-
Notifications
You must be signed in to change notification settings - Fork 181
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: censor sensitive log messages #407
Conversation
When working with secrets and there's an error when applying/patching the resource, we end up printing the full resource. The full resource may contain secret material. To prevent logging secret material we first check if we're about to add a secret, if we are and we errror out then print a censored error message. Signed-off-by: Bheesham Persaud <me@bheesham.com>
First-time contributor high five ✋ |
I'm wondering how people could more easily debug this if one of many (e.g. 1000+) objects in Git is malformed. |
I agree that redaction of sensitive information would be a valuable addition to kustomize-controller, however I believe this PR is problematic as it may reduce the data available for diagnosing an issue with the resources that kustomize-controller tries to create. If there's 100 resources in the Kustomization and one of them is a secret, all you'll see is "contains sensitive material" even though only one of them causes this failure. You'll now have to find out which one yourself. |
IMO storing secrets in plain text in Git should never happen, using either SOPS or Sealed Secrets would prevent malformed secret yamls for reaching the repo as you can't encode them. |
That may be true, but relying on it would not be wise. For one thing, an invalid field value of the kind SOPS would catch might not be the only reason the application fails. |
✋ Thanks :) The tests are failing, though I can't reproduce locally. I'll look into this more.
That's not entirely true: the test YAML file I used was based on the PGP encrypted file and SOPS seemed happy with it. It seems while SOPS prevents invalid YAML it won't prevent K8s-unfriendly YAML. Though, my approach to using SOPS may be wrong. The commands I added in my testing section aren't super accurate: specifically the
Good point! My approach is heavy-handed. Admittedly, I didn't even consider that kustomize can generate 100+ resources 😮💨 . I'll reconsider my approach. Many thanks for the review, all! As an aside: I'm heading out on vacation until Sep 7 so I'll be temporarily dropping this. This is being tracked with an internal ticket and I'll pick it back up when I'm back, if a teammate doesn't take over for me before then. |
@auvik-bheesham I think we need to parse the |
I'm using notification controller in pair, today on slack I've observed:
Not sure if your patch will fix that as well or do we need something more to do on notification controller site as well? |
@michalschott That's not something I tested, so I can't say for certain. I like your approach in #420 more than the one I've tried here. Mind if I close this MR off and defer to yours instead? |
@auvik-bheesham #420 has been merged and it will part of the next flux release later today. |
Excellent! Thank you! :) |
When working with secrets and there's an error when applying/patching
the resource, we end up printing the full resource. The full resource
may contain secret material.
To prevent logging secret material we first check if we're about to add
a secret, if we are and we errror out then print a censored error
message.
For testing I used a secrets file which was incorrectly formatted:
Note: the
secret: 0
bit is invalid: Kubernetes expects a string.Before:
After: