
Credentials appear in debug logs #2258

Open
jtwb opened this issue Jul 31, 2024 · 4 comments
Labels

  • kind/feature Categorizes issue or PR as related to a new feature.
  • lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed.
  • priority/awaiting-more-evidence Lowest priority. Possibly useful, but not yet enough support to actually get it done.

Comments


jtwb commented Jul 31, 2024

What happened (please include outputs or screenshots):

Kubernetes-client creates debug log lines for all REST API call response bodies. When using kubernetes-client to create kubernetes Secret objects, this presents an issue as the raw contents of the secret are logged.

The issue can be worked around by forcing kubernetes-client to never generate debug logs via log configuration (e.g. logging.dictConfig).

What you expected to happen:

Calling client.CoreV1Api().create_namespaced_secret() must never log the raw secret.

How to reproduce it (as minimally and precisely as possible):

    import base64
    from kubernetes import client

    # secret_name, secret_value and settings.K8S_NAMESPACE are defined elsewhere in the reporter's code
    body = client.V1Secret(
        metadata=client.V1ObjectMeta(name=secret_name),
        data={"secret_value": base64.b64encode(secret_value.encode()).decode("utf-8")},
    )
    core_client = client.CoreV1Api()
    core_client.create_namespaced_secret(settings.K8S_NAMESPACE, body)

Anything else we need to know?:

This appears to be the offending line:

# log response body
logger.debug("response body: %s", r.data)

Environment:

  • Kubernetes version (kubectl version): v1.30.0
  • OS (e.g., MacOS 10.13.6): Linux 33b1220370b0 6.4.16-linuxkit #1 SMP PREEMPT Thu Nov 16 10:49:20 UTC 2023 aarch64 GNU/Linux
  • Python version (python --version): Python 3.11.3
  • Python client version (pip list | grep kubernetes): 29.0.0
@jtwb jtwb added the kind/bug Categorizes issue or PR as related to a bug. label Jul 31, 2024
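The two mitigations discussed in this issue, as an added example that is not part of the issue or of the kubernetes-client project: a `logging.Filter` that masks the `data` and `stringData` values of any Secret (or SecretList) body before the client's `response body: %s` debug record reaches a handler, plus a `dictConfig` fragment that either installs that filter or applies the reporter's workaround of raising the client logger above DEBUG. It assumes the client logs through the logger named `kubernetes.client.rest` with the exact format string quoted above; the Secret response body is a constructed sample, and `hunter2` is a made-up value.

```python
import json
import logging
import logging.config

REDACTED = "<redacted>"

# Constructed sample of what the API server returns for a created Secret.
SAMPLE_BODY = json.dumps({
    "kind": "Secret", "apiVersion": "v1",
    "metadata": {"name": "db-creds", "namespace": "default"},
    "type": "Opaque",
    "data": {"secret_value": "aHVudGVyMg=="},  # base64("hunter2"), constructed
}).encode()


def redact_secret_body(raw):
    """Return the response body with Secret contents masked.

    Non-JSON bodies and non-Secret resources come back unchanged, so the
    filter never breaks debug logging for other API calls.
    """
    text = raw.decode("utf-8", "replace") if isinstance(raw, bytes) else str(raw)
    try:
        obj = json.loads(text)
    except ValueError:
        return text
    if not isinstance(obj, dict):
        return text
    if obj.get("kind") == "Secret":
        targets = [obj]
    elif obj.get("kind") == "SecretList":
        targets = [i for i in obj.get("items", []) if isinstance(i, dict)]
    else:
        return text
    for item in targets:
        for field in ("data", "stringData"):
            values = item.get(field)
            if isinstance(values, dict):
                # Keep the key names (useful for debugging), drop the values.
                item[field] = {k: REDACTED for k in values}
    return json.dumps(obj, separators=(",", ":"))


class SecretRedactingFilter(logging.Filter):
    """Mask Secret contents in the client's 'response body: %s' records.

    Assumption: the client logs exactly that format string with the raw
    body as the single positional argument, as quoted in the issue.
    """

    def filter(self, record):
        if record.msg == "response body: %s" and isinstance(record.args, tuple) and record.args:
            record.args = (redact_secret_body(record.args[0]),) + record.args[1:]
        return True  # never drop the record, only rewrite it


def build_logging_config(redact=True):
    """dictConfig for the client logger (assumed name 'kubernetes.client.rest').

    redact=True keeps DEBUG but routes every record through the filter;
    redact=False is the reporter's workaround: raise the level so bodies
    are never emitted at all.
    """
    return {
        "version": 1,
        "disable_existing_loggers": False,
        "filters": {"redact_secrets": {"()": SecretRedactingFilter}},
        "handlers": {"console": {"class": "logging.StreamHandler",
                                 "filters": ["redact_secrets"] if redact else []}},
        "loggers": {"kubernetes.client.rest": {
            "level": "DEBUG" if redact else "INFO",
            "handlers": ["console"], "propagate": False}},
    }


class _ListHandler(logging.Handler):
    """Collects formatted messages so the effect can be inspected offline."""

    def __init__(self):
        super().__init__()
        self.messages = []

    def emit(self, record):
        self.messages.append(self.format(record))


def demo(body, suppress_debug=False):
    """Emit the same debug call the client makes and return what a handler saw."""
    logger = logging.getLogger("kubernetes.client.rest")  # assumed logger name
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO if suppress_debug else logging.DEBUG)
    handler = _ListHandler()
    handler.addFilter(SecretRedactingFilter())
    logger.addHandler(handler)
    logger.debug("response body: %s", body)  # the line quoted in the issue
    return handler.messages


if __name__ == "__main__":
    logging.config.dictConfig(build_logging_config(redact=True))
    logging.getLogger("kubernetes.client.rest").debug("response body: %s", SAMPLE_BODY)
```

The filter is deliberately narrow: it keys on one format string in one module, so a change to the client's logging call would silently stop the masking. Treat it as defence in depth for environments where DEBUG output is needed, and rely on the level-based suppression (`redact=False` above) wherever request and response bodies are not actually required.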
@roycaihw (Member)

Does kubectl -v=9 exclude some part of Secret content from the HTTP body logging?

@roycaihw (Member)

I think the debug log logging all HTTP request and response body is working as intended. Marking this as a feature request.

@roycaihw roycaihw added kind/feature Categorizes issue or PR as related to a new feature. priority/awaiting-more-evidence Lowest priority. Possibly useful, but not yet enough support to actually get it done. and removed kind/bug Categorizes issue or PR as related to a bug. labels Aug 14, 2024
@k8s-triage-robot

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Nov 12, 2024
@k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle rotten
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Dec 12, 2024
No branches or pull requests

4 participants