Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Secrets in containerized nodes are wrong due to encoding #5778

Merged
merged 2 commits into from
Nov 7, 2015
Merged

Secrets in containerized nodes are wrong due to encoding #5778

merged 2 commits into from
Nov 7, 2015

Conversation

smarterclayton
Copy link
Contributor

The upstream "fix" for writing secrets onto disk while containerized improperly mangled the content of the node.

@liggitt this is candidate because of containerized.

@smarterclayton
UPSTREAM: 16969: nsenter file writer mangles newlines
1e7209b 
Results in secret content being incorrect, service account ca.crt has \n
instead of actual newlines.
@smarterclayton
Make auth-in-container tests cause test failure again
b2e0262
@smarterclayton smarterclayton force-pushed the fix_secret_in_container branch from 24d0e5c to b2e0262 Compare November 7, 2015 16:58
@smarterclayton
Copy link
Contributor Author

[test]

@smarterclayton smarterclayton added this to the 1.1.0 milestone Nov 7, 2015
@openshift-bot
Copy link
Contributor

Evaluated for origin test up to b2e0262

@smarterclayton
Copy link
Contributor Author

@sdodson this resulted in containerized node being broken, which breaks builds and other things. If you were having problems with pushes, builds, anything that required auth to the master, this was it (was deploy broken for you?)

@smarterclayton smarterclayton added priority/P1 approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Nov 7, 2015
liggitt
liggitt reviewed Nov 7, 2015
View reviewed changes
Godeps/_workspace/src/k8s.io/kubernetes/pkg/util/io/writer.go
@@ -56,10 +58,11 @@ func (writer *NsenterWriter) WriteFile(filename string, data []byte, perm os.Fil
"--",
}

echo_args := append(base_args, "sh", "-c",
fmt.Sprintf("echo %q | cat > %s", data, filename))
echo_args := append(base_args, "sh", "-c", fmt.Sprintf("cat > %s", filename))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't know all the things that call this. Is file name safe unquoted and unescaped?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is only one code path today that invokes this method, the inputs are the volume mount path (not user input) and secret data key (user input) but secret data key is strongly validated and path traversal should not be possible. Opened kubernetes/kubernetes#16971 to track resolution of that.

After review, for this code, in this spot, I believe we are safe unless someone else starts calling WriteFile.

@liggitt
Copy link
Contributor

liggitt commented Nov 7, 2015

Core change looks good, just the question on file name

@smarterclayton
Copy link
Contributor Author

Question answered sufficiently?

@liggitt
Copy link
Contributor

liggitt commented Nov 7, 2015

yeah, LGTM. Would like a follow up issue to revisit

@liggitt liggitt added the lgtm Indicates that a PR is ready to be merged. label Nov 7, 2015
@liggitt liggitt self-assigned this Nov 7, 2015
@smarterclayton
Copy link
Contributor Author

Upstream issue covers the revisit.

@smarterclayton
Copy link
Contributor Author

[merge]

@openshift-bot
Copy link
Contributor

continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_requests_origin/6987/) (Image: devenv-rhel7_2657)

@openshift-bot
Copy link
Contributor

Evaluated for origin merge up to b2e0262

@openshift-bot
Copy link
Contributor

continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_requests_origin/6987/)

openshift-bot pushed a commit that referenced this pull request Nov 7, 2015
Merge pull request #5778 from smarterclayton/fix_secret_in_container
b4bca5f 
Merged by openshift-bot
@openshift-bot openshift-bot merged commit b4bca5f into openshift:master Nov 7, 2015
@sdodson
Copy link
Member

sdodson commented Nov 8, 2015

@sdodson this resulted in containerized node being broken, which breaks builds and other things. If you were having problems with pushes, builds, anything that required auth to the master, this was it (was deploy br

No, I wasn't running into any problems like that. I was able to build the quickstarts just fine. Though I'm slightly confused as to why we weren't having problems now.

@smarterclayton
Copy link
Contributor Author

Builds are fine, deployments are likely to fail.

On Nov 7, 2015, at 7:30 PM, Scott Dodson [email protected] wrote:

@sdodson https://github.com/sdodson this resulted in containerized node
being broken, which breaks builds and other things. If you were having
problems with pushes, builds, anything that required auth to the master,
this was it (was deploy br

No, I wasn't running into any problems like that. I was able to build
examples just fine. Though I'm slightly confused as to why we weren't
having problems now.


Reply to this email directly or view it on GitHub
#5778 (comment).

@mfojtik mfojtik mentioned this pull request Nov 10, 2015
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@liggitt liggitt

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. priority/P1
Projects
None yet
Milestone
1.1.0
Development

Successfully merging this pull request may close these issues.
4 participants
@smarterclayton @openshift-bot @liggitt @sdodson