-
Notifications
You must be signed in to change notification settings - Fork 2.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Hubble: improve security by adding an option to redact API key in Kafka requests (L7) #25844
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the patch! Unfortunately, we can't mutate LogRecord structures so the patch needs to be updated (see comment below).
Also although a breaking change I think it should be true by default cc @rolinh.
Mmh, I'm not sure about that. If L7 visibility was an opt-out feature, then I'd clearly say yes, Hubble should redact Kafka's API keys by default. However, L7 visibility is opt-in and its (security) implications should be well understood when enabling it (note: we should probably update the documentation to make that clear). My point is that even if we try our best to redact sensitive data, there's no guarantee that Hubble will always correctly redact all sensitive data from L7 payloads. Therefore, L7 flows should be treated as sensitive data overall. I also think that if we redact (known) sensitive data by default, then that means we should do it overall which would imply that we also redact all HTTP headers by default and I'm not sure we would want that.
00e1df7
to
f18bf51
Compare
Hi @kaworu, thanks for taking a look at this! I pushed a commit that updates the Kafka unit tests to cover the Kafka API key redact option. LMK if this is what you had in mind. |
f18bf51
to
edcadad
Compare
@rolinh generally agree with all that you wrote
HTTP headers may or may not be sensitive data, while I think we can agree basic auth password and Kafka API key always are. We're already redacting the former unconditionally, so in my opinion doing it by default for the latter would be consistent. Not feeling too strongly about this though. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @ioandr for the quick update! The patch LGTM besides the missing doc update 🚀
Sure, I can prepare a short doc as discussed above. However the following is not 100% clear to me: How are we planning to expose this option to end-users? Do we want end-users to control this option via the
IIUC the above command directly updates the We can also add a new argument in the
This is what @ChrsMark has done in his PR that tackles the redaction of HTTP query params, so maybe we want a uniform approach in both. PTAL: https://github.com/cilium/cilium/pull/25746/files |
68ea860
to
086d452
Compare
Hey @pippolo84 @nathanjsweet @asauber @aditighag any chances having a look into this one? It should be a simple one 🙏🏽. Despite being labeled with |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks! 💯
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
@kaworu Looks like your concern was addressed? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Indeed, we can address this with a small, dedicated issue/PR that will make HTTP password redaction in L7 flows configurable, similar to what we did for URL query parameters and Kafka API key. Redaction of HTTP password was already implemented and non-configurable. As such, we avoided this refactoring to keep our PRs small and concise. Thanks for the review @kaworu |
/test |
+1 on providing a follow-up for |
@ioandr, Can you please rebase this PR on |
51cb34f
to
91929a2
Compare
@ldelossa the only test that is failing is the mergeability one - I suppose due to the LMK if you need any further action from my side. |
/test |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, my main feedback here would be that we should list the "allowed" redacted values more clearly in the docs; make it clear that right now there are exactly two options and what they are.
Hi @asauber, thank you for your feedback on this. How about we rephrase the doc as follows: To harden security, Cilium provides the ``--hubble-redact`` option which
accepts a comma-separated list of values that control how Hubble handles
sensitive information present in Layer 7 flows. More specifically, it offers
the following features and values for supported Layer 7 protocols:
* For HTTP: redacting URL query (GET) parameters (``--hubble-redact=http-url-query``)
* For Kafka: redacting API key (``--hubble-redact=kafka-api-key``) |
@ioandr That phrasing looks good to me |
Co-authored-by: ChrsMark <chrismarkou92@gmail.com> Signed-off-by: Ioannis Androulidakis <androulidakis.ioannis@gmail.com>
* Extend accepted values for the `--hubble-redact` CLI option * Add unit tests for Kafka in L7 parser * Update the `visibility.rst` document * Update Helm chart templates and values Co-authored-by: ChrsMark <chrismarkou92@gmail.com> Signed-off-by: Ioannis Androulidakis <androulidakis.ioannis@gmail.com>
91929a2
to
675f79e
Compare
/test |
@ldelossa I see that you removed the I see that one test is failing with:
I believe this is something temporary/flaky, that is, the test failure is not caused by the changes of this PR. Maybe we can re-trigger tests? |
/ci-multicluster |
Add option to redact API key in Kafka requests.
TODOS
Refs: #23887
Depends on: #25746