mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-07-22 11:21:47 +00:00
Update config for go-flow-levee analysis
* Remove \b boundary for sinks; Unicode backspace \b != regexp boundary \b. * Specify those source type fields that have not yet been tagged. * Add exclusions for current false-positive set.
This commit is contained in:
Patrick Rhomberg
parent
e0c587bf4f
commit
6488e89f96
162
hack/testdata/levee/levee-config.yaml
vendored
162
hack/testdata/levee/levee-config.yaml
vendored
@ -1,3 +1,17 @@
|
||||
# Copyright 2015 The Kubernetes Authors.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
# This file holds configuration for taint propagation analysis of Kubernetes source via go-flow-levee.
|
||||
# It defines sources which may contain credentials and sinks where these should not be logged.
|
||||
# Sources may be identified by the FieldTags element, or by matching package, type, and field explicitly in the Sources element.
|
||||
@ -5,7 +19,9 @@
|
||||
# False positives may be suppressed in the Exclude block.
|
||||
# Note that `*RE` keys have regexp values.
|
||||
---
|
||||
# These field tags were introduced by KEP-1753 to fields which may contain credentials
|
||||
# TODO Refer to documentation link
|
||||
|
||||
# These field tags were introduced by KEP-1753 to indicate fields which may contain credentials
|
||||
FieldTags:
|
||||
- Key: "datapolicy"
|
||||
Val: "security-key"
|
||||
@ -17,44 +33,128 @@ FieldTags:
|
||||
# This preliminary collection of source types should be removed once
|
||||
# KEP-1753 adds tags to the relevant fields.
|
||||
Sources:
|
||||
- PackageRE: ""
|
||||
TypeRE: "^(?:admin)?Secret$|Token"
|
||||
FieldRE: ""
|
||||
- PackageRE: "k8s.io/client-go/tools/clientcmd/api(?:/v1)?"
|
||||
TypeRE: "^(?:Named)?AuthInfo$"
|
||||
FieldRE: ""
|
||||
- PackageRE: "k8s.io/kubernetes/pkg/credentialprovider"
|
||||
TypeRE: "DockerConfigEntry"
|
||||
FieldRE: "Password"
|
||||
- PackageRE: "k8s.io/client-go/transport"
|
||||
TypeRE: "requestInfo"
|
||||
FieldRE: "RequestHeaders"
|
||||
- PackageRE: "k8s.io/kubernetes/pkg/volume/rbd"
|
||||
TypeRE: "rbdMounter"
|
||||
FieldRE: "adminSecret"
|
||||
- PackageRE: "^k8s.io/client-go/rest$"
|
||||
TypeRE: "^TLSClientConfig$"
|
||||
FieldRE: "Password|BearerToken$|"
|
||||
- PackageRE: "^k8s.io/client-go/rest$"
|
||||
TypeRE: "^Config$"
|
||||
FieldRE: "Password|BearerToken$|"
|
||||
# The following fields are tagged in #95994
|
||||
- PackageRE: "k8s.io/kubernetes/test/e2e/storage/vsphere"
|
||||
TypeRE: "Config"
|
||||
FieldRE: "Password"
|
||||
- PackageRE: "k8s.io/kubernetes/test/e2e/storage/vsphere"
|
||||
TypeRE: "ConfigFile"
|
||||
FieldRE: "Global" # Global is of unnamed type, contains the field Password.
|
||||
|
||||
# The following fields are tagged in #95997
|
||||
- PackageRE: "k8s.io/kubelet/config/v1beta1"
|
||||
TypeRE: "KubeletConfiguration"
|
||||
FieldRE: "StaticPodURLHeader"
|
||||
|
||||
# The following fields are tagged in #95998
|
||||
- PackageRE: "k8s.io/kube-scheduler/config/v1"
|
||||
TypeRE: "ExtenderTLSConfig"
|
||||
FieldRE: "KeyData"
|
||||
|
||||
# The following fields are tagged in #95600
|
||||
- PackageRE: "k8s.io/cri-api/pkg/apis/runtime/v1alpha2"
|
||||
TypeRE: "AuthConfig"
|
||||
FieldRE: "Password|IdentityToken|RegistryToken"
|
||||
|
||||
# The following fields are tagged in #96002
|
||||
- PackageRE: "k8s.io/apiserver/pkg/apis/apiserver" # multiple versions
|
||||
TypeRE: "TLSConfig"
|
||||
FieldRE: "ClientKey"
|
||||
- PackageRE: "k8s.io/apiserver/pkg/apis/config" # multiple versions
|
||||
TypeRE: "Key"
|
||||
FieldRE: "Secret"
|
||||
- PackageRE: "k8s.io/apiserver/pkg/authentication/request/headerrequest"
|
||||
TypeRE: "requestHeaderBundle"
|
||||
FieldRE: "UsernameHeaders|GroupHeaders"
|
||||
- PackageRE: "k8s.io/apiserver/pkg/server/dynamiccertificates"
|
||||
TypeRE: "certKeyContent"
|
||||
FieldRE: "key"
|
||||
- PackageRE: "k8s.io/apiserver/pkg/server/dynamiccertificates"
|
||||
TypeRE: "DynamicCertKeyPairContent"
|
||||
FieldRE: "certKeyPair"
|
||||
- PackageRE: "k8s.io/apiserver/pkg/server/options"
|
||||
TypeRE: "RequestHeaderAuthenticationOptions"
|
||||
FieldRE: "UsernameHeaders|GroupHeaders"
|
||||
- PackageRE: "k8s.io/apiserver/plugin/pkg/authenticator/token/oidc"
|
||||
TypeRE: "endpoint"
|
||||
FieldRE: "AccessToken"
|
||||
|
||||
# The following fields are tagged in #96003
|
||||
- PackageRE: "k8s.io/cli-runtime/pkg/genericclioptions"
|
||||
TypeRE: "ConfigFlags"
|
||||
FieldRE: "BearerToken|Password"
|
||||
|
||||
# The following fields are tagged in #96004
|
||||
- PackageRE: "k8s.io/kubernetes/pkg/kubelet/apis/config"
|
||||
TypeRE: "KubeletConfiguration"
|
||||
FieldRE: "StaticPodURLHeader"
|
||||
- PackageRE: "k8s.io/kubernetes/pkg/kubelet/client"
|
||||
TypeRE: "KubeletClientConfig"
|
||||
FieldRE: "BearerToken"
|
||||
- PackageRE: "k8s.io/kubernetes/pkg/kubelet/cri/streaming"
|
||||
TypeRE: "cacheEntry"
|
||||
FieldRE: "token"
|
||||
|
||||
# The following fields are tagged in #96005
|
||||
- PackageRE: "k8s.io/api/authentication/v1"
|
||||
TypeRE: "TokenReviewSpec|TokenRequestStatus"
|
||||
FieldRE: " Token"
|
||||
- PackageRE: "k8s.io/api/authentication/v1beta1"
|
||||
TypeRE: "TokenReviewSpec"
|
||||
FieldRE: " Token"
|
||||
|
||||
# The following fields are tagged in #96007
|
||||
- PackageRE: "k8s.io/kubernetes/pkg/credentialprovider/azure"
|
||||
TypeRE: "acrAuthResponse"
|
||||
FieldRE: "RefreshToken"
|
||||
- PackageRE: "k8s.io/kubernetes/pkg/credentialprovider"
|
||||
TypeRE: "DockerConfigEntry"
|
||||
FieldRE: "Password"
|
||||
- PackageRE: "k8s.io/kubernetes/pkg/credentialprovider"
|
||||
TypeRE: "DockerConfigJSON"
|
||||
FieldRE: "Auths|HTTPHeaders"
|
||||
- PackageRE: "k8s.io/kubernetes/pkg/credentialprovider"
|
||||
TypeRE: "dockerConfigEntryWithAuth"
|
||||
FieldRE: "Password|Auth"
|
||||
- PackageRE: "k8s.io/kubernetes/pkg/credentialprovider/gcp"
|
||||
TypeRE: "tokenBlob"
|
||||
FieldRE: "AccessToken"
|
||||
- PackageRE: "k8s.io/kubernetes/pkg/credentialprovider"
|
||||
TypeRE: "AuthConfig"
|
||||
FieldRE: "Password|Auth|IdentityToken|RegistryToken"
|
||||
|
||||
# The following fields are tagged in #96008
|
||||
- PackageRE: "k8s.io/kubernetes/pkg/controller/certificates/authority"
|
||||
TypeRE: "CertificateAuthority"
|
||||
FieldRE: "RawKey"
|
||||
|
||||
# Sinks are functions that should not be called with source or source-tainted arguments.
|
||||
# This configuration should capture all log unfiltered log calls.
|
||||
Sinks:
|
||||
- PackageRE: "\bk?log\b"
|
||||
ReceiverRE: ""
|
||||
MethodRE: "Info|Warning|Error|Fatal|Exit"
|
||||
- PackageRE: "\bk?log\b"
|
||||
ReceiverRE: "Verbose"
|
||||
MethodRE: "Info|Error"
|
||||
- PackageRE: "k?log"
|
||||
# Empty regexp receiver will match both top-level klog functions and klog.Verbose methods.
|
||||
ReceiverRE: ""
|
||||
MethodRE: "Info|Warning|Error|Fatal|Exit"
|
||||
|
||||
# Sanitizers permit a source to reach a sink by explicitly removing the source data.
|
||||
Sanitizers:
|
||||
- PackageRE: "k8s.io/client-go/transport"
|
||||
MethodRE: "maskValue"
|
||||
# maskValue strips bearer tokens from request headers
|
||||
- PackageRE: "k8s.io/client-go/transport"
|
||||
MethodRE: "maskValue"
|
||||
|
||||
# False positives may be suppressed here.
|
||||
# Exclude reporting within a given function by specifying it similar to Sinks, i.e.,
|
||||
# PackageRE | ReceiverRE | MethodRE regexp
|
||||
Exclude: []
|
||||
Exclude:
|
||||
# Corrected in <pending>
|
||||
- PackageRE: "k8s.io/kubernetes/cmd/kubelet/app"
|
||||
# Regexp matches anonymized inner function
|
||||
MethodRE: "initConfigz|NewKubeletCommand|run"
|
||||
# Corrected by go-flow-levee version update in <pending>
|
||||
- PackageRE: "pkg/credentialprovider"
|
||||
ReceiverRE: "BasicDockerKeyring"
|
||||
MethodRE: "Add"
|
||||
# Corrected in #96576.
|
||||
- PackageRE: "k8s.io/kubernetes/pkg/credentialprovider/gcp"
|
||||
ReceiverRE: "containerRegistryProvider"
|
||||
MethodRE: "Provide"
|
||||
|
||||
Loading…
Reference in New Issue
Block a user