diff --git a/cmd/kubeadm/app/apis/kubeadm/v1beta3/bootstraptokenstring.go b/cmd/kubeadm/app/apis/kubeadm/v1beta3/bootstraptokenstring.go
index 4df782b29ad..86dc8561e5a 100644
--- a/cmd/kubeadm/app/apis/kubeadm/v1beta3/bootstraptokenstring.go
+++ b/cmd/kubeadm/app/apis/kubeadm/v1beta3/bootstraptokenstring.go
@@ -31,8 +31,8 @@ import (
 // of view and as an authentication method for the node in the bootstrap phase of
 // "kubeadm join". This token is and should be short-lived
 type BootstrapTokenString struct {
- ID string `json:"-"`
- Secret string `json:"-"`
+ ID string `json:"-" datapolicy:"token"`
+ Secret string `json:"-" datapolicy:"token"`
 }
 
 // MarshalJSON implements the json.Marshaler interface.
diff --git a/cmd/kubeadm/app/apis/kubeadm/v1beta3/doc.go b/cmd/kubeadm/app/apis/kubeadm/v1beta3/doc.go
index 38933fbfcda..1562b7e97bd 100644
--- a/cmd/kubeadm/app/apis/kubeadm/v1beta3/doc.go
+++ b/cmd/kubeadm/app/apis/kubeadm/v1beta3/doc.go
@@ -27,6 +27,8 @@ limitations under the License.
 // Kubeadm no longer supports the hyperkube image.
 // - The "ClusterConfiguration.DNS.Type" field has been removed since CoreDNS is the only supported
 // DNS server type by kubeadm.
+// - Include "datapolicy" tags on the fields that hold secrets.
+// This would result in the field values to be omitted when API structures are printed with klog.
 //
 // Migration from old kubeadm config versions
 //
diff --git a/cmd/kubeadm/app/apis/kubeadm/v1beta3/types.go b/cmd/kubeadm/app/apis/kubeadm/v1beta3/types.go
index 2f92301bd1a..adcf7d5eece 100644
--- a/cmd/kubeadm/app/apis/kubeadm/v1beta3/types.go
+++ b/cmd/kubeadm/app/apis/kubeadm/v1beta3/types.go
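Review bot: The new `datapolicy:"token"` tags on ID and Secret only take effect when a value is dumped reflectively by klog's struct sanitizer; the type's own json.Marshaler (visible just below the hunk) and, if the type also has a String() method rendering the joined `id.secret` form, bypass field tags entirely, so a `%v`/`%s` of a BootstrapTokenString, or of BootstrapToken.Token in the types.go hunk at -202, still prints the full token. That limitation is worth stating on the struct so the tags are not mistaken for log-safety: `// The datapolicy tags redact ID and Secret only in reflective klog dumps; the marshalled or stringified "id.secret" form is not covered and must not be logged.` Separately, if ID is the public half that names the bootstrap Secret object (as I believe it is), redacting it removes the one value an operator needs to correlate a log line with a token; if hiding it is intended, a short comment on the ID field saying so would help.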
@@ -202,7 +202,7 @@ type Networking struct {
 type BootstrapToken struct {
 // Token is used for establishing bidirectional trust between nodes and control-planes.
 // Used for joining nodes in the cluster.
- Token *BootstrapTokenString `json:"token"`
+ Token *BootstrapTokenString `json:"token" datapolicy:"token"`
 // Description sets a human-friendly message why this token exists and what it's used
 // for, so other administrators can know its purpose.
 Description string `json:"description,omitempty"`
@@ -315,7 +315,7 @@ type Discovery struct {
 // TLSBootstrapToken is a token used for TLS bootstrapping.
 // If .BootstrapToken is set, this field is defaulted to .BootstrapToken.Token, but can be overridden.
 // If .File is set, this field **must be set** in case the KubeConfigFile does not contain any other authentication information
- TLSBootstrapToken string `json:"tlsBootstrapToken,omitempty"`
+ TLSBootstrapToken string `json:"tlsBootstrapToken,omitempty" datapolicy:"token"`
 
 // Timeout modifies the discovery timeout
 Timeout *metav1.Duration `json:"timeout,omitempty"`
@@ -325,7 +325,7 @@ type Discovery struct {
 type BootstrapTokenDiscovery struct {
 // Token is a token used to validate cluster information
 // fetched from the control-plane.
- Token string `json:"token"`
+ Token string `json:"token" datapolicy:"token"`
 
 // APIServerEndpoint is an IP or domain name to the API server from which info will be fetched.
 APIServerEndpoint string `json:"apiServerEndpoint,omitempty"`
@@ -337,7 +337,7 @@ type BootstrapTokenDiscovery struct {
 // where the only currently supported type is "sha256". This is a hex-encoded
 // SHA-256 hash of the Subject Public Key Info (SPKI) object in DER-encoded
 // ASN.1. These hashes can be calculated using, for example, OpenSSL.
- CACertHashes []string `json:"caCertHashes,omitempty"`
+ CACertHashes []string `json:"caCertHashes,omitempty" datapolicy:"security-key"`
 
 // UnsafeSkipCAVerification allows token-based discovery
 // without CA verification via CACertHashes. This can weaken
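Review bot: `datapolicy:"security-key"` on CACertHashes does not match what the field holds: per the comment directly above it, the values are hex-encoded SHA-256 hashes of the CA's SPKI, i.e. public pins that a joining node uses to verify the control plane (see the UnsafeSkipCAVerification comment below), not key material. Redacting them from klog output hides the value an operator most needs when diagnosing a discovery pin mismatch, and it is at odds with the doc.go entry in this same commit, which scopes the tags to "fields that hold secrets". I would drop the tag on this line, `CACertHashes []string `json:"caCertHashes,omitempty"``, or, if keeping it is a deliberate defensive choice, add a comment above the field explaining why a public hash is classified as a security key. The BootstrapTokenDiscovery struct continues outside the hunk.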