✨ (kustomize/v1) reduce the debug log level for the sidecar container kube-rbac-proxy from 10 to 0 #2435
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
|
Hi @geezyx. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
needs-ok-to-test
|
/cc @camilamacedo86 |
| @@ -15,7 +15,6 @@ spec: | |||
| - "--secure-listen-address=0.0.0.0:8443" | |||
| - "--upstream=http://127.0.0.1:8080/" | |||
| - "--logtostderr=true" | |||
| - "--v=10" | |||
There was a problem hiding this comment.
WDYT about we change to 0, then we would have the same result but would still easier for users know how to debug that if/when required?
There was a problem hiding this comment.
I like that! I went back and forth between removing and setting it. I'll update to use 0 so that it's more clear that the flag is available if needed. Thank you.
There was a problem hiding this comment.
Done, apologies for the force pushes I had the wrong git config setup 🤦
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
|
Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). 📝 Please follow instructions at https://git.k8s.io/community/CLA.md#the-contributor-license-agreement to sign the CLA. It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
k8s-ci-robot
added
cncf-cla: no
geezyx
force-pushed
the
master
branch
2 times, most recently
from
2fcb5e4
to
acae42a
Compare
k8s-ci-robot
added
cncf-cla: yes
There was a problem hiding this comment.
That is great @geezyx.
Thank you for your contribution.
See that we use the title and mojos to generate the release note. In this way, could you please fix that? :sparkles: (kustomize/v1) reduce the debug log level for the sidecar container kube-rbac-proxy from 10 to 0
More info: https://github.com/kubernetes-sigs/kubebuilder/blob/master/CONTRIBUTING.md#pr-process
Also, before we get the PR merged we need to rebase the commits. Could you please do that?
geezyx
changed the title
update testdata to reflect scaffolding change keep --v but set to 0 so users are aware of the flag
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: camilamacedo86, geezyx The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
Having v=10 dumps sensitive information like tokens, resulting in information leakage if these logs are obtained. The Kubebuilder team also made this fix. They are also using v=0 now. Ref: kubernetes-sigs/kubebuilder#2435 Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2136852 Signed-off-by: Nitin Goyal <nigoyal@redhat.com>
Having v=10 dumps sensitive information like tokens, resulting in information leakage if these logs are obtained. The Kubebuilder team also made this fix. They are also using v=0 now. Ref: kubernetes-sigs/kubebuilder#2435 Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2136852 Signed-off-by: Nitin Goyal <nigoyal@redhat.com>
Having v=10 dumps sensitive information like tokens, resulting in information leakage if these logs are obtained. The Kubebuilder team also made this fix. They are also using v=0 now. Ref: kubernetes-sigs/kubebuilder#2435 Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2136852 Signed-off-by: Nitin Goyal <nigoyal@redhat.com>
Having v=10 dumps sensitive information like tokens, resulting in information leakage if these logs are obtained. The Kubebuilder team also made this fix. They are also using v=0 now. Ref: kubernetes-sigs/kubebuilder#2435 Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2136852 Signed-off-by: Nitin Goyal <nigoyal@redhat.com>
This change removes the debug logging flag from the kube-rbac-proxy patch that is generated by default, fixing #2434.
As mentioned in the issue, debug logging outputs bearer tokens of the service account that kube-rbac-proxy is using, which can be used to authenticate and perform any authorized actions that your manager is configured for.
I suppose it's okay to assume that folks using kubebuilder should be auditing the generated configs and catching this type of thing, but for folks (like me) that didn't catch it, defaulting to normal logging levels can prevent some headache.