Sanitize CSI RPC request logs #2037

Merged

@torredil (Member) commented May 13, 2024

Is this a bug fix or adding new feature?

Security enhancement

What is this PR about? / Why do we need it?

The EBS CSI Driver does not support Token Requests; however, out of an abundance of caution, this PR addresses the potential vulnerability of sensitive information being logged inadvertently.

The main change is adding a new utility function SanitizeRequest that takes a request object and returns a copy of the request with the "Secrets" field cleared. This function creates a new instance of the same type as the input request, copies all the fields from the original request to the new instance, and sets the "Secrets" field to an empty map if it exists.

What testing is done?

  • make verify && make test
  • CI
  • manual testing
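
The approach described above (new instance of the same type, copy the fields, empty the "Secrets" map), as an added example that is not the driver's own code. The request types and the lower-case name sanitizeRequest are constructed for illustration; only the field name "Secrets" comes from the PR description.

```go
package main

import (
	"fmt"
	"reflect"
)

// createVolumeRequest is a constructed stand-in for a CSI request message.
type createVolumeRequest struct {
	Name       string
	Parameters map[string]string
	Secrets    map[string]string
}

// listVolumesRequest is a constructed request type with no Secrets field.
type listVolumesRequest struct{ MaxEntries int32 }

// sanitizeRequest returns a copy of req whose "Secrets" field, if present, is an
// empty map. The caller's request is not modified; non-struct input is returned as is.
func sanitizeRequest(req interface{}) interface{} {
	v := reflect.ValueOf(req)
	isPtr := v.Kind() == reflect.Ptr
	if isPtr {
		if v.IsNil() {
			return req
		}
		v = v.Elem()
	}
	if v.Kind() != reflect.Struct {
		return req
	}
	out := reflect.New(v.Type()).Elem() // new instance of the same type
	out.Set(v)                          // shallow copy of every field
	if f := out.FieldByName("Secrets"); f.IsValid() && f.CanSet() && f.Kind() == reflect.Map {
		f.Set(reflect.MakeMap(f.Type())) // the copy gets its own empty map
	}
	if isPtr {
		return out.Addr().Interface()
	}
	return out.Interface()
}

func main() {
	req := &createVolumeRequest{Name: "pvc-example", Secrets: map[string]string{"password": "constructed"}}
	fmt.Printf("%+v\n", sanitizeRequest(req)) // the copy is what goes to the log
	fmt.Println(len(req.Secrets))             // the caller's request still holds its secret
}
```

The copy is shallow, so other map fields such as Parameters are shared with the original; that is enough for logging as long as the sanitized copy is never mutated.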

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels May 13, 2024

github-actions bot commented May 13, 2024

Code Coverage Diff

| File | Old Coverage | New Coverage | Delta |
|------|--------------|--------------|-------|
| github.com/kubernetes-sigs/aws-ebs-csi-driver/pkg/util/util.go | 55.6% | 62.3% | 6.7 |

@torredil torredil force-pushed the sanitize-secrets-24123 branch from 262d24d to a54205c Compare May 13, 2024 17:56
@torredil (Member, Author) commented

/retest

@torredil torredil force-pushed the sanitize-secrets-24123 branch from a54205c to 8ba608d Compare May 13, 2024 18:43
@torredil (Member, Author) commented May 13, 2024

Manually tested by following these steps:

  1. Set controller.logLevel = 4.

  2. Give the external provisioner ClusterRole permissions to get secrets:

       - apiGroups: [ "" ]
         resources: [ "secrets" ]
         verbs: [ "get", "list", "watch" ]

  3. Apply the following secret via kubectl apply -f:

       apiVersion: v1
       kind: Secret
       metadata:
         name: mysecret
         namespace: kube-system
       type: Opaque
       data:
         username: dXNlcm5hbWU=
         password: cGFzc3dvcmQ=

  4. Dynamically provision a volume with the following StorageClass:

       apiVersion: storage.k8s.io/v1
       kind: StorageClass
       metadata:
         name: ebs-sc
       provisioner: ebs.csi.aws.com
       volumeBindingMode: WaitForFirstConsumer
       parameters:
         csi.storage.k8s.io/provisioner-secret-name: mysecret
         csi.storage.k8s.io/provisioner-secret-namespace: kube-system

With this change, the secret is not logged.

@torredil torredil force-pushed the sanitize-secrets-24123 branch from 8ba608d to 49ed6ea Compare May 14, 2024 14:07
@torredil torredil force-pushed the sanitize-secrets-24123 branch from 49ed6ea to 528276f Compare May 14, 2024 14:08
@torredil torredil changed the title Sanitize secrets in log messages Sanitize CSI RPC request logs May 14, 2024
@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label May 14, 2024
@ConnorJC3 (Contributor) commented

/approve

@k8s-ci-robot (Contributor) commented

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ConnorJC3


@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 14, 2024
@k8s-ci-robot k8s-ci-robot merged commit 6595211 into kubernetes-sigs:master May 14, 2024
15 of 19 checks passed