Merge pull request #53559 from fabriziopandini/kubeadm485

Automatic merge from submit-queue (batch tested with PRs 53204, 53364, 53559, 53589, 53088). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Strip tokens from `kubeadm-config` config map **What this PR does / why we need it**: When kubeadm 1.8 create a cluster stores a `kubeadm-config` config map with all the info used for initialising the cluster. This PR removes the kubeadm join token - which is a sensitive information - from this config map. **Which issue this PR fixes** [#485](https://github.com/kubernetes/kubeadm/issues/485) **Special notes for your reviewer**: This fixes all the subcommands that touch `kubeadm-config` config map, namely: - kubeadm init - kubeadm config upload - kubeadm upgrade ```release-note kubeadm: Strip bootstrap tokens from the `kubeadm-config` ConfigMap ```
2025-07-31 15:25:57 +00:00 · 2017-10-11 15:14:42 -07:00 · 2017-10-11 15:14:42 -07:00 · 95c2609a6f
commit 95c2609a6f
parent efa17f5c45 c266f764ec
2 changed files with 8 additions and 0 deletions
--- a/cmd/kubeadm/app/phases/uploadconfig/uploadconfig.go
+++ b/cmd/kubeadm/app/phases/uploadconfig/uploadconfig.go
@ -40,6 +40,9 @@ func UploadConfiguration(cfg *kubeadmapi.MasterConfiguration, client clientset.I
 	externalcfg := &kubeadmapiext.MasterConfiguration{}
 	api.Scheme.Convert(cfg, externalcfg, nil)

+	// Removes sensitive info from the data that will be stored in the config map
+	externalcfg.Token = ""
+
 	cfgYaml, err := yaml.Marshal(*externalcfg)
 	if err != nil {
 		return err
--- a/cmd/kubeadm/app/phases/uploadconfig/uploadconfig_test.go
+++ b/cmd/kubeadm/app/phases/uploadconfig/uploadconfig_test.go
@ -64,6 +64,7 @@ func TestUploadConfiguration(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			cfg := &kubeadmapi.MasterConfiguration{
 				KubernetesVersion: "1.7.3",
+				Token:             "1234567",
 			}
 			client := clientsetfake.NewSimpleClientset()
 			if tt.errOnCreate != nil {
@ -108,6 +109,10 @@ func TestUploadConfiguration(t *testing.T) {
 				if decodedCfg.KubernetesVersion != cfg.KubernetesVersion {
 					t.Errorf("Decoded value doesn't match, decoded = %#v, expected = %#v", decodedCfg.KubernetesVersion, cfg.KubernetesVersion)
 				}
+
+				if decodedCfg.Token != "" {
+					t.Errorf("Decoded value contains token (sensitive info), decoded = %#v, expected = empty", decodedCfg.Token)
+				}
 			}
 		})
 	}