Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Defend against logging secrets via static analysis #1933

Closed
PurelyApplied opened this issue Aug 12, 2020 · 44 comments
Closed

Defend against logging secrets via static analysis #1933

PurelyApplied opened this issue Aug 12, 2020 · 44 comments
Assignees
Labels
lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. sig/instrumentation Categorizes an issue or PR as relevant to SIG Instrumentation. sig/security Categorizes an issue or PR as relevant to SIG Security. stage/stable Denotes an issue tracking an enhancement targeted for Stable/GA status

Comments

@PurelyApplied
Copy link
Contributor

PurelyApplied commented Aug 12, 2020

Enhancement Description

  • One-line enhancement description (can be used as a release note):
    Defend against logging secrets via static analysis
  • Kubernetes Enhancement Proposal: here
  • Primary contact (assignee): @PurelyApplied
  • Responsible SIGs: @sig-instrumentation
  • Enhancement target (which target equals to which milestone):
    • Alpha release target (1.20)
    • Beta release target (1.21)
    • Stable release target (Pending verification of test stability at scale)

Please keep this description up to date. This will help the Enhancement Team to track the evolution of the enhancement efficiently.

History:

@k8s-ci-robot k8s-ci-robot added the needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. label Aug 12, 2020
@PurelyApplied
Copy link
Contributor Author

PurelyApplied commented Aug 13, 2020

/sig instrumentation
/sig auth

/wg security audit

@k8s-ci-robot k8s-ci-robot added the sig/instrumentation Categorizes an issue or PR as relevant to SIG Instrumentation. label Aug 13, 2020
@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Aug 13, 2020

@PurelyApplied: The label(s) wg/security, wg/audit cannot be applied, because the repository doesn't have them

In response to this:

/sig instrumentation
/sig auth

/wg security audit

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added sig/auth Categorizes an issue or PR as relevant to SIG Auth. and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Aug 13, 2020
@PurelyApplied
Copy link
Contributor Author

PurelyApplied commented Aug 13, 2020

/wg "security audit"

@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Aug 13, 2020

@PurelyApplied: The label(s) wg/"security, wg/audit" cannot be applied, because the repository doesn't have them

In response to this:

/wg "security audit"

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@JayBeale
Copy link

JayBeale commented Aug 13, 2020

Looks like @wg-security-audit tag doesn't exist yet - I'll see if we can do something about that.

@PurelyApplied PurelyApplied changed the title Defend against logging secrets via static analysis in Prow Defend against logging secrets via static analysis Aug 17, 2020
@kikisdeliveryservice
Copy link
Member

kikisdeliveryservice commented Sep 13, 2020

Hi @PurelyApplied

Enhancements Lead here. Any plans for this to be alpha/beta/stable in 1.20?

Thanks!
Kirsten

@ehashman
Copy link
Member

ehashman commented Sep 17, 2020

We would like to see this included in 1.20 with #1753, assuming it is approved and merged before the enhancements freeze.

@kikisdeliveryservice
Copy link
Member

kikisdeliveryservice commented Sep 17, 2020

great we will track for now and just let us know if anything changes. thank you!

/milestone v1.20

@k8s-ci-robot k8s-ci-robot added this to the v1.20 milestone Sep 17, 2020
@kikisdeliveryservice kikisdeliveryservice added stage/alpha Denotes an issue tracking an enhancement targeted for Alpha status tracked/yes Denotes an enhancement issue is actively being tracked by the Release Team labels Sep 17, 2020
@kikisdeliveryservice
Copy link
Member

kikisdeliveryservice commented Sep 17, 2020

As a note, since I see that the KEP draft is provisional to be included in a release by enhancements freeze:

The KEP must be merged in an implementable state
The KEP must have test plans
The KEP must have graduation criteria.

@PurelyApplied
Copy link
Contributor Author

PurelyApplied commented Sep 17, 2020

Duly noted.

I've updated the KEP's Graduation Criteria to reflect a 1.20 target for Alpha.

Proof-of-concept implementations can be found at /kubernetes#94661 and /test-infra#19181. We plan to iterate on these soon, including fleshing out testing / test plans on both sides.

Graduation criteria has been clarified.

@PurelyApplied
Copy link
Contributor Author

PurelyApplied commented Sep 17, 2020

Rather belatedly...

/wg security-audit

@k8s-ci-robot k8s-ci-robot added the wg/security-audit Categorizes an issue or PR as relevant to WG Security Audit. label Sep 17, 2020
@kikisdeliveryservice
Copy link
Member

kikisdeliveryservice commented Sep 17, 2020

Duly noted.

I've updated the KEP's Graduation Criteria to reflect a 1.20 target for Alpha.

Proof-of-concept implementations can be found at /kubernetes#94661 and /test-infra#19181. We plan to iterate on these soon, including fleshing out testing / test plans on both sides.

Graduation criteria has been clarified.

Awesome, thank you!! Also the KEP should be updated to reflect an implementable state by Enhancements Freeze (Oct 6th) it is currently provisional: https://github.com/kubernetes/enhancements/pull/1936/files#diff-83bc478e0a3c00961b8e714c26c541ed
👍

@kikisdeliveryservice
Copy link
Member

kikisdeliveryservice commented Oct 6, 2020

#1936 merged! Updating sheet to tracked!

@mikejoh
Copy link

mikejoh commented Oct 12, 2020

Hi @PurelyApplied ,

Since your Enhancement is scheduled to be in 1.20, please keep in mind the important upcoming dates:

As a reminder, please link all of your k/k PR as well as docs PR to this issue so we can track them.

Regards,
Mikael

@annajung
Copy link
Member

annajung commented Oct 19, 2020

Hello @PurelyApplied 👋 , 1.20 Docs lead here.

Does this enhancement work planned for 1.20 require any new docs or modification to existing docs?

If so, please follows the steps here to open a PR against dev-1.20 branch in the k/website repo. This PR can be just a placeholder at this time and must be created before Nov 6th

Also, take a look at Documenting for a release to get yourself familiarize with the docs requirement for the release.

Thank you!

@annajung
Copy link
Member

annajung commented Oct 30, 2020

Hi @PurelyApplied

The docs placeholder deadline is almost here. Please make sure to create a placeholder PR against the dev-1.20 branch in the k/website before the deadline

Also, please keep in mind the important upcoming dates:

As a reminder, please link all of your k/k PR as well as docs PR to this issue for the release team to track.

@PurelyApplied
Copy link
Contributor Author

PurelyApplied commented Nov 5, 2020

@annajung Thanks for the reminder.

None of the other verify-* tasks have docs. While it could be argued that they should, I think we'll tackle this documentation debt after 1.20.

@annajung
Copy link
Member

annajung commented Nov 5, 2020

Thanks for the update! I will update the tracking sheet accordingly.
Please consider docs higher priority when this feature graduates to beta and/or stable. Thank you!

@JamesLaverack JamesLaverack removed the tracked/yes Denotes an enhancement issue is actively being tracked by the Release Team label Apr 25, 2021
@k8s-triage-robot
Copy link

k8s-triage-robot commented Jul 26, 2021

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jul 26, 2021
@PurelyApplied
Copy link
Contributor Author

PurelyApplied commented Jul 27, 2021

/remove-lifecycle stale

I'm overdue to push an update, but it's on my plate. I'll try to get to it this week.

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jul 27, 2021
@ehashman
Copy link
Member

ehashman commented Sep 2, 2021

/milestone v1.23

ack from SIG Instrumentation

@k8s-ci-robot k8s-ci-robot modified the milestones: v1.21, v1.23 Sep 2, 2021
@ehashman
Copy link
Member

ehashman commented Sep 2, 2021

/stage stable

@k8s-ci-robot k8s-ci-robot added stage/stable Denotes an issue tracking an enhancement targeted for Stable/GA status and removed stage/beta Denotes an issue tracking an enhancement targeted for Beta status labels Sep 2, 2021
@gracenng
Copy link
Member

gracenng commented Nov 9, 2021

Hi @PurelyApplied, 1.23 Enhancements Shadow here.

Just a friendly reminder that Code Freeze is approaching on November 16th at 6:00 pm PST. The current status of this enhancement is at-risk. Please kindly link all related code and docs PRs so the release team can easily track you.

Thanks!

@gracenng
Copy link
Member

gracenng commented Nov 17, 2021

Hi @PurelyApplied , could you please point me to your k/k code PR's for the 1.23 relase. Is it:
kubernetes/kubernetes#94661
kubernetes/kubernetes#96235
If so, the enhancement could be marked as code complete. Thanks

@PurelyApplied
Copy link
Contributor Author

PurelyApplied commented Nov 17, 2021

Hi @gracenng, sorry I missed last week's ping. Yes, all KEP-1933 code in k/k is the k/k/hack/tools/ as test targets for Prow.
The test target was introduce in kubernetes/test-infra#19181, with minor changes to that config when graduating alpha -> beta -> ga.

Is code complete something I need to mark in the yaml? Or is that something tracked by y'all as part of release management?

@gracenng
Copy link
Member

gracenng commented Nov 17, 2021

Hi @PurelyApplied, code complete is the disired state before Code Freeze, no need to worry about it. Everything looks good, I've updated this enhancements status to Tracked
Thanks!

@gracenng gracenng removed this from the v1.23 milestone Jan 9, 2022
@gracenng gracenng removed the tracked/no Denotes an enhancement issue is NOT actively being tracked by the Release Team label Jan 9, 2022
@gracenng
Copy link
Member

gracenng commented Jan 9, 2022

Hi @PurelyApplied ,

1.24 Enhancements Lead here. Could you please update this enhancements's KEP status to implemented, then close this issue?

Thanks :)

@k8s-triage-robot
Copy link

k8s-triage-robot commented Apr 9, 2022

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 9, 2022
@k8s-triage-robot
Copy link

k8s-triage-robot commented May 9, 2022

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels May 9, 2022
@PurelyApplied
Copy link
Contributor Author

PurelyApplied commented May 9, 2022

Oooof. Four months late, but yeah, this has been implemented and landed for a good while now. Relabeling and closing.

/stage implemented

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. sig/instrumentation Categorizes an issue or PR as relevant to SIG Instrumentation. sig/security Categorizes an issue or PR as relevant to SIG Security. stage/stable Denotes an issue tracking an enhancement targeted for Stable/GA status
Projects
None yet
Development

No branches or pull requests