From 4ab48011398e7e286839b8815337176237c915c2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C3=ABl=20L=C3=A9vesque-Dion?=
Date: Tue, 1 Dec 2020 18:36:48 -0500
Subject: [PATCH 1/4] avoid logging kubelet configuration headers
---
 cmd/kubelet/app/server.go | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/cmd/kubelet/app/server.go b/cmd/kubelet/app/server.go
index ff7e05feec1..cdc5babe350 100644
--- a/cmd/kubelet/app/server.go
+++ b/cmd/kubelet/app/server.go
@@ -263,8 +263,14 @@ HTTP server: The kubelet can also listen for HTTP and respond to a simple API
 // set up signal context here in order to be reused by kubelet and docker shim
 ctx := genericapiserver.SetupSignalContext()
- // run the kubelet
+ // make kubelet configuration safe for logging
+ for k := range kubeletServer.KubeletConfiguration.StaticPodURLHeader {
+ kubeletServer.KubeletConfiguration.StaticPodURLHeader[k] = []string{""}
+ }
+ klog.V(5).Infof("KubeletConfiguration: %#v", kubeletServer.KubeletConfiguration)
+
+ // run the kubelet
 if err := Run(ctx, kubeletServer, kubeletDeps, utilfeature.DefaultFeatureGate); err != nil {
 klog.Fatal(err)
 }
From ec271c0e4f55e64b50f387065c043a2698e39089 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C3=ABl=20L=C3=A9vesque-Dion?=
Date: Wed, 2 Dec 2020 12:57:17 -0500
Subject: [PATCH 2/4] use a copy of the config
---
 cmd/kubelet/app/server.go | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/cmd/kubelet/app/server.go b/cmd/kubelet/app/server.go
index cdc5babe350..7567615c0d1 100644
--- a/cmd/kubelet/app/server.go
+++ b/cmd/kubelet/app/server.go
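Review bot: The masking loop in PATCH 1/4 assigns into `kubeletServer.KubeletConfiguration.StaticPodURLHeader` itself, and the same `kubeletServer` is handed to `Run` right after the log call, so at this commit the kubelet would presumably start with every static-pod URL header value replaced by the mask. The `logConfig` helper in PATCH 2/4 has the same defect: the struct is passed by value, but a Go map field still refers to the caller's map, so the loop there also rewrites the live headers. PATCH 3/4 moves to `DeepCopy()`; squashing the series would keep the in-place mutation out of every bisectable commit. The enclosing function starts and ends outside the hunk.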
@@ -75,6 +75,7 @@ import (
 "k8s.io/kubernetes/pkg/credentialprovider"
 "k8s.io/kubernetes/pkg/features"
 "k8s.io/kubernetes/pkg/kubelet"
+ kubeletconfig "k8s.io/kubernetes/pkg/kubelet/apis/config"
 kubeletconfiginternal "k8s.io/kubernetes/pkg/kubelet/apis/config"
 kubeletscheme "k8s.io/kubernetes/pkg/kubelet/apis/config/scheme"
 kubeletconfigvalidation "k8s.io/kubernetes/pkg/kubelet/apis/config/validation"
@@ -263,12 +264,8 @@ HTTP server: The kubelet can also listen for HTTP and respond to a simple API
 // set up signal context here in order to be reused by kubelet and docker shim
 ctx := genericapiserver.SetupSignalContext()
- // make kubelet configuration safe for logging
- for k := range kubeletServer.KubeletConfiguration.StaticPodURLHeader {
- kubeletServer.KubeletConfiguration.StaticPodURLHeader[k] = []string{""}
- }
-
- klog.V(5).Infof("KubeletConfiguration: %#v", kubeletServer.KubeletConfiguration)
+ // log the kubelet's config for inspection
+ logConfig(kubeletServer.KubeletConfiguration)
 // run the kubelet
 if err := Run(ctx, kubeletServer, kubeletDeps, utilfeature.DefaultFeatureGate); err != nil {
@@ -307,6 +304,15 @@ func newFlagSetWithGlobals() *pflag.FlagSet {
 return fs
 }
+// logConfig logs the kubelet's configuration.
+// Special care is taken to avoid logging sensitive parts of the configuration.
+func logConfig(config kubeletconfig.KubeletConfiguration) {
+ for k := range config.StaticPodURLHeader {
+ config.StaticPodURLHeader[k] = []string{""}
+ }
+ klog.V(5).Infof("KubeletConfiguration: %#v", config)
+}
+
 // newFakeFlagSet constructs a pflag.FlagSet with the same flags as fs, but where
 // all values have noop Set implementations
 func newFakeFlagSet(fs *pflag.FlagSet) *pflag.FlagSet {
From 0841b13e37197006d61ea3dfc322e492c212083b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C3=ABl=20L=C3=A9vesque-Dion?=
Date: Wed, 2 Dec 2020 14:44:11 -0500
Subject: [PATCH 3/4] use deepcopy to actually operate on a copy
---
 cmd/kubelet/app/server.go | 17 ++++++-----------
 1 file changed, 6 insertions(+), 11 deletions(-)
diff --git a/cmd/kubelet/app/server.go b/cmd/kubelet/app/server.go
index 7567615c0d1..0f2f8d99a8e 100644
--- a/cmd/kubelet/app/server.go
+++ b/cmd/kubelet/app/server.go
@@ -75,7 +75,6 @@ import (
 "k8s.io/kubernetes/pkg/credentialprovider"
 "k8s.io/kubernetes/pkg/features"
 "k8s.io/kubernetes/pkg/kubelet"
- kubeletconfig "k8s.io/kubernetes/pkg/kubelet/apis/config"
 kubeletconfiginternal "k8s.io/kubernetes/pkg/kubelet/apis/config"
 kubeletscheme "k8s.io/kubernetes/pkg/kubelet/apis/config/scheme"
 kubeletconfigvalidation "k8s.io/kubernetes/pkg/kubelet/apis/config/validation"
@@ -264,8 +263,13 @@ HTTP server: The kubelet can also listen for HTTP and respond to a simple API
 // set up signal context here in order to be reused by kubelet and docker shim
 ctx := genericapiserver.SetupSignalContext()
+ // make the kubelet's config safe for logging
+ config := kubeletServer.KubeletConfiguration.DeepCopy()
+ for k := range config.StaticPodURLHeader {
+ config.StaticPodURLHeader[k] = []string{""}
+ }
 // log the kubelet's config for inspection
- logConfig(kubeletServer.KubeletConfiguration)
+ klog.V(5).Infof("KubeletConfiguration: %#v", config)
 // run the kubelet
 if err := Run(ctx, kubeletServer, kubeletDeps, utilfeature.DefaultFeatureGate); err != nil {
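Review bot: The `DeepCopy()` and masking loop in PATCH 3/4 run on every start even when verbosity is below 5 and the line is never written; if this file uses klog v2, wrapping the four added lines and the `Infof` call in `if klog.V(5).Enabled() { ... }` ties the copy to the log statement. Masking is also limited to `StaticPodURLHeader`, so `%#v` prints every other field as-is, including any secret-bearing field added to the configuration later. A comment such as `// only StaticPodURLHeader is masked; mask any new credential-bearing field here before logging` would record that contract next to the loop. The enclosing function starts and ends outside the hunk.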
@@ -304,15 +308,6 @@ func newFlagSetWithGlobals() *pflag.FlagSet {
 return fs
 }
-// logConfig logs the kubelet's configuration.
-// Special care is taken to avoid logging sensitive parts of the configuration.
-func logConfig(config kubeletconfig.KubeletConfiguration) {
- for k := range config.StaticPodURLHeader {
- config.StaticPodURLHeader[k] = []string{""}
- }
- klog.V(5).Infof("KubeletConfiguration: %#v", config)
-}
-
 // newFakeFlagSet constructs a pflag.FlagSet with the same flags as fs, but where
 // all values have noop Set implementations
 func newFakeFlagSet(fs *pflag.FlagSet) *pflag.FlagSet {
From 046ec59a8b3b7c8a7dec6fc6823fb673b77277cc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C3=ABl=20L=C3=A9vesque-Dion?=
Date: Thu, 3 Dec 2020 11:01:41 -0500
Subject: [PATCH 4/4] use 'masked' instead of 'redacted'
---
 cmd/kubelet/app/server.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cmd/kubelet/app/server.go b/cmd/kubelet/app/server.go
index 0f2f8d99a8e..1578d328a28 100644
--- a/cmd/kubelet/app/server.go
+++ b/cmd/kubelet/app/server.go
@@ -266,7 +266,7 @@ HTTP server: The kubelet can also listen for HTTP and respond to a simple API
 // make the kubelet's config safe for logging
 config := kubeletServer.KubeletConfiguration.DeepCopy()
 for k := range config.StaticPodURLHeader {
- config.StaticPodURLHeader[k] = []string{""}
+ config.StaticPodURLHeader[k] = []string{""}
 }
 // log the kubelet's config for inspection
 klog.V(5).Infof("KubeletConfiguration: %#v", config)