Defend against logging secrets via static analysis

[PurelyApplied]

Enhancement Description

• One-line enhancement description (can be used as a release note):
  Defend against logging secrets via static analysis
• Kubernetes Enhancement Proposal: here
• Primary contact (assignee): @PurelyApplied
• Responsible SIGs: @sig-instrumentation
• Enhancement target (which target equals to which milestone):
  • Alpha release target (1.20)
  • Beta release target (1.21)
  • Stable release target (Pending verification of test stability at scale)

Please keep this description up to date. This will help the Enhancement Team to track the evolution of the enhancement efficiently.

History:

• Initial Proposal: KEP-1933: Defend Against Logging Secrets via Static Analysis #1936
• Introduction of test target: [KEP-1933] Provide hack/ testing target for static analysis. kubernetes#94661
• Correction of premature blocking via accidental inclusion in verify-all.sh: Exclude KEP-1933 from verify-all.sh until after alpha status. kubernetes#96235
• Introduction of non-blocking Prow target: [KEP-1933] Prow Job test-infra#19181
• PRR: [KEP-1933] Production Readiness Review. #2473

[PurelyApplied]

/sig instrumentation
/sig auth

/wg security audit

[k8s-ci-robot]

@PurelyApplied: The label(s) wg/security, wg/audit cannot be applied, because the repository doesn't have them

In response to this:

/sig instrumentation
/sig auth

/wg security audit

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[PurelyApplied]

/wg "security audit"

[k8s-ci-robot]

@PurelyApplied: The label(s) wg/"security, wg/audit" cannot be applied, because the repository doesn't have them

In response to this:

/wg "security audit"

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[JayBeale]

Looks like @wg-security-audit tag doesn't exist yet - I'll see if we can do something about that.

[kikisdeliveryservice]

Hi @PurelyApplied

Enhancements Lead here. Any plans for this to be alpha/beta/stable in 1.20?

Thanks!
Kirsten

[ehashman]

We would like to see this included in 1.20 with #1753, assuming it is approved and merged before the enhancements freeze.

[kikisdeliveryservice]

great we will track for now and just let us know if anything changes. thank you!

/milestone v1.20

[kikisdeliveryservice]

As a note, since I see that the KEP draft is provisional to be included in a release by enhancements freeze:

The KEP must be merged in an implementable state
The KEP must have test plans
The KEP must have graduation criteria.

[PurelyApplied]

Duly noted.

I've updated the KEP's Graduation Criteria to reflect a 1.20 target for Alpha.

Proof-of-concept implementations can be found at /kubernetes#94661 and /test-infra#19181. We plan to iterate on these soon, including fleshing out testing / test plans on both sides.

Graduation criteria has been clarified.

[PurelyApplied]

Rather belatedly...

/wg security-audit

[kikisdeliveryservice]

Duly noted.

I've updated the KEP's Graduation Criteria to reflect a 1.20 target for Alpha.

Proof-of-concept implementations can be found at /kubernetes#94661 and /test-infra#19181. We plan to iterate on these soon, including fleshing out testing / test plans on both sides.

Graduation criteria has been clarified.

Awesome, thank you!! Also the KEP should be updated to reflect an implementable state by Enhancements Freeze (Oct 6th) it is currently provisional: https://github.com/kubernetes/enhancements/pull/1936/files#diff-83bc478e0a3c00961b8e714c26c541ed
👍

[kikisdeliveryservice]

#1936 merged! Updating sheet to tracked!

[mikejoh]

Hi @PurelyApplied ,

Since your Enhancement is scheduled to be in 1.20, please keep in mind the important upcoming dates:

• Friday, Nov 6th: Week 8 - Docs Placeholder PR deadline
• Thursday, Nov 12th: Week 9 - Code Freeze

As a reminder, please link all of your k/k PR as well as docs PR to this issue so we can track them.

Regards,
Mikael

[annajung]

Hello @PurelyApplied 👋 , 1.20 Docs lead here.

Does this enhancement work planned for 1.20 require any new docs or modification to existing docs?

If so, please follows the steps here to open a PR against dev-1.20 branch in the k/website repo. This PR can be just a placeholder at this time and must be created before Nov 6th

Also, take a look at Documenting for a release to get yourself familiarize with the docs requirement for the release.

Thank you!

[annajung]

Hi @PurelyApplied

The docs placeholder deadline is almost here. Please make sure to create a placeholder PR against the dev-1.20 branch in the k/website before the deadline

Also, please keep in mind the important upcoming dates:

• Friday, Nov 6th: Week 8 - Docs Placeholder PR deadline
• Thursday, Nov 12th: Week 9 - Code Freeze
• Monday, Nov 23rd: Week 11 - Docs PR Ready for Review

As a reminder, please link all of your k/k PR as well as docs PR to this issue for the release team to track.

[PurelyApplied]

@annajung Thanks for the reminder.

None of the other verify-* tasks have docs. While it could be argued that they should, I think we'll tackle this documentation debt after 1.20.

[annajung]

Thanks for the update! I will update the tracking sheet accordingly.
Please consider docs higher priority when this feature graduates to beta and/or stable. Thank you!

[ehashman]

/stage stable

[gracenng]

Hi @PurelyApplied, 1.23 Enhancements Shadow here.

Just a friendly reminder that Code Freeze is approaching on November 16th at 6:00 pm PST. The current status of this enhancement is at-risk. Please kindly link all related code and docs PRs so the release team can easily track you.

Thanks!

[gracenng]

Hi @PurelyApplied , could you please point me to your k/k code PR's for the 1.23 relase. Is it:
kubernetes/kubernetes#94661
kubernetes/kubernetes#96235
If so, the enhancement could be marked as code complete. Thanks

[PurelyApplied]

Hi @gracenng, sorry I missed last week's ping. Yes, all KEP-1933 code in k/k is the k/k/hack/tools/ as test targets for Prow.
The test target was introduce in kubernetes/test-infra#19181, with minor changes to that config when graduating alpha -> beta -> ga.

Is code complete something I need to mark in the yaml? Or is that something tracked by y'all as part of release management?

[gracenng]

Hi @PurelyApplied, code complete is the disired state before Code Freeze, no need to worry about it. Everything looks good, I've updated this enhancements status to Tracked
Thanks!

[gracenng]

Hi @PurelyApplied ,

1.24 Enhancements Lead here. Could you please update this enhancements's KEP status to implemented, then close this issue?

Thanks :)

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

[PurelyApplied]

Oooof. Four months late, but yeah, this has been implemented and landed for a good while now. Relabeling and closing.

/stage implemented

[pohly]

Is the work really complete? Is verify-govet-levee.sh run somewhere?

It's not part of pull-kubernetes-verify:

https://github.com/kubernetes/kubernetes/blob/e519921666b760b782b46a29179997ab97671068/hack/make-rules/verify.sh#L36

[pohly]

According to the KEP:

Stable
Analysis runs as a blocking presubmit test.

I don't think it does... so:

/reopen

[k8s-ci-robot]

@pohly: Reopened this issue.

In response to this:

According to the KEP:

Stable
Analysis runs as a blocking presubmit test.

I don't think it does... so:

/reopen

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[pohly]

It did run, in its own job. I'm currently cleaning that up. I suppose once that is complete, we can consider this issue resolved.