Strip tokens from kubeadm-config config map

2025-07-30 15:05:27 +00:00 · 2017-10-07 14:40:48 +02:00 · 2017-10-07 14:40:48 +02:00 · c266f764ec
commit c266f764ec
parent 2d1626028e
2 changed files with 8 additions and 0 deletions
--- a/cmd/kubeadm/app/phases/uploadconfig/uploadconfig.go
+++ b/cmd/kubeadm/app/phases/uploadconfig/uploadconfig.go
@ -40,6 +40,9 @@ func UploadConfiguration(cfg *kubeadmapi.MasterConfiguration, client clientset.I
 	externalcfg := &kubeadmapiext.MasterConfiguration{}
 	api.Scheme.Convert(cfg, externalcfg, nil)

+	// Removes sensitive info from the data that will be stored in the config map
+	externalcfg.Token = ""
+
 	cfgYaml, err := yaml.Marshal(*externalcfg)
 	if err != nil {
 		return err
--- a/cmd/kubeadm/app/phases/uploadconfig/uploadconfig_test.go
+++ b/cmd/kubeadm/app/phases/uploadconfig/uploadconfig_test.go
@ -64,6 +64,7 @@ func TestUploadConfiguration(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			cfg := &kubeadmapi.MasterConfiguration{
 				KubernetesVersion: "1.7.3",
+				Token:             "1234567",
 			}
 			client := clientsetfake.NewSimpleClientset()
 			if tt.errOnCreate != nil {
@ -108,6 +109,10 @@ func TestUploadConfiguration(t *testing.T) {
 				if decodedCfg.KubernetesVersion != cfg.KubernetesVersion {
 					t.Errorf("Decoded value doesn't match, decoded = %#v, expected = %#v", decodedCfg.KubernetesVersion, cfg.KubernetesVersion)
 				}
+
+				if decodedCfg.Token != "" {
+					t.Errorf("Decoded value contains token (sensitive info), decoded = %#v, expected = empty", decodedCfg.Token)
+				}
 			}
 		})
 	}