kube backend: prevent secrets from leaking to Kubernetes apiserver logs (#5196)

2025-09-03 09:48:36 +00:00 · 2025-06-14 23:44:33 +03:00
parent d5537e6fa5
commit 5e052f5579
9 changed files with 297 additions and 15 deletions
--- a/pipeline/backend/kubernetes/kubernetes.go
+++ b/pipeline/backend/kubernetes/kubernetes.go
@@ -233,6 +233,13 @@ func (e *kube) StartStep(ctx context.Context, step *types.Step, taskUUID string)
 		}
 	}

+	if needsStepSecret(step) {
+		err = startStepSecret(ctx, e, step)
+		if err != nil {
+			return err
+		}
+	}
+
 	log.Trace().Str("taskUUID", taskUUID).Msgf("starting step: %s", step.Name)
 	_, err = startPod(ctx, e, step, options)
 	return err
@@ -398,6 +405,13 @@ func (e *kube) DestroyStep(ctx context.Context, step *types.Step, taskUUID strin
 		}
 	}

+	if needsStepSecret(step) {
+		err := stopStepSecret(ctx, e, step, defaultDeleteOptions)
+		if err != nil {
+			errs = append(errs, err)
+		}
+	}
+
 	err := stopPod(ctx, e, step, defaultDeleteOptions)
 	if err != nil {
 		errs = append(errs, err)