Description
What happened:
The (optional) tracing configuration will include URL query strings, which often have sensitive information in them, for example if you use an OAuth login flow.
By default, sensitive information shouldn't be captured in traces.
What you expected to happen:
Trace spans don't contain URL query parameters.
NGINX Ingress controller version: v1.12.0
Kubernetes version (use kubectl version): N/A
Environment:
- Cloud provider or hardware configuration: N/A
- OS (e.g. from /etc/os-release): N/A
- Kernel (e.g. uname -a): N/A
- Install tools:
  - Please mention how/where was the cluster created like kubeadm/kops/minikube/kind etc.
- Basic cluster related info:
  - kubectl version
  - kubectl get nodes -o wide
- How was the ingress-nginx-controller installed:
  - Helm package 4.12.0
  - If helm was used then please show output of helm -n <ingresscontrollernamespace> get values <helmreleasename>
  - If helm was not used, then copy/paste the complete precise command used to install the controller, along with the flags and options used
  - if you have more than one instance of the ingress-nginx-controller installed in the same cluster, please provide details for all the instances

Relevant part of the values.yaml:

controller:
  config:
    otlp-collector-host: SOME_OTEL_HOST
    enable-opentelemetry: "true"
    otel-service-name: ingress-nginx
    otel-sampler: AlwaysOn
    otel-sampler-ratio: 1.0
- Current State of the controller: N/A
- Current state of ingress object, if applicable: N/A
- Others:
  - Any other related information like:
    - copy/paste of the snippet (if applicable)
    - kubectl describe ... of any custom configmap(s) created and in use
    - Any other related information that may help
How to reproduce this issue:
As minimally and precisely as possible. Keep in mind we do not have access to your cluster or application.
Help us (if possible) reproducing the issue using minikube or kind.
Install minikube/kind
- Minikube https://minikube.sigs.k8s.io/docs/start/
- Kind https://kind.sigs.k8s.io/docs/user/quick-start/
Install the ingress controller
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/baremetal/deploy.yaml
Install an application that will act as default backend (is just an echo app)
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/docs/examples/http-svc.yaml
Create an ingress (please add any additional annotation required)
echo "
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: foo-bar
  annotations:
    kubernetes.io/ingress.class: nginx
spec:
  ingressClassName: nginx # omit this if you're on controller version below 1.0.0
  rules:
  - host: foo.bar
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: http-svc
            port:
              number: 80
" | kubectl apply -f -
Configure tracing, and an otel compatible storage
- install jaeger https://www.jaegertracing.io/download/
- Configure nginx to use it, using example configuration above
make a request
POD_NAME=$(kubectl get pods -n ingress-nginx -l app.kubernetes.io/name=ingress-nginx -o name)
kubectl exec -it -n ingress-nginx "$POD_NAME" -- curl -H 'Host: foo.bar' 'localhost?my-sensitive-value=hunter2'
- Check the trace span in jaeger, and see the sensitive information in the "http.target" and "http.url" fields
Anything else we need to know:
This issue is actually coming from <https://github.com/open-telemetry/opentelemetry-cpp-contrib/blob/main/instrumentation/nginx/README.md>, where I can't see a way to configure this plugin to not store the URL query parameters. Also, my cpp isn't good enough to try and fix it there.
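
The check in the last reproduction step, automated as an added example (not part of the original issue and not code from ingress-nginx or the OpenTelemetry module): it scans a trace export for `http.target` and `http.url` tags that carry a query string and reports only the parameter names and the value with the query removed. The JSON layout (`data` → `spans` → `tags`) is an assumed Jaeger-style export, and the sample spans are constructed.

```python
import json
from urllib.parse import parse_qsl, urlsplit, urlunsplit

# Span attributes named in the issue as carrying the query string.
URL_ATTRS = ("http.target", "http.url")

def strip_query(value):
    """Drop the query string and fragment from a URL or request target."""
    p = urlsplit(value)
    return urlunsplit((p.scheme, p.netloc, p.path, "", ""))

def audit_spans(export):
    """Find URL tags with a query string.

    Returns (span_id, tag_key, value_without_query, param_names) tuples;
    parameter values are never copied into the report.
    """
    findings = []
    for trace in export.get("data", []):
        for span in trace.get("spans", []):
            for tag in span.get("tags", []):
                value = str(tag.get("value", ""))
                query = urlsplit(value).query
                if tag.get("key") in URL_ATTRS and query:
                    names = sorted({k for k, _ in parse_qsl(query, keep_blank_values=True)})
                    findings.append((span.get("spanID"), tag["key"], strip_query(value), names))
    return findings

# Constructed sample: the JSON layout (data -> spans -> tags) is an assumed
# Jaeger-style export, and the values mirror the request in the reproduction steps.
SAMPLE = json.loads("""
{"data": [{"traceID": "t1", "spans": [
  {"spanID": "s1", "tags": [
    {"key": "http.method", "type": "string", "value": "GET"},
    {"key": "http.target", "type": "string", "value": "/?my-sensitive-value=hunter2"},
    {"key": "http.url", "type": "string", "value": "http://foo.bar/?my-sensitive-value=hunter2"}]},
  {"spanID": "s2", "tags": [
    {"key": "http.target", "type": "string", "value": "/healthz"}]}]}]}
""")

if __name__ == "__main__":
    for span_id, key, clean, names in audit_spans(SAMPLE):
        print(f"span {span_id}: {key} has query parameters {names}; without query: {clean}")
```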