Add datapolicy tags to pkg/kubelet/

[serathius]

/kind feature

What this PR does / why we need it:
This PR adds "datapolicy" tags to golang structures as described in Defend against logging secrets via static analysis. Those tags will be used by for ensuring this data will not be written to logs by Kubernetes system components.

List of datapolicy tags available:

• security-key - for TLS certificate keys. Keywords: key, cert, pem
• token - for HTTP authorization tokens. Keywords: token, secret, header, auth
• password - anything passwordlike. Keywords: password

Special notes for your reviewer:

Due to size of Kubernetes codebase first iteration of tagging was done based on greping for particular keyword. Please ensure that tagged fields do contain type of sensitive data that matches their tag. Feel free to suggest any additional places that you think should be tagged.

Does this PR introduce a user-facing change?:
No

NONE

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

- [KEP]: https://github.com/kubernetes/enhancements/issues/1933

/cc @PurelyApplied
/sig instrumentation security
/priority important-soon
/milestone v1.20

[k8s-ci-robot]

@serathius: GitHub didn't allow me to request PR reviews from the following users: PurelyApplied.

Note that only kubernetes members and repo collaborators can review this PR, and authors cannot review their own PRs.

In response to this:

/kind feature

What this PR does / why we need it:
This PR adds "datapolicy" tags to golang structures as described in Kubernetes system components logs sanitization KEP. Those tags will be used by for ensuring this data will not be written to logs written by Kubernetes system components.

List of datapolicy tags available:

• security-key - for TLS certificate keys. Keywords: key, cert, pem
• token - for HTTP authorization tokens. Keywords: token, secret, header, auth
• password - anything passwordlike. Keywords: password

Special notes for your reviewer:

Due to size of Kubernetes codebase first iteration of tagging was done based on greping for particular keyword. Please ensure that tagged fields do contain type of sensitive data that matches their tag. Feel free to suggest any additional places that you think should be tagged.

Does this PR introduce a user-facing change?:
No

NONE

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

- [KEP]: https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/1753-logs-sanitization

/cc @PurelyApplied
/sig instrumentation security
/priority important-soon
/milestone v1.20

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[serathius]

/assign @yujuhong

[serathius]

/retest

[serathius]

ping @yujuhong

[serathius]

/milestone clear

[ehashman]

/lgtm

As per #95997 I'm assuming the StaticPodURLHeader headers could potentially contain auth info.

[dashpole]

/triage accepted

[ehashman]

/remove-lifecycle rotten
/reopen

[k8s-ci-robot]

@ehashman: Reopened this PR.

In response to this:

/remove-lifecycle rotten
/reopen

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[ehashman]

/assign @liggitt

see #107121 (review)

[liggitt]

the URL can contain sensitive info as well as query parameters, right?

[liggitt]

The description links to a KEP marked as deprecated. Is there an updated link or doc describing why we're adding these tags (for static analysis only, I assume)

[liggitt]

/approve
from API perspective, adding the tag is fine
/hold for additional tag on the URL field and an updated PR description to a non-deprecated doc/reference

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ehashman, liggitt, mrunalp, serathius

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• pkg/kubelet/OWNERS [liggitt,mrunalp]
• pkg/kubelet/apis/config/OWNERS [liggitt]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[ehashman]

The description links to a KEP marked as deprecated. Is there an updated link or doc describing why we're adding these tags (for static analysis only, I assume)

While the linked KEP is deprecated, these are still used by the stable KEP 1933. Let me see if someone can edit that into the docs release note.

[liggitt]

I updated the PR description to link to that KEP instead, thanks

[ehashman]

/hold cancel

[k8s-triage-robot]

The Kubernetes project has merge-blocking tests that are currently too flaky to consistently pass.

This bot retests PRs for certain kubernetes repos according to the following rules:

• The PR does have any do-not-merge/* labels
• The PR does not have the needs-ok-to-test label
• The PR is mergeable (does not have a needs-rebase label)
• The PR is approved (has cncf-cla: yes, lgtm, approved labels)
• The PR is failing tests required for merge

You can:

• Review the full test history for this PR
• Prevent this bot from retesting with /lgtm cancel or /hold
• Help make our tests less flaky by following our Flaky Tests Guide

/retest

[k8s-triage-robot]

The Kubernetes project has merge-blocking tests that are currently too flaky to consistently pass.

This bot retests PRs for certain kubernetes repos according to the following rules:

• The PR does have any do-not-merge/* labels
• The PR does not have the needs-ok-to-test label
• The PR is mergeable (does not have a needs-rebase label)
• The PR is approved (has cncf-cla: yes, lgtm, approved labels)
• The PR is failing tests required for merge

You can:

• Review the full test history for this PR
• Prevent this bot from retesting with /lgtm cancel or /hold
• Help make our tests less flaky by following our Flaky Tests Guide

/retest

[serathius]

The description links to a KEP marked as deprecated. Is there an updated link or doc describing why we're adding these tags (for static analysis only, I assume)

Done

[k8s-triage-robot]

The Kubernetes project has merge-blocking tests that are currently too flaky to consistently pass.

This bot retests PRs for certain kubernetes repos according to the following rules:

• The PR does have any do-not-merge/* labels
• The PR does not have the needs-ok-to-test label
• The PR is mergeable (does not have a needs-rebase label)
• The PR is approved (has cncf-cla: yes, lgtm, approved labels)
• The PR is failing tests required for merge

You can:

• Review the full test history for this PR
• Prevent this bot from retesting with /lgtm cancel or /hold
• Help make our tests less flaky by following our Flaky Tests Guide

/retest

[k8s-triage-robot]

The Kubernetes project has merge-blocking tests that are currently too flaky to consistently pass.

This bot retests PRs for certain kubernetes repos according to the following rules:

• The PR does have any do-not-merge/* labels
• The PR does not have the needs-ok-to-test label
• The PR is mergeable (does not have a needs-rebase label)
• The PR is approved (has cncf-cla: yes, lgtm, approved labels)
• The PR is failing tests required for merge

You can:

• Review the full test history for this PR
• Prevent this bot from retesting with /lgtm cancel or /hold
• Help make our tests less flaky by following our Flaky Tests Guide

/retest

[k8s-triage-robot]

The Kubernetes project has merge-blocking tests that are currently too flaky to consistently pass.

This bot retests PRs for certain kubernetes repos according to the following rules:

• The PR does have any do-not-merge/* labels
• The PR does not have the needs-ok-to-test label
• The PR is mergeable (does not have a needs-rebase label)
• The PR is approved (has cncf-cla: yes, lgtm, approved labels)
• The PR is failing tests required for merge

You can:

• Review the full test history for this PR
• Prevent this bot from retesting with /lgtm cancel or /hold
• Help make our tests less flaky by following our Flaky Tests Guide

/retest