```yaml
kind: Deployment
apiVersion: apps/v1
metadata:
  name: cert-utils-operator-controller-manager
  namespace: cert-utils-operator
  ownerReferences:
    - apiVersion: operators.coreos.com/v1alpha1
      kind: ClusterServiceVersion
      name: cert-utils-operator.v1.3.11
      uid: dc59b5e8-6ce4-406b-b9e4-2bd97784d783
      controller: false
      blockOwnerDeletion: false
  labels:
    olm.deployment-spec-hash: 7cbf8f97bf
    olm.owner: cert-utils-operator.v1.3.11
    olm.owner.kind: ClusterServiceVersion
    olm.owner.namespace: cert-utils-operator
    operators.coreos.com/cert-utils-operator.cert-utils-operator: ''
spec:
  replicas: 1
  selector:
    matchLabels:
      control-plane: cert-utils-operator
  template:
    metadata:
      creationTimestamp: null
      labels:
        control-plane: cert-utils-operator
      annotations:
        operators.operatorframework.io/builder: operator-sdk-v1.8.0+git
        operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
        certified: 'false'
        olm.targetNamespaces: ''
        operatorframework.io/properties: >-
          {"properties":[{"type":"olm.package","value":{"packageName":"cert-utils-operator","version":"1.3.11"}}]}
        repository: 'https://github.com/redhat-cop/cert-utils-operator'
        support: Best Effort
        operatorframework.io/cluster-monitoring: 'true'
        operators.openshift.io/infrastructure-features: '["Disconnected"]'
        alm-examples: '[]'
        capabilities: Deep Insights
        olm.operatorNamespace: cert-utils-operator
        containerImage: >-
          quay.io/redhat-cop/cert-utils-operator@sha256:57567c570c6d2c3b0f5cf2eef7526e302396f313503735fee2c5eb1c3a21ba8d
        createdAt: '2023-04-26T16:55:05Z'
        categories: Security
        operatorframework.io/suggested-namespace: cert-utils-operator
        description: Set of utilities for TLS certificates
        olm.operatorGroup: cert-utils-operator
    spec:
      restartPolicy: Always
      serviceAccountName: controller-manager
      schedulerName: default-scheduler
      terminationGracePeriodSeconds: 10
      securityContext: {}
      containers:
        - resources: {}
          terminationMessagePath: /dev/termination-log
          name: kube-rbac-proxy
          env:
            - name: OPERATOR_CONDITION_NAME
              value: cert-utils-operator.v1.3.11
          ports:
            - name: https
              containerPort: 8443
              protocol: TCP
          imagePullPolicy: IfNotPresent
          volumeMounts:
            - name: tls-cert
              mountPath: /etc/certs/tls
          terminationMessagePolicy: File
          image: >-
            quay.io/redhat-cop/kube-rbac-proxy@sha256:c68135620167c41e3d9f6c1d2ca1eb8fa24312b86186d09b8010656b9d25fb47
          args:
            - '--secure-listen-address=0.0.0.0:8443'
            - '--upstream=http://127.0.0.1:8080/'
            - '--logtostderr=true'
            - '--v=10'
            - '--tls-cert-file=/etc/certs/tls/tls.crt'
            - '--tls-private-key-file=/etc/certs/tls/tls.key'
        - resources:
            requests:
              cpu: 100m
              memory: 20Mi
          readinessProbe:
            httpGet:
              path: /readyz
              port: 8081
              scheme: HTTP
            initialDelaySeconds: 5
            timeoutSeconds: 1
            periodSeconds: 10
            successThreshold: 1
            failureThreshold: 3
          terminationMessagePath: /dev/termination-log
          name: manager
          command:
            - /manager
          livenessProbe:
            httpGet:
              path: /healthz
              port: 8081
              scheme: HTTP
            initialDelaySeconds: 15
            timeoutSeconds: 1
            periodSeconds: 20
            successThreshold: 1
            failureThreshold: 3
          env:
            - name: OPERATOR_CONDITION_NAME
              value: cert-utils-operator.v1.3.11
          securityContext:
            allowPrivilegeEscalation: false
          imagePullPolicy: IfNotPresent
          terminationMessagePolicy: File
          image: >-
            quay.io/redhat-cop/cert-utils-operator@sha256:57567c570c6d2c3b0f5cf2eef7526e302396f313503735fee2c5eb1c3a21ba8d
          args:
            - '--health-probe-bind-address=:8081'
            - '--metrics-bind-address=127.0.0.1:8080'
            - '--leader-elect'
      serviceAccount: controller-manager
      volumes:
        - name: tls-cert
          secret:
            secretName: cert-utils-operator-certs
            defaultMode: 420
      dnsPolicy: ClusterFirst
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 25%
      maxSurge: 25%
  revisionHistoryLimit: 1
  progressDeadlineSeconds: 600
```
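The deployment above is a useful input for a fleet-wide check: any kube-rbac-proxy sidecar that runs with a high `--v` level will dump incoming requests, headers included, to its log. The script below is an added example (not code from the thread or from the cert-utils-operator project) that audits a Deployment as returned by `kubectl get deploy -o json`, flags a kube-rbac-proxy container whose verbosity exceeds a policy threshold, and emits the strategic-merge patch that rewrites that container's `args`. The threshold `MAX_SAFE_VERBOSITY` and the `SAMPLE_DEPLOYMENT` (a trimmed copy of the manifest above) are assumptions made for the example.

```python
"""Audit a Deployment for a kube-rbac-proxy sidecar running with a high klog
verbosity and build the patch that lowers it.

Usage (input is what `kubectl get deploy <name> -n <ns> -o json` prints):
    python audit_rbac_proxy.py < deployment.json
With no piped input it audits the constructed sample below.
"""
import json
import sys

# Policy threshold for this audit (an assumption, not a kube-rbac-proxy default).
# The thread's deployment runs at --v=10, which dumps full requests with headers.
MAX_SAFE_VERBOSITY = 2

# Constructed sample: the relevant fields of the Deployment quoted in the thread.
SAMPLE_DEPLOYMENT = {
    "kind": "Deployment",
    "metadata": {"name": "cert-utils-operator-controller-manager",
                 "namespace": "cert-utils-operator"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "kube-rbac-proxy",
         "args": ["--secure-listen-address=0.0.0.0:8443",
                  "--upstream=http://127.0.0.1:8080/",
                  "--logtostderr=true",
                  "--v=10",
                  "--tls-cert-file=/etc/certs/tls/tls.crt",
                  "--tls-private-key-file=/etc/certs/tls/tls.key"]},
        {"name": "manager", "args": ["--leader-elect"]},
    ]}}},
}


def verbosity_of(args):
    """Return the klog verbosity selected by a container's args (0 if unset).
    Accepts --v=N, -v=N and the split form --v N / -v N; the last one wins."""
    level = 0
    skip_next = False
    for i, arg in enumerate(args):
        if skip_next:
            skip_next = False
            continue
        if arg.startswith(("--v=", "-v=")):
            level = int(arg.split("=", 1)[1])
        elif arg in ("--v", "-v") and i + 1 < len(args):
            level = int(args[i + 1])
            skip_next = True
    return level


def is_rbac_proxy(container):
    """Match the sidecar by name or image rather than by position in the list."""
    return ("kube-rbac-proxy" in container.get("name", "")
            or "kube-rbac-proxy" in container.get("image", ""))


def audit(deployment, max_level=MAX_SAFE_VERBOSITY):
    """Return [(container name, verbosity)] for every kube-rbac-proxy container
    whose verbosity exceeds max_level."""
    containers = deployment["spec"]["template"]["spec"].get("containers", [])
    findings = []
    for c in containers:
        if not is_rbac_proxy(c):
            continue
        level = verbosity_of(c.get("args", []))
        if level > max_level:
            findings.append((c["name"], level))
    return findings


def hardened_args(args, level=0):
    """Return a copy of args with every verbosity flag replaced by --v=<level>."""
    kept = []
    skip_next = False
    for arg in args:
        if skip_next:
            skip_next = False
            continue
        if arg.startswith(("--v=", "-v=")):
            continue
        if arg in ("--v", "-v"):
            skip_next = True
            continue
        kept.append(arg)
    kept.append(f"--v={level}")
    return kept


def strategic_merge_patch(deployment, level=0, max_level=MAX_SAFE_VERBOSITY):
    """Build the body for `kubectl patch deploy ... --type strategic -p <json>`.
    Strategic merge matches containers by name and replaces `args` wholesale,
    so only the flagged sidecar's args are rewritten."""
    flagged = {name for name, _ in audit(deployment, max_level)}
    containers = deployment["spec"]["template"]["spec"]["containers"]
    return {"spec": {"template": {"spec": {"containers": [
        {"name": c["name"], "args": hardened_args(c.get("args", []), level)}
        for c in containers if c["name"] in flagged]}}}}


if __name__ == "__main__":
    deploy = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_DEPLOYMENT
    findings = audit(deploy)
    for name, level in findings:
        print(f"{deploy['metadata']['namespace']}/{deploy['metadata']['name']}: "
              f"container {name} runs with --v={level} (max {MAX_SAFE_VERBOSITY})",
              file=sys.stderr)
    if findings:
        print(json.dumps(strategic_merge_patch(deploy)))
        sys.exit(1)
```

Patching the live Deployment is only a stop-gap for an OLM-managed operator: the `olm.deployment-spec-hash` label in the manifest above shows that OLM tracks the Deployment spec from the ClusterServiceVersion, so a drifted Deployment can be reconciled back to the CSV's verbose args. The durable fix is a release whose CSV no longer ships `--v=10`.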
I installed the cert-utils operator from OperatorHub on OpenShift. In default configuration it logs valid access token to the container log output.
OpenShift Version: 4.12.40
Operator Version: 1.3.11
Source: OperatorHub
This is problematic because a) it bypasses the security of the service account secrets and b) we store logs in a central log store which now contains valid secrets.
Expected behavior: The operator should not output any secret information, including access token, to the container log stream.
Example log output:
Test Login with access token
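Point b) of the report, valid tokens landing in a central log store, is the part a log pipeline can defend against on its own. The script below is an added example, not code from the thread or from the operator project: it flags and redacts bearer tokens (JWT-shaped and opaque) in a stream of log lines, and decodes the `sub` claim of any JWT it sees so the exposed service accounts can be identified for rotation. The token, the subject name and the log lines are constructed for the example and are not real kube-rbac-proxy output.

```python
"""Flag and redact bearer tokens in log lines before they reach a central store.
Works on any text stream, e.g. `kubectl logs <pod> -c kube-rbac-proxy | python redact_tokens.py`.
"""
import base64
import json
import re
import sys

# "Authorization: Bearer <token>"; the token charset covers JWTs as well as
# opaque tokens such as OpenShift's sha256~... OAuth access tokens.
BEARER = re.compile(r"(?i)(authorization:\s*bearer\s+)([A-Za-z0-9\-._~+/]+=*)")
# A bare JWT anywhere in the line: three base64url segments, header starting with eyJ.
JWT = re.compile(r"(?<![A-Za-z0-9_-])eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}")


def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed token: JWT-shaped with a fake signature, never issued by any cluster.
SAMPLE_JWT = ".".join([
    _b64url({"alg": "RS256", "kid": "constructed"}),
    _b64url({"iss": "kubernetes/serviceaccount",
             "sub": "system:serviceaccount:example-ns:example-scraper"}),
    "constructed-signature-not-valid",
])

# Constructed log lines in the spirit of the report; not real kube-rbac-proxy output.
SAMPLE_LOG = [
    "GET /metrics HTTP/1.1",
    f"Authorization: Bearer {SAMPLE_JWT}",
    "User-Agent: constructed-scraper/1.0",
    f"Test Login with access token {SAMPLE_JWT}",
    "Authorization: Bearer sha256~constructedOpaqueTokenValue0123456789",
]


def contains_token(line):
    """True if the line carries a bearer header or a bare JWT."""
    return bool(BEARER.search(line) or JWT.search(line))


def redact(line):
    """Replace credential material but keep the rest of the line for forensics."""
    line = BEARER.sub(lambda m: m.group(1) + "[REDACTED]", line)
    return JWT.sub("[REDACTED-JWT]", line)


def exposed_subjects(lines):
    """Decode the `sub` claim of every JWT seen so the exposed service accounts
    can be listed and their tokens rotated. No signature check is done: this is
    triage of already-leaked material, not authentication."""
    subjects = set()
    for line in lines:
        for token in JWT.findall(line):
            payload = token.split(".")[1]
            payload += "=" * (-len(payload) % 4)  # restore base64 padding
            try:
                claims = json.loads(base64.urlsafe_b64decode(payload))
            except (ValueError, UnicodeDecodeError):
                continue
            if isinstance(claims, dict) and "sub" in claims:
                subjects.add(claims["sub"])
    return sorted(subjects)


def filter_stream(lines):
    """Return (redacted lines, number of lines that carried a token)."""
    out, hits = [], 0
    for line in lines:
        if contains_token(line):
            hits += 1
        out.append(redact(line))
    return out, hits


if __name__ == "__main__":
    source = [l.rstrip("\n") for l in sys.stdin] if not sys.stdin.isatty() else SAMPLE_LOG
    cleaned, hits = filter_stream(source)
    print("\n".join(cleaned))
    if hits:
        print(f"{hits} line(s) carried a token; exposed subjects: "
              f"{exposed_subjects(source)}", file=sys.stderr)
```

Redaction at the collector only limits the blast radius; a token that was logged was already written to the container's stdout and may have been shipped before the filter existed, so the list from `exposed_subjects` is the input to a rotation, not a substitute for it.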