openshift-node is logging private RSA keys to the systemd journal #3951
These are the router credentials currently stored in envvars. Same exists for the registry pod.

What log level should we be defaulting users to at this point?

4 is "debug", 2 is "normal verbosity", 3 is "more than normal".

@wshearn agreed. My question was somewhat tangential, sorry.

Should we expect envvars to contain secret values?

@liggitt What about generating a secret store and mounting that into the container? That could allow people to still easily overwrite the secrets if they want while still providing some security around them.

Converting registry/router to use service account credentials (as secrets) is already planned, just not done yet.

Found another place this is being spit out (probably stored in the same place on the backend).

Right, the root cause is storing the cert/key as envvars in the pod, which is what needs to stop.

--credentials has been deprecated for both router and registry commands. I'd like to stop generating the cert-based credentials for the register and router post-1.2, and remove the --credentials option entirely by 1.3.

Deprecated in 1.2? It's littered all over our docs currently.

It's still present, functional, and supported, but isn't necessary and is discouraged. Docs still need updating, on my list.

Wait, what is 1.2 and 1.3? The git tags show the latest stable release as v1.1.6.

the future :)

Ah, ok. The way @sdodson said "deprecated in 1.2?" sounded past tense and I was confused. Thanks :)

So FYI, I stumbled on that while looking for a bug, and asked for a CVE to be assigned: Answer: So that's CVE-2015-8945.
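
An added example, not part of the thread or the OpenShift code base: a Go check an operator could run over exported journal text to find lines where a PEM private key was logged, and to redact the key before the log is shared. The sample lines, the `EXAMPLE_*` variable names and the key bodies are constructed placeholders, and the log layout is an assumption.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// pemKey matches a PEM private-key block. The END marker is optional so a
// truncated log line still matches; (?s) lets the body span real newlines.
var pemKey = regexp.MustCompile(
	`(?s)-----BEGIN ([A-Z0-9 ]*?)PRIVATE KEY-----.*?(?:-----END [A-Z0-9 ]*?PRIVATE KEY-----|$)`)

// Finding records where key material was seen, never the key itself.
type Finding struct {
	Line int    // 1-based line number in the scanned text
	Kind string // "RSA", "EC", ... or "" for a PKCS#8 block
}

// Scan returns one Finding per private-key block in exported journal text.
func Scan(journal string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(journal))
	sc.Buffer(make([]byte, 0, 64*1024), 1<<20) // logged pod specs can be long
	for n := 1; sc.Scan(); n++ {
		for _, m := range pemKey.FindAllStringSubmatch(sc.Text(), -1) {
			out = append(out, Finding{Line: n, Kind: strings.TrimSpace(m[1])})
		}
	}
	return out
}

// Redact replaces each block (to end of text if unterminated) with a marker.
func Redact(s string) string {
	return pemKey.ReplaceAllString(s, "[REDACTED PRIVATE KEY]")
}

// Constructed sample, not real output; layout and names are assumptions.
const sample = `node1 openshift-node[100]: pod sync ok
node1 openshift-node[100]: {Name:EXAMPLE_KEY Value:-----BEGIN RSA PRIVATE KEY-----\nKEYBODYPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n}
node1 openshift-node[100]: {Name:EXAMPLE_CERT Value:-----BEGIN CERTIFICATE-----\nCERTBODYPLACEHOLDER\n-----END CERTIFICATE-----\n}
node1 openshift-node[100]: {Name:EXAMPLE_KEY Value:-----BEGIN RSA PRIVATE KEY-----\nKEYBODYPLACE`

func main() {
	for _, f := range Scan(sample) {
		fmt.Printf("line %d: %s private key in log\n", f.Line, f.Kind)
	}
	fmt.Println(Redact(sample))
}
```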