use a copy of the config

cmd/kubelet/app/server.go

@@ -75,6 +75,7 @@ import (
 	"k8s.io/kubernetes/pkg/credentialprovider"
 	"k8s.io/kubernetes/pkg/features"
 	"k8s.io/kubernetes/pkg/kubelet"
+	kubeletconfig "k8s.io/kubernetes/pkg/kubelet/apis/config"
 	kubeletconfiginternal "k8s.io/kubernetes/pkg/kubelet/apis/config"
 	kubeletscheme "k8s.io/kubernetes/pkg/kubelet/apis/config/scheme"
 	kubeletconfigvalidation "k8s.io/kubernetes/pkg/kubelet/apis/config/validation"
@@ -263,12 +264,8 @@ HTTP server: The kubelet can also listen for HTTP and respond to a simple API
 			// set up signal context here in order to be reused by kubelet and docker shim
 			ctx := genericapiserver.SetupSignalContext()
 
-			// make kubelet configuration safe for logging
-			for k := range kubeletServer.KubeletConfiguration.StaticPodURLHeader {
-				kubeletServer.KubeletConfiguration.StaticPodURLHeader[k] = []string{"<redacted>"}
-			}
-
-			klog.V(5).Infof("KubeletConfiguration: %#v", kubeletServer.KubeletConfiguration)
+			// log the kubelet's config for inspection
+			logConfig(kubeletServer.KubeletConfiguration)
 
 			// run the kubelet
 			if err := Run(ctx, kubeletServer, kubeletDeps, utilfeature.DefaultFeatureGate); err != nil {
@@ -307,6 +304,15 @@ func newFlagSetWithGlobals() *pflag.FlagSet {
 	return fs
 }
 
+// logConfig logs the kubelet's configuration.
+// Special care is taken to avoid logging sensitive parts of the configuration.
+func logConfig(config kubeletconfig.KubeletConfiguration) {
+	for k := range config.StaticPodURLHeader {
+		config.StaticPodURLHeader[k] = []string{"<redacted>"}
+	}
+	klog.V(5).Infof("KubeletConfiguration: %#v", config)
+}
+
 // newFakeFlagSet constructs a pflag.FlagSet with the same flags as fs, but where
 // all values have noop Set implementations
 func newFakeFlagSet(fs *pflag.FlagSet) *pflag.FlagSet {