diff --git a/hack/testdata/levee/levee-config.yaml b/hack/testdata/levee/levee-config.yaml
index d2256ec1cec..8310855138b 100644
--- a/hack/testdata/levee/levee-config.yaml
+++ b/hack/testdata/levee/levee-config.yaml
@@ -1,11 +1,28 @@
+# Copyright 2015 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 # This file holds configuration for taint propagation analysis of Kubernetes source via go-flow-levee.
 # It defines sources which may contain credentials and sinks where these should not be logged.
 # Sources may be identified by the FieldTags element, or by matching package, type, and field explicitly in the Sources element.
 # Sanitizers permit sources to safely reach a sink.
 # False positives may be suppressed in the Exclude block.
 # Note that `*RE` keys have regexp values.
+
+# For additional details, see KEP-1933.
 ---
-# These field tags were introduced by KEP-1753 to fields which may contain credentials
+
+# These field tags were introduced by KEP-1753 to indicate fields which may contain credentials
 FieldTags:
 - Key: "datapolicy"
 Val: "security-key"
@@ -17,44 +34,128 @@ FieldTags:
 # This preliminary collection of source types should be removed once
 # KEP-1753 adds tags to the relevant fields.
 Sources:
- - PackageRE: ""
- TypeRE: "^(?:admin)?Secret$|Token"
- FieldRE: ""
- - PackageRE: "k8s.io/client-go/tools/clientcmd/api(?:/v1)?"
- TypeRE: "^(?:Named)?AuthInfo$"
- FieldRE: ""
- - PackageRE: "k8s.io/kubernetes/pkg/credentialprovider"
- TypeRE: "DockerConfigEntry"
- FieldRE: "Password"
- - PackageRE: "k8s.io/client-go/transport"
- TypeRE: "requestInfo"
- FieldRE: "RequestHeaders"
- - PackageRE: "k8s.io/kubernetes/pkg/volume/rbd"
- TypeRE: "rbdMounter"
- FieldRE: "adminSecret"
- - PackageRE: "^k8s.io/client-go/rest$"
- TypeRE: "^TLSClientConfig$"
- FieldRE: "Password|BearerToken$|"
- - PackageRE: "^k8s.io/client-go/rest$"
- TypeRE: "^Config$"
- FieldRE: "Password|BearerToken$|"
+# The following fields are tagged in #95994
+- PackageRE: "k8s.io/kubernetes/test/e2e/storage/vsphere"
+ TypeRE: "Config"
+ FieldRE: "Password"
+- PackageRE: "k8s.io/kubernetes/test/e2e/storage/vsphere"
+ TypeRE: "ConfigFile"
+ FieldRE: "Global" # Global is of unnamed type, contains the field Password.
+
+# The following fields are tagged in #95997
+- PackageRE: "k8s.io/kubelet/config/v1beta1"
+ TypeRE: "KubeletConfiguration"
+ FieldRE: "StaticPodURLHeader"
+
+# The following fields are tagged in #95998
+- PackageRE: "k8s.io/kube-scheduler/config/v1"
+ TypeRE: "ExtenderTLSConfig"
+ FieldRE: "KeyData"
+
+# The following fields are tagged in #95600
+- PackageRE: "k8s.io/cri-api/pkg/apis/runtime/v1alpha2"
+ TypeRE: "AuthConfig"
+ FieldRE: "Password|IdentityToken|RegistryToken"
+
+# The following fields are tagged in #96002
+- PackageRE: "k8s.io/apiserver/pkg/apis/apiserver" # multiple versions
+ TypeRE: "TLSConfig"
+ FieldRE: "ClientKey"
+- PackageRE: "k8s.io/apiserver/pkg/apis/config" # multiple versions
+ TypeRE: "Key"
+ FieldRE: "Secret"
+- PackageRE: "k8s.io/apiserver/pkg/authentication/request/headerrequest"
+ TypeRE: "requestHeaderBundle"
+ FieldRE: "UsernameHeaders|GroupHeaders"
+- PackageRE: "k8s.io/apiserver/pkg/server/dynamiccertificates"
+ TypeRE: "certKeyContent"
+ FieldRE: "key"
+- PackageRE: "k8s.io/apiserver/pkg/server/dynamiccertificates"
+ TypeRE: "DynamicCertKeyPairContent"
+ FieldRE: "certKeyPair"
+- PackageRE: "k8s.io/apiserver/pkg/server/options"
+ TypeRE: "RequestHeaderAuthenticationOptions"
+ FieldRE: "UsernameHeaders|GroupHeaders"
+- PackageRE: "k8s.io/apiserver/plugin/pkg/authenticator/token/oidc"
+ TypeRE: "endpoint"
+ FieldRE: "AccessToken"
+
+# The following fields are tagged in #96003
+- PackageRE: "k8s.io/cli-runtime/pkg/genericclioptions"
+ TypeRE: "ConfigFlags"
+ FieldRE: "BearerToken|Password"
+
+# The following fields are tagged in #96004
+- PackageRE: "k8s.io/kubernetes/pkg/kubelet/apis/config"
+ TypeRE: "KubeletConfiguration"
+ FieldRE: "StaticPodURLHeader"
+- PackageRE: "k8s.io/kubernetes/pkg/kubelet/client"
+ TypeRE: "KubeletClientConfig"
+ FieldRE: "BearerToken"
+- PackageRE: "k8s.io/kubernetes/pkg/kubelet/cri/streaming"
+ TypeRE: "cacheEntry"
+ FieldRE: "token"
+
+# The following fields are tagged in #96005
+- PackageRE: "k8s.io/api/authentication/v1"
+ TypeRE: "TokenReviewSpec|TokenRequestStatus"
+ FieldRE: " Token"
+- PackageRE: "k8s.io/api/authentication/v1beta1"
+ TypeRE: "TokenReviewSpec"
+ FieldRE: " Token"
+
+# The following fields are tagged in #96007
+- PackageRE: "k8s.io/kubernetes/pkg/credentialprovider/azure"
+ TypeRE: "acrAuthResponse"
+ FieldRE: "RefreshToken"
+- PackageRE: "k8s.io/kubernetes/pkg/credentialprovider"
+ TypeRE: "DockerConfigEntry"
+ FieldRE: "Password"
+- PackageRE: "k8s.io/kubernetes/pkg/credentialprovider"
+ TypeRE: "DockerConfigJSON"
+ FieldRE: "Auths|HTTPHeaders"
+- PackageRE: "k8s.io/kubernetes/pkg/credentialprovider"
+ TypeRE: "dockerConfigEntryWithAuth"
+ FieldRE: "Password|Auth"
+- PackageRE: "k8s.io/kubernetes/pkg/credentialprovider/gcp"
+ TypeRE: "tokenBlob"
+ FieldRE: "AccessToken"
+- PackageRE: "k8s.io/kubernetes/pkg/credentialprovider"
+ TypeRE: "AuthConfig"
+ FieldRE: "Password|Auth|IdentityToken|RegistryToken"
+
+# The following fields are tagged in #96008
+- PackageRE: "k8s.io/kubernetes/pkg/controller/certificates/authority"
+ TypeRE: "CertificateAuthority"
+ FieldRE: "RawKey"
 # Sinks are functions that should not be called with source or source-tainted arguments.
 # This configuration should capture all log unfiltered log calls.
 Sinks:
- - PackageRE: "\bk?log\b"
- ReceiverRE: ""
- MethodRE: "Info|Warning|Error|Fatal|Exit"
- - PackageRE: "\bk?log\b"
- ReceiverRE: "Verbose"
- MethodRE: "Info|Error"
+- PackageRE: "k?log"
+ # Empty regexp receiver will match both top-level klog functions and klog.Verbose methods.
+ ReceiverRE: ""
+ MethodRE: "Info|Warning|Error|Fatal|Exit"
 # Sanitizers permit a source to reach a sink by explicitly removing the source data.
 Sanitizers:
- - PackageRE: "k8s.io/client-go/transport"
- MethodRE: "maskValue"
+# maskValue strips bearer tokens from request headers
+- PackageRE: "k8s.io/client-go/transport"
+ MethodRE: "maskValue"
 # False positives may be suppressed here.
 # Exclude reporting within a given function by specifying it similar to Sinks, i.e.,
 # PackageRE | ReceiverRE | MethodRE regexp
-Exclude: []
+Exclude:
+# Corrected in #97000
+- PackageRE: "k8s.io/kubernetes/cmd/kubelet/app"
+ # Regexp matches anonymized inner function
+ MethodRE: "initConfigz|NewKubeletCommand|run"
+# Corrected by go-flow-levee version update in #96999
+- PackageRE: "pkg/credentialprovider"
+ ReceiverRE: "BasicDockerKeyring"
+ MethodRE: "Add"
+# Corrected in #96576.
+- PackageRE: "k8s.io/kubernetes/pkg/credentialprovider/gcp"
+ ReceiverRE: "containerRegistryProvider"
+ MethodRE: "Provide"
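Review bot: The two `FieldRE: " Token"` entries in the #96005 group (k8s.io/api/authentication/v1 and v1beta1) carry a leading space inside the quotes, so the regexp cannot match a Go field identifier and the Token fields of TokenReviewSpec/TokenRequestStatus would silently stop being treated as sources; assuming go-flow-levee matches FieldRE against the bare field name, this should read `FieldRE: "Token"` (or `"^Token$"` if only that exact field is meant). A lesser point is the Sinks entry `PackageRE: "k?log"`: it is unanchored, so any package whose import path contains "log" becomes a sink, and while over-matching sinks only yields spurious findings, those tend to accumulate in Exclude. If the word boundaries were dropped because `\b` inside a YAML double-quoted scalar is the backspace escape rather than a regexp boundary, a single-quoted `PackageRE: '\bk?log\b'` keeps the backslash literal. Each Exclude entry is annotated "Corrected in #…", so a comment such as `# TODO: drop these exclusions once #97000, #96999 and #96576 have merged` would make their temporary nature explicit to whoever maintains the file next.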