Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update redacting functionality to redact all sensitive info in config when printing with view #109189

Merged
merged 3 commits into from Nov 8, 2022
Merged

Update redacting functionality to redact all sensitive info in config when printing with view #109189

merged 3 commits into from Nov 8, 2022

Conversation

mpuckett159
Copy link
Contributor

@mpuckett159 mpuckett159 commented Mar 31, 2022
edited

What type of PR is this?

/kind feature

What this PR does / why we need it:

Updates redacting functionality of kubectl config view to properly redact all config keys with a datapolicy tag. This is accomplished by introducing a new function RedactSecrets in client-go and then consuming it in kubectl.

Example usages

No flags:

❯ ./_output/local/bin/darwin/amd64/kubectl config view
apiVersion: v1
clusters: null
contexts: null
current-context: ""
kind: Config
preferences: {}
users:
- name: foo
  user:
    auth-provider:
      config:
        refresh-token: test1233
      name: ""
    client-certificate-data: DATA+OMITTED
    client-key-data: DATA+OMITTED
    exec:
      args:
      - test
      command: foo1
      env:
      - name: test
        value: vla2
      provideClusterInfo: false
    token: REDACTED
    password: REDACTED
    username: mpuckett

With --raw:

❯ ./_output/local/bin/darwin/amd64/kubectl config view --raw         
apiVersion: v1
clusters: null
contexts: null
current-context: ""
kind: Config
preferences: {}
users:
- name: foo
  user:
    auth-provider:
      config:
        refresh-token: test1233
      name: ""
    client-certificate-data: YWZmYWRzZmFzZGZz
    client-key-data: YWZmYWRzZmFzZGZz
    exec:
      args:
      - test
      command: foo1
      env:
      - name: test
        value: vla2
      provideClusterInfo: false
    token: YWZmYWRzZmFzZGZz
    password: fake-password
    username: mpuckett

Which issue(s) this PR fixes:

Fixes kubernetes/kubectl#1193

Does this PR introduce a user-facing change?

kubectl config view now automatically redacts any secret fields marked with a datapolicy tag

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/feature Categorizes issue or PR as related to a new feature. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Mar 31, 2022
@k8s-ci-robot
Copy link
Contributor

Hi @mpuckett159. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the needs-priority Indicates a PR lacks a `priority/foo` label and requires one. label Mar 31, 2022
@k8s-ci-robot k8s-ci-robot added area/kubectl sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/cli Categorizes an issue or PR as relevant to SIG CLI. and removed do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Mar 31, 2022
@mpuckett159
Copy link
Contributor Author

You'll notice in the above examples that users.foo.auth-provider.config.refresh-token is not redacted. I'm not exactly sure how we should god about doing that if it is desired to redact that, because this value is set by a simple map[string]string which can't have the datapolicy that I'm using to determine whether to redact or not. We could search for map keys that contain token or password maybe, even secret but because this is kind of a free form field it might just be better to manually remove the output of the entire object.

@mpuckett159 mpuckett159 changed the title Update redacting functionality to redact all sensitive info in config Update redacting functionality to redact all sensitive info in config when printing with view Mar 31, 2022
@fedebongio
Copy link
Contributor

/remove-sig api-machinery
/sig auth

@k8s-ci-robot k8s-ci-robot added sig/auth Categorizes an issue or PR as relevant to SIG Auth. and removed sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. labels Mar 31, 2022
@enj enj added this to Needs Triage in SIG Auth Old Apr 9, 2022
ardaguclu
ardaguclu reviewed Jun 7, 2022
View reviewed changes
Copy link
Member

@ardaguclu ardaguclu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR @mpuckett159 !

staging/src/k8s.io/kubectl/pkg/cmd/config/view.go Outdated Show resolved Hide resolved
staging/src/k8s.io/client-go/tools/clientcmd/api/helpers.go Show resolved Hide resolved
staging/src/k8s.io/client-go/tools/clientcmd/api/helpers.go Show resolved Hide resolved
staging/src/k8s.io/client-go/tools/clientcmd/api/helpers.go Show resolved Hide resolved
@ardaguclu
Copy link
Member

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. area/test sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/testing Categorizes an issue or PR as relevant to SIG Testing. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Jun 7, 2022
@leilajal
Copy link
Contributor

leilajal commented Jun 9, 2022

/remove-sig api-machinery
/triage accepted

@k8s-ci-robot k8s-ci-robot added the triage/accepted Indicates an issue or PR is ready to be actively worked on. label Jun 9, 2022
@mpuckett159 mpuckett159 force-pushed the feature/redact-config branch 2 times, most recently from ad84892 to 8c54589 Compare July 21, 2022 01:06
@mpuckett159
Copy link
Contributor Author

/retest-required

@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Oct 19, 2022
@mpuckett159
Copy link
Contributor Author

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot added do-not-merge/contains-merge-commits Indicates a PR which contains merge commits. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Oct 19, 2022
@mpuckett159
Copy link
Contributor Author

Sorry for the churn there, not exactly sure what I was thinking there 🙄

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/contains-merge-commits Indicates a PR which contains merge commits. label Oct 24, 2022
@soltysh
Copy link
Contributor

soltysh commented Oct 24, 2022

/test unit

@k8s-ci-robot
Copy link
Contributor

@soltysh: The specified target(s) for /test were not found.
The following commands are available to trigger required jobs:

  • /test pull-kubernetes-conformance-kind-ga-only-parallel
  • /test pull-kubernetes-coverage-unit
  • /test pull-kubernetes-dependencies
  • /test pull-kubernetes-dependencies-go-canary
  • /test pull-kubernetes-e2e-gce
  • /test pull-kubernetes-e2e-gce-100-performance
  • /test pull-kubernetes-e2e-gce-big-performance
  • /test pull-kubernetes-e2e-gce-canary
  • /test pull-kubernetes-e2e-gce-network-proxy-http-connect
  • /test pull-kubernetes-e2e-gce-no-stage
  • /test pull-kubernetes-e2e-gce-scale-performance-manual
  • /test pull-kubernetes-e2e-gce-ubuntu-containerd
  • /test pull-kubernetes-e2e-gce-ubuntu-containerd-canary
  • /test pull-kubernetes-e2e-kind
  • /test pull-kubernetes-e2e-kind-ipv6
  • /test pull-kubernetes-integration
  • /test pull-kubernetes-integration-go-canary
  • /test pull-kubernetes-kubemark-e2e-gce-scale
  • /test pull-kubernetes-node-e2e-containerd
  • /test pull-kubernetes-typecheck
  • /test pull-kubernetes-unit
  • /test pull-kubernetes-unit-go-canary
  • /test pull-kubernetes-update
  • /test pull-kubernetes-verify
  • /test pull-kubernetes-verify-go-canary
  • /test pull-kubernetes-verify-govet-levee

The following commands are available to trigger optional jobs:

  • /test check-dependency-stats
  • /test pull-ci-kubernetes-unit-windows
  • /test pull-e2e-gce-cloud-provider-disabled
  • /test pull-kubernetes-conformance-image-test
  • /test pull-kubernetes-conformance-kind-ga-only
  • /test pull-kubernetes-conformance-kind-ipv6-parallel
  • /test pull-kubernetes-cross
  • /test pull-kubernetes-e2e-capz-azure-disk
  • /test pull-kubernetes-e2e-capz-azure-disk-vmss
  • /test pull-kubernetes-e2e-capz-azure-file
  • /test pull-kubernetes-e2e-capz-azure-file-vmss
  • /test pull-kubernetes-e2e-capz-conformance
  • /test pull-kubernetes-e2e-capz-ha-control-plane
  • /test pull-kubernetes-e2e-capz-windows-containerd
  • /test pull-kubernetes-e2e-containerd-gce
  • /test pull-kubernetes-e2e-gce-alpha-features
  • /test pull-kubernetes-e2e-gce-correctness
  • /test pull-kubernetes-e2e-gce-csi-serial
  • /test pull-kubernetes-e2e-gce-device-plugin-gpu
  • /test pull-kubernetes-e2e-gce-kubetest2
  • /test pull-kubernetes-e2e-gce-network-proxy-grpc
  • /test pull-kubernetes-e2e-gce-storage-disruptive
  • /test pull-kubernetes-e2e-gce-storage-slow
  • /test pull-kubernetes-e2e-gce-storage-snapshot
  • /test pull-kubernetes-e2e-gce-ubuntu-containerd-serial
  • /test pull-kubernetes-e2e-gci-gce-autoscaling
  • /test pull-kubernetes-e2e-gci-gce-ingress
  • /test pull-kubernetes-e2e-gci-gce-ipvs
  • /test pull-kubernetes-e2e-kind-canary
  • /test pull-kubernetes-e2e-kind-dual-canary
  • /test pull-kubernetes-e2e-kind-ipv6-canary
  • /test pull-kubernetes-e2e-kind-ipvs-dual-canary
  • /test pull-kubernetes-e2e-kind-multizone
  • /test pull-kubernetes-e2e-kops-aws
  • /test pull-kubernetes-e2e-kubelet-credential-provider
  • /test pull-kubernetes-e2e-ubuntu-gce-network-policies
  • /test pull-kubernetes-kind-dra
  • /test pull-kubernetes-kubemark-e2e-gce-big
  • /test pull-kubernetes-local-e2e
  • /test pull-kubernetes-node-crio-cgrpv2-e2e
  • /test pull-kubernetes-node-crio-cgrpv2-e2e-kubetest2
  • /test pull-kubernetes-node-crio-e2e
  • /test pull-kubernetes-node-crio-e2e-kubetest2
  • /test pull-kubernetes-node-e2e-containerd-alpha-features
  • /test pull-kubernetes-node-e2e-containerd-features
  • /test pull-kubernetes-node-e2e-containerd-features-kubetest2
  • /test pull-kubernetes-node-e2e-containerd-kubetest2
  • /test pull-kubernetes-node-kubelet-credential-provider
  • /test pull-kubernetes-node-kubelet-serial-containerd
  • /test pull-kubernetes-node-kubelet-serial-containerd-kubetest2
  • /test pull-kubernetes-node-kubelet-serial-cpu-manager
  • /test pull-kubernetes-node-kubelet-serial-cpu-manager-kubetest2
  • /test pull-kubernetes-node-kubelet-serial-crio-cgroupv1
  • /test pull-kubernetes-node-kubelet-serial-crio-cgroupv2
  • /test pull-kubernetes-node-kubelet-serial-hugepages
  • /test pull-kubernetes-node-kubelet-serial-memory-manager
  • /test pull-kubernetes-node-kubelet-serial-topology-manager
  • /test pull-kubernetes-node-kubelet-serial-topology-manager-kubetest2
  • /test pull-kubernetes-node-memoryqos-cgrpv2
  • /test pull-kubernetes-node-swap-fedora
  • /test pull-kubernetes-node-swap-fedora-serial
  • /test pull-kubernetes-node-swap-ubuntu-serial
  • /test pull-kubernetes-unit-experimental
  • /test pull-publishing-bot-validate

Use /test all to run the following jobs that were automatically triggered:

  • pull-kubernetes-conformance-kind-ga-only-parallel
  • pull-kubernetes-dependencies
  • pull-kubernetes-e2e-gce-100-performance
  • pull-kubernetes-e2e-gce-ubuntu-containerd
  • pull-kubernetes-e2e-kind
  • pull-kubernetes-e2e-kind-ipv6
  • pull-kubernetes-integration
  • pull-kubernetes-node-e2e-containerd
  • pull-kubernetes-typecheck
  • pull-kubernetes-unit
  • pull-kubernetes-verify
  • pull-kubernetes-verify-govet-levee

In response to this:

/test unit

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@soltysh
Copy link
Contributor

soltysh commented Oct 24, 2022

/test pull-kubernetes-unit

soltysh
soltysh approved these changes Oct 24, 2022
View reviewed changes
Copy link
Contributor

@soltysh soltysh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/approve
/label tide/merge-method-squash

@k8s-ci-robot k8s-ci-robot added tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges. lgtm "Looks good to me", indicates that a PR is ready to be merged. labels Oct 24, 2022
sttts
sttts reviewed Oct 25, 2022
View reviewed changes
staging/src/k8s.io/client-go/tools/clientcmd/api/helpers_test.go
// client-certificate-data: REDACTED
// client-key-data: REDACTED
// client-certificate-data: DATA+OMITTED
// client-key-data: DATA+OMITTED
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

did this really change?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

and why

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This test is for the ShortenConfig() and MinifyConfig() functions. ShortenConfig used to perform the action of redacting the secrets, but no longer handles that process and instead only omits byte data.

@sttts
Copy link
Contributor

sttts commented Nov 8, 2022

/approve

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mpuckett159, soltysh, sttts

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 8, 2022
@k8s-ci-robot k8s-ci-robot merged commit e721272 into kubernetes:master Nov 8, 2022
SIG Auth Old automation moved this from In Progress to Closed / Done Nov 8, 2022
@k8s-ci-robot k8s-ci-robot added this to the v1.26 milestone Nov 8, 2022
jaehnri pushed a commit to jaehnri/kubernetes that referenced this pull request Jan 3, 2023
@mpuckett159 @jaehnri
Update redacting functionality to redact all sensitive info in config…
f823150 
… when printing with view (kubernetes#109189)

* Add RedactSecrets function

* Move RedactSecrets method to existing RawBytesData case

* Update TestRedactSecrets to use new pattern of os.CreateTemp()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sttts sttts sttts left review comments

@deads2k deads2k deads2k left review comments

@ardaguclu ardaguclu ardaguclu left review comments

@soltysh soltysh soltysh approved these changes

Assignees

@soltysh soltysh

@deads2k deads2k

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/kubectl area/test cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. priority/backlog Higher priority than priority/awaiting-more-evidence. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/cli Categorizes an issue or PR as relevant to SIG CLI. sig/testing Categorizes an issue or PR as relevant to SIG Testing. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
SIG Auth
Archived in project
SIG Auth Old
Closed / Done
Milestone
v1.26
Development

Successfully merging this pull request may close these issues.

kubectl config view shows auth-provider secrets
9 participants
@mpuckett159 @k8s-ci-robot @fedebongio @ardaguclu @leilajal @soltysh @k8s-triage-robot @sttts @deads2k