Skip to content

Prevent ACR refresh token exposure in EXECVE audit logs#4675

Open
ehvs wants to merge 1 commit intomasterfrom
ehvs/ARO-24815
Open

Prevent ACR refresh token exposure in EXECVE audit logs#4675
ehvs wants to merge 1 commit intomasterfrom
ehvs/ARO-24815

Conversation

@ehvs
Copy link
Copy Markdown
Collaborator

@ehvs ehvs commented Mar 10, 2026
edited by s-fairchild
Loading

Which issue this PR addresses:

Replace az acr login --name with az acr login --expose-token + podman login --password-stdin in pull_container_images() to prevent the ACR refresh token from appearing as a command-line argument in auditd EXECVE records.

https://issues.redhat.com/browse/ARO-24815

why we need it:

During RP/Gateway VMSS bootstrap, pull_container_images() calls az acr login --name $registry. The Azure CLI internally spawns a docker login --password $token subprocess, which exposes the ACR refresh token as a plaintext command-line argument. This is captured by auditd EXECVE syscall logging.

podman --password-stdin should be used rather than az acr log to prevent the secret variable from being shown in shell output.

What is PR does

Tip

Files that directly fix ARO-24815 are (to assist reviewing changes):

  1. pkg/deploy/generator/scripts/rpVMSS.sh
  2. pkg/deploy/generator/scripts/util-common.sh
  1. Unsets xtrace shell option while working with sensitive information. Variables containing sensitive information are written to output when xtrace is set.
    • While logging into Azure acr via podman
    • While updating system TLS certificates
  2. Addresses shellcheck warnings
    • The warnings that can be safely disregarded have been disabled
    • Some warnings were valid, that code has been refactored

General improvements to improve readability

  1. All function and variable descriptions have been refactored to have a uniform style.
  2. Command/function calls with more than three options have been broken up into multiple lines.

Test plan for issue:

Deploying to INT to

  • Ensure the problem is resolved
  • Ensure no new errors/failures were introduced

Successfully deployed in pipelines:

  1. INT
  2. Canary
    • The script succeeds until the aro image pull is attempted. It tries to pull an image based on the tag, which apparently is no longer created.
  3. Re-releasing to INT to confirm no regression after rebasing from master

Copilot AI review requested due to automatic review settings March 10, 2026 17:04
Copilot AI reviewed Mar 10, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the VMSS bootstrapping image-pull flow to avoid exposing ACR credentials in process arguments by switching from az acr login to token-based login and podman login --password-stdin.

Changes:

  • Replace az acr login --name <registry> with az acr login --expose-token + podman login --password-stdin in pull_container_images().
  • Derive ACR registry hostname from ACRRESOURCEID for use with podman login.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

s-fairchild
s-fairchild reviewed Mar 10, 2026
View reviewed changes
s-fairchild
s-fairchild reviewed Mar 10, 2026
View reviewed changes
@s-fairchild s-fairchild force-pushed the ehvs/ARO-24815 branch 2 times, most recently from fff96c9 to bd9f985 Compare March 17, 2026 18:04
Copilot AI review requested due to automatic review settings March 17, 2026 18:04
Copilot AI reviewed Mar 17, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot was unable to review this pull request because the user who requested the review is ineligible. To be eligible to request a review, you need a paid Copilot license, or your organization must enable Copilot code review.

Copilot AI review requested due to automatic review settings March 17, 2026 19:16
Copilot AI reviewed Mar 17, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot was unable to review this pull request because the user who requested the review is ineligible. To be eligible to request a review, you need a paid Copilot license, or your organization must enable Copilot code review.

@github-actions github-actions bot added the needs-rebase branch needs a rebase label Mar 25, 2026
@github-actions
Copy link
Copy Markdown

github-actions bot commented Mar 25, 2026

Please rebase pull request.

@s-fairchild s-fairchild added the next-release To be included in the next RP release rollout label Mar 25, 2026
@github-actions github-actions bot removed the needs-rebase branch needs a rebase label Mar 25, 2026
@cadenmarchese
Copy link
Copy Markdown
Member

cadenmarchese commented Mar 25, 2026

/azp run ci

@azure-pipelines
Copy link
Copy Markdown

azure-pipelines bot commented Mar 25, 2026

Azure Pipelines successfully started running 1 pipeline(s).

Copilot AI review requested due to automatic review settings March 26, 2026 15:14
Copilot AI reviewed Mar 26, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot was unable to review this pull request because the user who requested the review is ineligible. To be eligible to request a review, you need a paid Copilot license, or your organization must enable Copilot code review.

@ehvs ehvs added the hold Hold label Mar 30, 2026
Copilot AI review requested due to automatic review settings March 30, 2026 15:13
Copilot AI reviewed Mar 30, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot was unable to review this pull request because the user who requested the review is ineligible. To be eligible to request a review, you need a paid Copilot license, or your organization must enable Copilot code review.

Copilot AI review requested due to automatic review settings March 30, 2026 18:32
Copilot AI reviewed Mar 30, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot was unable to review this pull request because the user who requested the review is ineligible. To be eligible to request a review, you need a paid Copilot license, or your organization must enable Copilot code review.

@s-fairchild
Copy link
Copy Markdown
Collaborator

s-fairchild commented Mar 30, 2026

/azp run ci

@azure-pipelines
Copy link
Copy Markdown

azure-pipelines bot commented Mar 30, 2026

Azure Pipelines successfully started running 1 pipeline(s).

@github-actions github-actions bot added the needs-rebase branch needs a rebase label Mar 31, 2026
@github-actions
Copy link
Copy Markdown

github-actions bot commented Mar 31, 2026

Please rebase pull request.

@s-fairchild
Unset xtrace while logging into acr via podman to prevent exposing th…
f6bbea4 
…e acr login secret

Reference: https://portal.microsofticm.com/imp/v5/incidents/details/752908291/summary

Add unset xtrace while configuring tls certificates
    * To be extra safe and ensure no certificate details are logged via shell tracing.

Add shell check comments, Update function descriptions
    * Add shellcheck comments for warnings that can be safely ignored.
    * Improve function readability by formatting them all in the same style.

Address shellcheck warnings in bootstrap scripts
    * Several warnings were unaddressed. Some of them were disabled as they can be safely ignored.
    * Others were refactored as the warnings were legitimate.
Copilot AI review requested due to automatic review settings April 8, 2026 16:31
Copilot AI reviewed Apr 8, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot was unable to review this pull request because the user who requested the review is ineligible. To be eligible to request a review, you need a paid Copilot license, or your organization must enable Copilot code review.

@github-actions github-actions bot removed the needs-rebase branch needs a rebase label Apr 8, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kevinobriendotca kevinobriendotca kevinobriendotca left review comments

@rajdeepc2792 rajdeepc2792 rajdeepc2792 left review comments

@s-fairchild s-fairchild s-fairchild left review comments

Copilot code review Copilot Copilot left review comments

@mociarain mociarain mociarain approved these changes

@tsatam tsatam tsatam approved these changes

@bennerv bennerv Awaiting requested review from bennerv bennerv is a code owner

@hawkowl hawkowl Awaiting requested review from hawkowl hawkowl is a code owner

@rogbas rogbas Awaiting requested review from rogbas rogbas is a code owner

@mrWinston mrWinston Awaiting requested review from mrWinston mrWinston is a code owner

@jharrington22 jharrington22 Awaiting requested review from jharrington22 jharrington22 is a code owner

@cadenmarchese cadenmarchese Awaiting requested review from cadenmarchese cadenmarchese is a code owner

@yjst2012 yjst2012 Awaiting requested review from yjst2012 yjst2012 is a code owner

@hlipsig hlipsig Awaiting requested review from hlipsig hlipsig is a code owner

@tiguelu tiguelu Awaiting requested review from tiguelu tiguelu is a code owner

@kimorris27 kimorris27 Awaiting requested review from kimorris27 kimorris27 is a code owner

@sankur-codes sankur-codes Awaiting requested review from sankur-codes sankur-codes is a code owner

@wanghaoran1988 wanghaoran1988 Awaiting requested review from wanghaoran1988 wanghaoran1988 is a code owner

@alcasim alcasim Awaiting requested review from alcasim alcasim is a code owner

@tuxerrante tuxerrante Awaiting requested review from tuxerrante tuxerrante is a code owner

@ventifus ventifus Awaiting requested review from ventifus ventifus is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

hold Hold loki next-release To be included in the next RP release rollout priority-high High priority issue or pull request

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.