From ec271c0e4f55e64b50f387065c043a2698e39089 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C3=ABl=20L=C3=A9vesque-Dion?=
Date: Wed, 2 Dec 2020 12:57:17 -0500
Subject: [PATCH] use a copy of the config
---
 cmd/kubelet/app/server.go | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/cmd/kubelet/app/server.go b/cmd/kubelet/app/server.go
index cdc5babe350..7567615c0d1 100644
--- a/cmd/kubelet/app/server.go
+++ b/cmd/kubelet/app/server.go
@@ -75,6 +75,7 @@ import (
 "k8s.io/kubernetes/pkg/credentialprovider"
 "k8s.io/kubernetes/pkg/features"
 "k8s.io/kubernetes/pkg/kubelet"
+ kubeletconfig "k8s.io/kubernetes/pkg/kubelet/apis/config"
 kubeletconfiginternal "k8s.io/kubernetes/pkg/kubelet/apis/config"
 kubeletscheme "k8s.io/kubernetes/pkg/kubelet/apis/config/scheme"
 kubeletconfigvalidation "k8s.io/kubernetes/pkg/kubelet/apis/config/validation"
@@ -263,12 +264,8 @@ HTTP server: The kubelet can also listen for HTTP and respond to a simple API
 // set up signal context here in order to be reused by kubelet and docker shim
 ctx := genericapiserver.SetupSignalContext()
- // make kubelet configuration safe for logging
- for k := range kubeletServer.KubeletConfiguration.StaticPodURLHeader {
- kubeletServer.KubeletConfiguration.StaticPodURLHeader[k] = []string{""}
- }
-
- klog.V(5).Infof("KubeletConfiguration: %#v", kubeletServer.KubeletConfiguration)
+ // log the kubelet's config for inspection
+ logConfig(kubeletServer.KubeletConfiguration)
 // run the kubelet
 if err := Run(ctx, kubeletServer, kubeletDeps, utilfeature.DefaultFeatureGate); err != nil {
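Review bot: The added alias `kubeletconfig` in the import hunk points at the same path as the existing `kubeletconfiginternal` on the following line, so the package is now imported twice under two names. The new function could be declared with `kubeletconfiginternal.KubeletConfiguration` and the extra import line dropped, which keeps a single name for this package across the file.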
@@ -307,6 +304,15 @@ func newFlagSetWithGlobals() *pflag.FlagSet {
 return fs
 }
+// logConfig logs the kubelet's configuration.
+// Special care is taken to avoid logging sensitive parts of the configuration.
+func logConfig(config kubeletconfig.KubeletConfiguration) {
+ for k := range config.StaticPodURLHeader {
+ config.StaticPodURLHeader[k] = []string{""}
+ }
+ klog.V(5).Infof("KubeletConfiguration: %#v", config)
+}
+
 // newFakeFlagSet constructs a pflag.FlagSet with the same flags as fs, but where
 // all values have noop Set implementations
 func newFakeFlagSet(fs *pflag.FlagSet) *pflag.FlagSet {
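Review bot: `logConfig` still blanks the caller's headers: the by-value `config` parameter copies the struct but not the `StaticPodURLHeader` map, so `config.StaticPodURLHeader[k] = []string{""}` writes into the same map that `kubeletServer` holds. Because the call in the second hunk runs before `Run(ctx, kubeletServer, ...)`, the kubelet would start with every static-pod URL header value emptied, and the loop executes whether or not verbosity 5 is enabled. Give the copy its own map before masking (or mask a deep copy), as in the excerpt below, so the redaction affects only what is logged.

```go
func logConfig(config kubeletconfig.KubeletConfiguration) {
	// config is a shallow copy: give it its own map before masking the values.
	masked := make(map[string][]string, len(config.StaticPodURLHeader))
	for k := range config.StaticPodURLHeader {
		masked[k] = []string{""}
	}
	config.StaticPodURLHeader = masked
	// … unchanged: klog.V(5).Infof call …
}
```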