Skip to content

OCPBUGS-66403: Remove log exposing kubeconfig #5469

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
openshift-merge-bot merged 1 commit into from
Dec 11, 2025
Merged

OCPBUGS-66403: Remove log exposing kubeconfig #5469

openshift-merge-bot merged 1 commit into from
Dec 11, 2025
+1 −1

Conversation

@umohnani8
Copy link
Contributor

@umohnani8 umohnani8 commented Dec 8, 2025

Fixes https://issues.redhat.com/browse/OCPBUGS-66403

- What I did
MCD log on master nodes was exposing the kubeconfig in the logs. Remove that log so we are not accidentally leaking sensitive information.

- How to verify it
Ensure the MCD logs no longer have the kubeconfig text showing up in the log.

- Description for the changelog
Remove log exposing kubeconfig in MCD logs

@umohnani8
Remove log exposing kubeconfig
7681165 
MCD log on master nodes was exposing the kubeconfig
in the logs. Remove that log so we are not accidentally
leaking sensitive information.

Signed-off-by: Urvashi <umohnani@redhat.com>
@openshift-ci-robot openshift-ci-robot added jira/severity-moderate Referenced Jira bug's severity is moderate for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Dec 8, 2025
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Dec 8, 2025

@umohnani8: This pull request references Jira Issue OCPBUGS-66403, which is invalid:

  • expected the weakness to target the "4.21.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Fixes https://issues.redhat.com/browse/OCPBUGS-66403

- What I did
MCD log on master nodes was exposing the kubeconfig in the logs. Remove that log so we are not accidentally leaking sensitive information.

- How to verify it
Ensure the MCD logs no longer have the kubeconfig text showing up in the log.

- Description for the changelog
Remove log exposing kubeconfig in MCD logs

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Dec 8, 2025
@umohnani8
Copy link
Contributor Author

umohnani8 commented Dec 8, 2025

/jira refresh

@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Dec 8, 2025
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Dec 8, 2025

@umohnani8: This pull request references Jira Issue OCPBUGS-66403, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.21.0) matches configured target version for branch (4.21.0)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @sergiordlr

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot requested a review from sergiordlr December 8, 2025 14:40
@umohnani8
Copy link
Contributor Author

umohnani8 commented Dec 9, 2025

/retest

isabella-janssen
isabella-janssen reviewed Dec 9, 2025
View reviewed changes
Copy link
Member

@isabella-janssen isabella-janssen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/ltgm

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Dec 9, 2025
edited
Loading

@umohnani8: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/bootstrap-unit 7681165 link false /test bootstrap-unit

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

yuqi-zhang
yuqi-zhang approved these changes Dec 10, 2025
View reviewed changes
Copy link
Contributor

@yuqi-zhang yuqi-zhang left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/ltgm

Ah, was wondering why the bot was confused, lol

/lgtm
/label acknowledge-critical-fixes-only

This is log only and should not affect any payloads

pkg/daemon/certificate_writer.go

pathToData[kubeConfigPath] = newData
klog.Infof("Writing new Data to /etc/kubernetes/kubeconfig: %s", string(newData))
klog.Infof("Writing new Data to /etc/kubernetes/kubeconfig")
Copy link
Contributor

@yuqi-zhang yuqi-zhang Dec 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: technically this should be the unformatted info but it shouldn't affect anything

@openshift-ci openshift-ci bot added the acknowledge-critical-fixes-only Indicates if the issuer of the label is OK with the policy. label Dec 10, 2025
@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Dec 10, 2025
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Dec 10, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: umohnani8, yuqi-zhang

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:
  • OWNERS [umohnani8,yuqi-zhang]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@sergiordlr
Copy link
Contributor

sergiordlr commented Dec 11, 2025

Verified using IPI on AWS

We can see in the master nodes that the certificate is not printed anymore.

I1211 09:04:25.828195    5112 update.go:2755] "Skipping kubelet restart"
I1211 09:04:25.829420    5112 update.go:2755] "Cert not found in kubeconfig. This means we need to write to disk. Subject is: openshift-kube-apiserver-operator_localhost-recovery-serving-signer@1765443589"
I1211 09:04:25.830567    5112 update.go:2755] "Skipping kubelet restart"
I1211 09:04:25.832356    5112 certificate_writer.go:224] Writing new Data to /etc/kubernetes/kubeconfig <----- THIS WAS THE OFFENDING LINE WITH THE CERTIFICATE
I1211 09:04:25.849704    5112 certificate_writer.go:294] Certificate was synced from controllerconfig resourceVersion 13783

We have executed the security e2e test cases and we we have reviewed the generated MCD logs. We haven't seen any other certificate being printed.

/label qe-approved
/verified by @sergiordlr

@openshift-ci openshift-ci bot added the qe-approved Signifies that QE has signed off on this PR label Dec 11, 2025
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Dec 11, 2025

@umohnani8: This pull request references Jira Issue OCPBUGS-66403, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.21.0) matches configured target version for branch (4.21.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @sergiordlr

Details

In response to this:

Fixes https://issues.redhat.com/browse/OCPBUGS-66403

- What I did
MCD log on master nodes was exposing the kubeconfig in the logs. Remove that log so we are not accidentally leaking sensitive information.

- How to verify it
Ensure the MCD logs no longer have the kubeconfig text showing up in the log.

- Description for the changelog
Remove log exposing kubeconfig in MCD logs

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Dec 11, 2025
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Dec 11, 2025

@sergiordlr: This PR has been marked as verified by @sergiordlr.

Details

In response to this:

Verified using IPI on AWS

We can see in the master nodes that the certificate is not printed anymore.

I1211 09:04:25.828195    5112 update.go:2755] "Skipping kubelet restart"
I1211 09:04:25.829420    5112 update.go:2755] "Cert not found in kubeconfig. This means we need to write to disk. Subject is: openshift-kube-apiserver-operator_localhost-recovery-serving-signer@1765443589"
I1211 09:04:25.830567    5112 update.go:2755] "Skipping kubelet restart"
I1211 09:04:25.832356    5112 certificate_writer.go:224] Writing new Data to /etc/kubernetes/kubeconfig <----- THIS WAS THE OFFENDING LINE WITH THE CERTIFICATE
I1211 09:04:25.849704    5112 certificate_writer.go:294] Certificate was synced from controllerconfig resourceVersion 13783

We have executed the security e2e test cases and we we have reviewed the generated MCD logs. We haven't seen any other certificate being printed.

/label qe-approved
/verified by @sergiordlr

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Dec 11, 2025

/retest-required

Remaining retests: 0 against base HEAD e2f6042 and 2 for PR HEAD 7681165 in total

@isabella-janssen
Copy link
Member

isabella-janssen commented Dec 11, 2025

/test e2e-aws-ovn

@openshift-merge-bot openshift-merge-bot bot merged commit 5edd33d into openshift:main Dec 11, 2025
13 of 14 checks passed
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Dec 11, 2025

@umohnani8: Jira Issue Verification Checks: Jira Issue OCPBUGS-66403
✔️ This pull request was pre-merge verified.
✔️ All associated pull requests have merged.
✔️ All associated, merged pull requests were pre-merge verified.

Jira Issue OCPBUGS-66403 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload. 🕓

Details

In response to this:

Fixes https://issues.redhat.com/browse/OCPBUGS-66403

- What I did
MCD log on master nodes was exposing the kubeconfig in the logs. Remove that log so we are not accidentally leaking sensitive information.

- How to verify it
Ensure the MCD logs no longer have the kubeconfig text showing up in the log.

- Description for the changelog
Remove log exposing kubeconfig in MCD logs

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-merge-robot
Copy link
Contributor

openshift-merge-robot commented Dec 13, 2025

Fix included in accepted release 4.21.0-0.nightly-2025-12-13-080958

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@yuqi-zhang yuqi-zhang yuqi-zhang approved these changes

@dkhater-redhat dkhater-redhat Awaiting requested review from dkhater-redhat

@RishabhSaini RishabhSaini Awaiting requested review from RishabhSaini

@sergiordlr sergiordlr Awaiting requested review from sergiordlr

+1 more reviewer

@isabella-janssen isabella-janssen isabella-janssen left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@yuqi-zhang yuqi-zhang

Labels

acknowledge-critical-fixes-only Indicates if the issuer of the label is OK with the policy. approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/severity-moderate Referenced Jira bug's severity is moderate for the branch this PR is targeting. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged. qe-approved Signifies that QE has signed off on this PR verified Signifies that the PR passed pre-merge verification criteria

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@umohnani8 @openshift-ci-robot @sergiordlr @isabella-janssen @openshift-merge-robot @yuqi-zhang