
Hide bearer token in logs #81330

Merged
merged 1 commit into from Aug 14, 2019

Conversation

@tedyu (Contributor) commented Aug 13, 2019

What type of PR is this?
/kind bug

What this PR does / why we need it:
As #81114 has stated, we need to mask bearer token in logs.

The code in this PR originated from @liggitt's comment in the above issue.

Which issue(s) this PR fixes:
Fixes #81114

Fixes CVE-2019-11250: client-go header logging (at verbosity levels >= 7) now masks `Authorization` header contents

@tedyu tedyu force-pushed the tedyu:hide-auth-hdr branch from d896a57 to 8b46f91 Aug 13, 2019

@k8s-ci-robot k8s-ci-robot added size/M and removed size/S labels Aug 13, 2019

@tedyu (Contributor, Author) commented Aug 13, 2019

@liggitt
I have added a unit test.

@wanghaoran1988 (Member) commented Aug 13, 2019

gofmt failed

@tedyu tedyu force-pushed the tedyu:hide-auth-hdr branch from 8b46f91 to d59903f Aug 13, 2019

@tedyu tedyu force-pushed the tedyu:hide-auth-hdr branch from d59903f to b8a5704 Aug 13, 2019

@k8s-ci-robot k8s-ci-robot added size/L and removed size/M labels Aug 13, 2019

@tedyu (Contributor, Author) commented Aug 13, 2019

@liggitt
Your comment has been addressed.

@tedyu tedyu force-pushed the tedyu:hide-auth-hdr branch from b8a5704 to 9aca62b Aug 13, 2019

@tedyu (Contributor, Author) commented Aug 13, 2019

@liggitt
Please take another look.

@liggitt (Member) commented Aug 13, 2019

/lgtm
/approve
/retest

@liggitt (Member) commented Aug 13, 2019

/priority important-longterm

@tedyu (Contributor, Author) commented Aug 13, 2019

/test pull-kubernetes-integration

@tedyu (Contributor, Author) commented Aug 13, 2019

/test pull-kubernetes-e2e-gce

@liggitt (Member) commented Aug 13, 2019

/lgtm cancel

Test failure is legitimate. This is using debug logging to check in-cluster-config:

ginkgo.By("trying to use kubectl with invalid token")
_, err = framework.RunHostCmd(ns, simplePodName, "/tmp/kubectl get pods --token=invalid --v=7 2>&1")
e2elog.Logf("got err %v", err)
framework.ExpectError(err)
gomega.Expect(err).To(gomega.ContainSubstring("Using in-cluster namespace"))
gomega.Expect(err).To(gomega.ContainSubstring("Using in-cluster configuration"))
gomega.Expect(err).To(gomega.ContainSubstring("Authorization: Bearer invalid"))
gomega.Expect(err).To(gomega.ContainSubstring("Response Status: 401 Unauthorized"))
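The masking the PR description calls for, written here as an added example rather than the merged client-go code: `maskValue` keeps a recognised Authorization scheme and hides the credential, so a `--v=7` header line like the one the e2e test above expected reads `Authorization: Bearer <masked>` instead of exposing the token. The names `knownAuthTypes`, `maskValue`, `formatHeaders` and the `<masked>` placeholder are choices made for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"sort"
	"strings"
)

// Schemes whose name may stay in the log; the credential after it never does.
var knownAuthTypes = map[string]bool{"bearer": true, "basic": true, "negotiate": true}
// maskValue keeps only a recognised Authorization scheme and hides the rest; other headers pass through.
func maskValue(key, value string) string {
	if !strings.EqualFold(key, "Authorization") || value == "" {
		return value
	}
	scheme := value
	if i := strings.Index(value, " "); i > 0 {
		scheme = value[:i]
	}
	if !knownAuthTypes[strings.ToLower(scheme)] {
		return "<masked>" // unknown scheme: the whole value may be a raw credential
	}
	if len(value) > len(scheme)+1 {
		return scheme + " <masked>"
	}
	return scheme // scheme only, nothing secret follows
}

// formatHeaders renders "Key: value" log lines, sorted for deterministic output.
func formatHeaders(h http.Header) []string {
	var lines []string
	for key, values := range h {
		for _, v := range values {
			lines = append(lines, key+": "+maskValue(key, v))
		}
	}
	sort.Strings(lines)
	return lines
}

func main() {
	// Constructed sample headers; the bearer token must not reach the log.
	h := http.Header{}
	h.Set("Authorization", "Bearer invalid")
	h.Set("Accept", "application/json")
	fmt.Println(strings.Join(formatHeaders(h), "\n"))
}
```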

@k8s-ci-robot k8s-ci-robot removed the lgtm label Aug 13, 2019

@tedyu tedyu force-pushed the tedyu:hide-auth-hdr branch from 9aca62b to f8c3e9e Aug 13, 2019

@k8s-ci-robot (Contributor) commented Aug 13, 2019

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: liggitt, tedyu

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tedyu (Contributor, Author) commented Aug 13, 2019

@liggitt
test/e2e/kubectl/kubectl.go has been modified to account for the masking.


@tedyu tedyu force-pushed the tedyu:hide-auth-hdr branch from f8c3e9e to 010d838 Aug 13, 2019

@liggitt (Member) commented Aug 13, 2019

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm label Aug 13, 2019

@tedyu (Contributor, Author) commented Aug 13, 2019

/test pull-kubernetes-e2e-gce

@tedyu (Contributor, Author) commented Aug 13, 2019

/test pull-kubernetes-integration

@tedyu (Contributor, Author) commented Aug 14, 2019

I wonder what happened to this PR - #81372 which received approval much later than this got merged.

@k8s-ci-robot k8s-ci-robot merged commit 4441f1d into kubernetes:master Aug 14, 2019

23 checks passed

cla/linuxfoundation tedyu authorized
pull-kubernetes-bazel-build Job succeeded.
pull-kubernetes-bazel-test Job succeeded.
pull-kubernetes-conformance-image-test Skipped.
pull-kubernetes-cross Skipped.
pull-kubernetes-dependencies Job succeeded.
pull-kubernetes-e2e-gce Job succeeded.
pull-kubernetes-e2e-gce-100-performance Job succeeded.
pull-kubernetes-e2e-gce-csi-serial Skipped.
pull-kubernetes-e2e-gce-device-plugin-gpu Job succeeded.
pull-kubernetes-e2e-gce-iscsi Skipped.
pull-kubernetes-e2e-gce-iscsi-serial Skipped.
pull-kubernetes-e2e-gce-storage-slow Skipped.
pull-kubernetes-godeps Skipped.
pull-kubernetes-integration Job succeeded.
pull-kubernetes-kubemark-e2e-gce-big Job succeeded.
pull-kubernetes-local-e2e Skipped.
pull-kubernetes-node-e2e Job succeeded.
pull-kubernetes-node-e2e-containerd Job succeeded.
pull-kubernetes-typecheck Job succeeded.
pull-kubernetes-verify Job succeeded.
pull-publishing-bot-validate Skipped.
tide In merge pool.

@k8s-ci-robot k8s-ci-robot added this to the v1.16 milestone Aug 14, 2019
