Hubble: improve security by adding an option to redact API key in Kafka requests (L7)

[ioandr]

Add option to redact API key in Kafka requests.

TODOS

• Accept option to redact Kafka API key
• Add business logic to L7 parser
• Add unit tests
• Update Helm charts
• Update docs

Refs: #23887

Depends on: #25746

[kaworu]

Thanks for the PR @ioandr, patch LGTM.

I would like to see a new test ensuring that KafkaRedactAPIKey is honored. Also although a breaking change I think it should be true by default cc @rolinh.

[rolinh]

Thanks for the patch! Unfortunately, we can't mutate LogRecord structures so the patch needs to be updated (see comment below).

Also although a breaking change I think it should be true by default cc @rolinh.

Mmh, I'm not sure about that. If L7 visibility was an opt-out feature, then I'd clearly say yes, Hubble should redact Kafka's API keys by default. However, L7 visibility is opt-in and its (security) implications should be well understood when enabling it (note: we should probably update the documentation to make that clear). My point is that even if we try our best to redact sensitive data, there's no guarantee that Hubble will always correctly redact all sensitive data from L7 payloads. Therefore, L7 flows should be treated as sensitive data overall. I also think that if we redact (known) sensitive data by default, then that means we should do it overall which would imply that we also redact all HTTP headers by default and I'm not sure we would want that.

[ioandr]

I would like to see a new test ensuring that KafkaRedactAPIKey is honored.

Hi @kaworu, thanks for taking a look at this!

I pushed a commit that updates the Kafka unit tests to cover the Kafka API key redact option. LMK if this is what you had in mind.

[kaworu]

@rolinh generally agree with all that you wrote

I also think that if we redact (known) sensitive data by default, then that means we should do it overall which would imply that we also redact all HTTP headers by default and I'm not sure we would want that.

HTTP headers may or may not be sensitive data, while I think we can agree basic auth password and Kafka API key always are. We're already redacting the former unconditionally, so in my opinion doing it by default for the latter would be consistent. Not feeling too strongly about this though.

[kaworu]

Thanks @ioandr for the quick update! The patch LGTM besides the missing doc update 🚀

[ioandr]

Thanks @ioandr for the quick update! The patch LGTM besides the missing doc

Sure, I can prepare a short doc as discussed above.

However the following is not 100% clear to me:

How are we planning to expose this option to end-users? Do we want end-users to control this option via the cilium CLI? i.e.,

$ cilium config set hubble-l7-parser-kafka-redact-api-key true/false

IIUC the above command directly updates the kube-system/cilium-config ConfigMap.

We can also add a new argument in the cilium-agent CLI. Looking at the codebase, this requires the following:

1. Extend Cilium https://github.com/cilium/cilium/blob/main/pkg/option/config.go with an option to control whether Hubble's L7 parser redacts Kafka API keys - we already declare Hubble* options there
2. Set a sane default value for the newly added Hubble L7 option under https://github.com/cilium/cilium/blob/main/pkg/defaults/defaults.go
3. Pass context to the L7 payload parser upon creation: https://github.com/cilium/cilium/blob/main/daemon/cmd/hubble.go#L141
4. Initialize flag in https://github.com/cilium/cilium/blob/main/daemon/cmd/daemon_main.go
5. Possibly update Cilium's Helm chart, so that Cilium's ConfigMap contains this option
6. Update user-facing files as neededHubbleMetrics (e.g., README, Helm Reference, etc.)

This is what @ChrsMark has done in his PR that tackles the redaction of HTTP query params, so maybe we want a uniform approach in both. PTAL: https://github.com/cilium/cilium/pull/25746/files

CC @kaworu @rolinh

[ChrsMark]

Hey @pippolo84 @nathanjsweet @asauber @aditighag any chances having a look into this one? It should be a simple one 🙏🏽. Despite being labeled with dont-merge/wait-until-release it would be great if can have it reviewed and ready for merge :).

[zacharysarah]

LGTM

[pippolo84]

Thanks! 💯

[jrajahalme]

LGTM

[jrajahalme]

@kaworu Looks like your concern was addressed?

[kaworu]

Thanks for the update @ioandr patch LGMT!

@kaworu Looks like your concern was addressed?

Yes, although I still find it inconsistent to redact the HTTP password unconditionally while the Kafka API key redaction is opt-in, but that's arguably out of the scope of this PR.

[ioandr]

Yes, although I still find it inconsistent to redact the HTTP password unconditionally while the Kafka API key redaction is opt-in, but that's arguably out of the scope of this PR.

Indeed, we can address this with a small, dedicated issue/PR that will make HTTP password redaction in L7 flows configurable, similar to what we did for URL query parameters and Kafka API key.

Redaction of HTTP password was already implemented and non-configurable. As such, we avoided this refactoring to keep our PRs small and concise.

Thanks for the review @kaworu

[kaworu]

/test

[ChrsMark]

+1 on providing a follow-up for --hubble-redact=http-basic-auth-password which will be true by default :).

[ldelossa]

@ioandr, Can you please rebase this PR on main and push? Should fix some issues with the tests.

[ioandr]

@ldelossa the only test that is failing is the mergeability one - I suppose due to the dont-merge/wait-until-release label that prevents merge.

LMK if you need any further action from my side.

[kaworu]

/test

[asauber]

LGTM, my main feedback here would be that we should list the "allowed" redacted values more clearly in the docs; make it clear that right now there are exactly two options and what they are.

[ioandr]

LGTM, my main feedback here would be that we should list the "allowed" redacted values more clearly in the docs; make it clear that right now there are exactly two options and what they are.

Hi @asauber, thank you for your feedback on this. How about we rephrase the doc as follows:

To harden security, Cilium provides the ``--hubble-redact`` option which
accepts a comma-separated list of values that control how Hubble handles
sensitive information present in Layer 7 flows. More specifically, it offers
the following features and values for supported Layer 7 protocols:

* For HTTP: redacting URL query (GET) parameters (``--hubble-redact=http-url-query``)
* For Kafka: redacting API key (``--hubble-redact=kafka-api-key``)

[asauber]

@ioandr That phrasing looks good to me

[ldelossa]

/test

[ioandr]

@ldelossa I see that you removed the dont-merge/wait-until-release label so I suppose there is no blocker towards merging this.

I see that one test is failing with:

connectivity test failed: timeout reached waiting lookup for localhost from pod cilium-test/client-6965d549d5-mjxk9 to server on pod cilium-test/echo-other-node-545c9b778b-m6d6t to succeed (last error: context deadline exceeded)
Error: Process completed with exit code 1.

I believe this is something temporary/flaky, that is, the test failure is not caused by the changes of this PR. Maybe we can re-trigger tests?

[kaworu]

/ci-multicluster
EDIT: previous CI run hit #26513