Merge pull request #96997 from PurelyApplied/update-levee-config

[KEP-1933] Update config for go-flow-levee analysis
This commit is contained in:
Kubernetes Prow Robot 2020-12-10 14:53:22 -08:00 committed by GitHub
commit 58a1f1658d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -1,11 +1,28 @@
# Copyright 2015 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# This file holds configuration for taint propagation analysis of Kubernetes source via go-flow-levee.
# It defines sources which may contain credentials and sinks where these should not be logged.
# Sources may be identified by the FieldTags element, or by matching package, type, and field explicitly in the Sources element.
# Sanitizers permit sources to safely reach a sink.
# False positives may be suppressed in the Exclude block.
# Note that `*RE` keys have regexp values.
# For additional details, see KEP-1933.
---
# These field tags were introduced by KEP-1753 to fields which may contain credentials
# These field tags were introduced by KEP-1753 to indicate fields which may contain credentials
FieldTags:
- Key: "datapolicy"
Val: "security-key"
@ -17,44 +34,128 @@ FieldTags:
# This preliminary collection of source types should be removed once
# KEP-1753 adds tags to the relevant fields.
Sources:
- PackageRE: ""
TypeRE: "^(?:admin)?Secret$|Token"
FieldRE: ""
- PackageRE: "k8s.io/client-go/tools/clientcmd/api(?:/v1)?"
TypeRE: "^(?:Named)?AuthInfo$"
FieldRE: ""
- PackageRE: "k8s.io/kubernetes/pkg/credentialprovider"
TypeRE: "DockerConfigEntry"
FieldRE: "Password"
- PackageRE: "k8s.io/client-go/transport"
TypeRE: "requestInfo"
FieldRE: "RequestHeaders"
- PackageRE: "k8s.io/kubernetes/pkg/volume/rbd"
TypeRE: "rbdMounter"
FieldRE: "adminSecret"
- PackageRE: "^k8s.io/client-go/rest$"
TypeRE: "^TLSClientConfig$"
FieldRE: "Password|BearerToken$|"
- PackageRE: "^k8s.io/client-go/rest$"
TypeRE: "^Config$"
FieldRE: "Password|BearerToken$|"
# The following fields are tagged in #95994
- PackageRE: "k8s.io/kubernetes/test/e2e/storage/vsphere"
TypeRE: "Config"
FieldRE: "Password"
- PackageRE: "k8s.io/kubernetes/test/e2e/storage/vsphere"
TypeRE: "ConfigFile"
FieldRE: "Global" # Global is of unnamed type, contains the field Password.
# The following fields are tagged in #95997
- PackageRE: "k8s.io/kubelet/config/v1beta1"
TypeRE: "KubeletConfiguration"
FieldRE: "StaticPodURLHeader"
# The following fields are tagged in #95998
- PackageRE: "k8s.io/kube-scheduler/config/v1"
TypeRE: "ExtenderTLSConfig"
FieldRE: "KeyData"
# The following fields are tagged in #95600
- PackageRE: "k8s.io/cri-api/pkg/apis/runtime/v1alpha2"
TypeRE: "AuthConfig"
FieldRE: "Password|IdentityToken|RegistryToken"
# The following fields are tagged in #96002
- PackageRE: "k8s.io/apiserver/pkg/apis/apiserver" # multiple versions
TypeRE: "TLSConfig"
FieldRE: "ClientKey"
- PackageRE: "k8s.io/apiserver/pkg/apis/config" # multiple versions
TypeRE: "Key"
FieldRE: "Secret"
- PackageRE: "k8s.io/apiserver/pkg/authentication/request/headerrequest"
TypeRE: "requestHeaderBundle"
FieldRE: "UsernameHeaders|GroupHeaders"
- PackageRE: "k8s.io/apiserver/pkg/server/dynamiccertificates"
TypeRE: "certKeyContent"
FieldRE: "key"
- PackageRE: "k8s.io/apiserver/pkg/server/dynamiccertificates"
TypeRE: "DynamicCertKeyPairContent"
FieldRE: "certKeyPair"
- PackageRE: "k8s.io/apiserver/pkg/server/options"
TypeRE: "RequestHeaderAuthenticationOptions"
FieldRE: "UsernameHeaders|GroupHeaders"
- PackageRE: "k8s.io/apiserver/plugin/pkg/authenticator/token/oidc"
TypeRE: "endpoint"
FieldRE: "AccessToken"
# The following fields are tagged in #96003
- PackageRE: "k8s.io/cli-runtime/pkg/genericclioptions"
TypeRE: "ConfigFlags"
FieldRE: "BearerToken|Password"
# The following fields are tagged in #96004
- PackageRE: "k8s.io/kubernetes/pkg/kubelet/apis/config"
TypeRE: "KubeletConfiguration"
FieldRE: "StaticPodURLHeader"
- PackageRE: "k8s.io/kubernetes/pkg/kubelet/client"
TypeRE: "KubeletClientConfig"
FieldRE: "BearerToken"
- PackageRE: "k8s.io/kubernetes/pkg/kubelet/cri/streaming"
TypeRE: "cacheEntry"
FieldRE: "token"
# The following fields are tagged in #96005
- PackageRE: "k8s.io/api/authentication/v1"
TypeRE: "TokenReviewSpec|TokenRequestStatus"
FieldRE: " Token"
- PackageRE: "k8s.io/api/authentication/v1beta1"
TypeRE: "TokenReviewSpec"
FieldRE: " Token"
# The following fields are tagged in #96007
- PackageRE: "k8s.io/kubernetes/pkg/credentialprovider/azure"
TypeRE: "acrAuthResponse"
FieldRE: "RefreshToken"
- PackageRE: "k8s.io/kubernetes/pkg/credentialprovider"
TypeRE: "DockerConfigEntry"
FieldRE: "Password"
- PackageRE: "k8s.io/kubernetes/pkg/credentialprovider"
TypeRE: "DockerConfigJSON"
FieldRE: "Auths|HTTPHeaders"
- PackageRE: "k8s.io/kubernetes/pkg/credentialprovider"
TypeRE: "dockerConfigEntryWithAuth"
FieldRE: "Password|Auth"
- PackageRE: "k8s.io/kubernetes/pkg/credentialprovider/gcp"
TypeRE: "tokenBlob"
FieldRE: "AccessToken"
- PackageRE: "k8s.io/kubernetes/pkg/credentialprovider"
TypeRE: "AuthConfig"
FieldRE: "Password|Auth|IdentityToken|RegistryToken"
# The following fields are tagged in #96008
- PackageRE: "k8s.io/kubernetes/pkg/controller/certificates/authority"
TypeRE: "CertificateAuthority"
FieldRE: "RawKey"
# Sinks are functions that should not be called with source or source-tainted arguments.
# This configuration should capture all log unfiltered log calls.
Sinks:
- PackageRE: "\bk?log\b"
ReceiverRE: ""
MethodRE: "Info|Warning|Error|Fatal|Exit"
- PackageRE: "\bk?log\b"
ReceiverRE: "Verbose"
MethodRE: "Info|Error"
- PackageRE: "k?log"
# Empty regexp receiver will match both top-level klog functions and klog.Verbose methods.
ReceiverRE: ""
MethodRE: "Info|Warning|Error|Fatal|Exit"
# Sanitizers permit a source to reach a sink by explicitly removing the source data.
Sanitizers:
- PackageRE: "k8s.io/client-go/transport"
MethodRE: "maskValue"
# maskValue strips bearer tokens from request headers
- PackageRE: "k8s.io/client-go/transport"
MethodRE: "maskValue"
# False positives may be suppressed here.
# Exclude reporting within a given function by specifying it similar to Sinks, i.e.,
# PackageRE | ReceiverRE | MethodRE regexp
Exclude: []
Exclude:
# Corrected in #97000
- PackageRE: "k8s.io/kubernetes/cmd/kubelet/app"
# Regexp matches anonymized inner function
MethodRE: "initConfigz|NewKubeletCommand|run"
# Corrected by go-flow-levee version update in #96999
- PackageRE: "pkg/credentialprovider"
ReceiverRE: "BasicDockerKeyring"
MethodRE: "Add"
# Corrected in #96576.
- PackageRE: "k8s.io/kubernetes/pkg/credentialprovider/gcp"
ReceiverRE: "containerRegistryProvider"
MethodRE: "Provide"