New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
helm 3 shows secrets with --dry-run option in clear text #7275
Comments
Hi @darkstarmv. It looks as though Line 141 in 0eaa881
What is your recommended course of action here? We could relax this constraint to only display this output when the @thomastaylor312 any thoughts here? |
i think by default |
I can see the argument, but at this point we can't change that output because of our backwards compatibility guarantees. So anything that we'd want to implement shouldn't break that |
so,
|
So given our backwards compatibility guarantees, we cannot remove the secret output by default. However, we would be more than willing to review and accept any implementation that uses a feature flag (something like --sanitize) to prevent those values from printing. I'll relabel this as a feature and anyone can implement it |
any updates on this? |
We'd rather not have secrets splashed across each jenkins job's console output. Any update on this? A |
No updates. Feel free to contribute! |
@thomastaylor312 i am not quite understand your comment about backwards compatibility. Helm 2 with dry-run did not exposed secrets, and Helm 3 expose them. So actually there is breaking compatibility changes introduced in Helm 3. Also if regular update/run do not expose secrets, i would expect from dry-run same. Because dry-run means: run as regular, but don't apply changes. We see different behavior here. It would be confusing if we would need to use extra flag for getting same behavior for dry-run and regular run. |
I guess this is really depends how we are treating it, as feature or bug? For me this is definitely a bug in dry-run mode. |
I would say "it works as expected". The helm diff plugin have a similar functionality. But there is available flag to explicit mask secrets. |
@EssentialMix has it right. Helm 3 broke the backward compatibility of the Helm 2 --dry-run behavior. Helm 2 --dry-run did not print any output (let alone secrets) as you can see here: $ helm version
Client: &version.Version{SemVer:"v2.16.3", GitCommit:"1ee0254c86d4ed6887327dabed7aa7da29d7eb0d", GitTreeState:"clean"}
Server: &version.Version{SemVer:"v2.16.3", GitCommit:"1ee0254c86d4ed6887327dabed7aa7da29d7eb0d", GitTreeState:"clean"}
$ helm install . --dry-run
NAME: anxious-marmot
<end-of-output> |
By backwards compatibility we don't mean with Helm 2. The reason for a new major version of Helm was to introduce breaking changes like this one. Now that the feature is in place, our backwards compatibility guarantees have to be honored for all of v3. However, this statement is interesting and deserves conversation:
This is something we'd have to run by other maintainers if we choose to do it because it would be a breaking change in Helm 3, something we do very very rarely and very carefully |
This issue has been marked as stale because it has been open for 90 days with no activity. This thread will be automatically closed in 30 days if no further activity occurs. |
Just adding a me-too to keep it alive and add my input. My biggest issue with this is that when wrapping a helm release into a pipeline using things like Gitlab or Actions etc - then secrets get dumped all over job logs when we are executing a dryrun as one of the tests. This requires then a team to a) be aware its even happening and b) go and manually delete jobs or even entire pipelines in order to hide these credentials. Given that a CI pipeline is a very prominent case for the existence of the dry-run flag in the first place, I feel it should be handled better Its a giant hole - it would be bad enough should a developers SCM account get exposed, but to also gift an attacker then access to secrets / infra credentials is like a nuke :) Can I suggest an opt-in |
I would like to vote a +1 for @sean-ersw suggestion of a --hide-secrets flag. In our pipelines, the quandry is to allow the use of the --dry-run or --debug flag to help our product teams debug their deployments but also at the same time, the concern that @sean-ersw articulates that secrets are printed to the CD (Jenkins) console. For deployments to production environments we may consider not allowing the use of a --debug or --dry-run flag and we may even have to go there for our staging/verify environments. I'd prefer we didn't have to. The ability to enforce in our pipeline code the use of a --hide-secrets flag whenever a --debug or --dry-run flag is provided in a helm command line would a) not restrict our end users current capabilities to use --dry-run or --debug flags and b) tighten this security hole when automating the use of helm in a CD pipeline. I think this is a serious enough consideration for the community to consider a solution, given that the use of helm in automation is common. |
Cool - feel free to contribute a fix. |
Understood @bacongobbler , fair enough reply :) |
Could someone explain why this issue labeled as @bacongobbler do you have any ETA of your MR? 🙏🏼 |
Any updates regarding the issue? This is a CRITICAL security breach, but nobody cares. |
I planing implement this feature in my project helm-assistant. |
Same story here, secrets in logs aren't secrets at all.
One more option for mitigating this using yq: helm template helm/ | yq --yaml-roundtrip '( select(.kind == "Secret") | (.data[]?, .stringData[]?) ) = "[Masked]"' |
For those who run CI pipeline w/o perl, the following is awk cmd solution:
This will replace the secret object output such that all lines after and including "type: Opaque" in the secret output is replaced with [HIDDEN]. I hope this helps those who don't have perl. |
Using the workaround suggested by @bstrdsmkr 👉 #7275 (comment) Created a helm plugin to mask Secret data. |
This issue has been marked as stale because it has been open for 90 days with no activity. This thread will be automatically closed in 30 days if no further activity occurs. |
This looks like there are several suggestions and tools to address the issue. Closing. |
Not sure I agree that this should be closed, as it feels like a pretty flagrant miss from a security perspective. Just because duct tape exists doesn't mean we shouldn't expect our tools to work without them. |
Please reopen the issue. Ith an important problem and I wait to fix it in helm |
I'm curious why there's no open CVE against a blatant security vulnerability that's been open for 3 years. It almost seems like a callout is needed here. |
For others bumping into this.
A way to avoid the secrets showing up in the CLI output is to pipe the result of the command to sed and mutate it:
For us this resulted in the section looking like this in the output:
yet I fully agree with all others here stating, that this should be solved in helm directly |
I know a lot of folks already came here to say how much of a security breach this is, but I'll say it again because it shocks me that Helm as a graduated CNCF project closes this issue like it's nothing after 3.5 years. |
For anyone still experiencing this issue -- this is a helm install --debug ... | sed '/USER-SUPPLIED VALUES:/,$d' We now use this in our deploys, so we can debug when a deploy fails, but not print any secrets/configuration that may reveal sensitive data. |
We used yq, tail and head to redact any element's value in any depth with any name. (Raspberry PI 4, Ubuntu 23.10, helm vesion 3.10.1) helm upgrade --install --dry-run --debug my-release ./path/to/chart/ | tail -n +11 | head -n -4|yq eval '(.. | select(has("name")) | .name) |= "REDACTED"' What is happening:
If we want to redact more than one element value then multiple yq statements can be chained one after another: helm upgrade --install --dry-run --debug my-release ./path/to/chart/ | tail -n +11 | head -n -4 | yq eval '(.. | select(has("name")) | .name) |= "REDACTED"' | yq eval '(.. | select(has("securityContext")) | .securityContext) |= "REDACTED"' This will replace name and securityContext values everywhere with REDACTED. There is probably a better shorter way of writing this, but I found it more readable. Note: Omitting |
There are zero suggestions or tools to address the critical security issue. Rather, there are a several kludges that can be used to workaround it as long as every single team member remembers to use a non-obvious pipe consistently, all the time. That does not address the issue. Adding a |
Do we know the organization or individual who allocated the CVE? This could be useful for tracking. If someone know about it, please let me know. Thanks. |
I opened the CVE. My apologies for not notifying you sooner. |
Thanks for letting me know. |
Output of
helm version
:helm version version.BuildInfo{Version:"v3.0.2", GitCommit:"19e47ee3283ae98139d98460de796c1be1e3975f", GitTreeState:"clean", GoVersion:"go1.13.5"}
Output of
kubectl version
:kubectl version Client Version: version.Info{Major:"1", Minor:"15", GitVersion:"v1.15.3", GitCommit:"2d3c76f9091b6bec110a5e63777c332469e0cba2", GitTreeState:"clean", BuildDate:"2019-08-19T11:13:54Z", GoVersion:"go1.12.9", Compiler:"gc", Platform:"darwin/amd64"}
Cloud Provider/Platform (AKS, GKE, Minikube etc.):
Issue
helm3
--dry-run
command prints content of the secrets where helm2 just the fact that secret has been created.This creates issue running helm
--dry-run
in CI/CD tools as it exposes secrets.The text was updated successfully, but these errors were encountered: