Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

✨ (kustomize/v1) reduce the debug log level for the sidecar container kube-rbac-proxy from 10 to 0 #2435

Merged
merged 1 commit into from
Dec 3, 2021
Merged

✨ (kustomize/v1) reduce the debug log level for the sidecar container kube-rbac-proxy from 10 to 0 #2435

merged 1 commit into from
Dec 3, 2021

Conversation

geezyx
Copy link
Contributor

@geezyx geezyx commented Dec 2, 2021

This change removes the debug logging flag from the kube-rbac-proxy patch that is generated by default, fixing #2434.

As mentioned in the issue, debug logging outputs bearer tokens of the service account that kube-rbac-proxy is using, which can be used to authenticate and perform any authorized actions that your manager is configured for.

I suppose it's okay to assume that folks using kubebuilder should be auditing the generated configs and catching this type of thing, but for folks (like me) that didn't catch it, defaulting to normal logging levels can prevent some headache.

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Dec 2, 2021
@k8s-ci-robot
Copy link
Contributor

Hi @geezyx. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Dec 2, 2021
@rashmigottipati
Copy link
Contributor

/cc @camilamacedo86

camilamacedo86
camilamacedo86 reviewed Dec 2, 2021
View reviewed changes
testdata/project-v3-addon/config/default/manager_auth_proxy_patch.yaml
@@ -15,7 +15,6 @@ spec:
- "--secure-listen-address=0.0.0.0:8443"
- "--upstream=http://127.0.0.1:8080/"
- "--logtostderr=true"
- "--v=10"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

WDYT about we change to 0, then we would have the same result but would still easier for users know how to debug that if/when required?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like that! I went back and forth between removing and setting it. I'll update to use 0 so that it's more clear that the flag is available if needed. Thank you.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done, apologies for the force pushes I had the wrong git config setup 🤦

@camilamacedo86
Copy link
Member

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Dec 2, 2021
@linux-foundation-easycla
Copy link

linux-foundation-easycla bot commented Dec 3, 2021
edited
Loading

CLA Signed

The committers are authorized under a signed CLA.

@k8s-ci-robot
Copy link
Contributor

Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please follow instructions at https://git.k8s.io/community/CLA.md#the-contributor-license-agreement to sign the CLA.

It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.

  • If you've already signed a CLA, it's possible we don't have your GitHub username or you're using a different email address. Check your existing CLA data and verify that your email is set on your git commits.
  • If you signed the CLA as a corporation, please sign in with your organization's credentials at https://identity.linuxfoundation.org/projects/cncf to be authorized.
  • If you have done the above and are still having issues with the CLA being reported as unsigned, please log a ticket with the Linux Foundation Helpdesk: https://support.linuxfoundation.org/
  • Should you encounter any issues with the Linux Foundation Helpdesk, send a message to the backup e-mail support address at: [email protected]

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@k8s-ci-robot k8s-ci-robot added cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Dec 3, 2021
@geezyx geezyx force-pushed the master branch 2 times, most recently from 2fcb5e4 to acae42a Compare December 3, 2021 02:36
@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. and removed cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. labels Dec 3, 2021
camilamacedo86
camilamacedo86 requested changes Dec 3, 2021
View reviewed changes
Copy link
Member

@camilamacedo86 camilamacedo86 left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That is great @geezyx.
Thank you for your contribution.

See that we use the title and mojos to generate the release note. In this way, could you please fix that? :sparkles: (kustomize/v1) reduce the debug log level for the sidecar container kube-rbac-proxy from 10 to 0

More info: https://github.com/kubernetes-sigs/kubebuilder/blob/master/CONTRIBUTING.md#pr-process

Also, before we get the PR merged we need to rebase the commits. Could you please do that?

c/c @varshaprasad96 @rashmigottipati

@geezyx geezyx changed the title 🌱 Remove debug logging from the manager auth proxy patch ✨ (kustomize/v1) reduce the debug log level for the sidecar container kube-rbac-proxy from 10 to 0 Dec 3, 2021
@geezyx
remove debug logging from the manager auth proxy patch
c7d73bc 
update testdata to reflect scaffolding change

keep --v but set to 0 so users are aware of the flag
camilamacedo86
camilamacedo86 approved these changes Dec 3, 2021
View reviewed changes
Copy link
Member

@camilamacedo86 camilamacedo86 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Dec 3, 2021
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: camilamacedo86, geezyx

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Dec 3, 2021
@k8s-ci-robot k8s-ci-robot merged commit c869ec1 into kubernetes-sigs:master Dec 3, 2021
@camilamacedo86 camilamacedo86 mentioned this pull request Jan 18, 2022
Closed
iamniting added a commit to iamniting/odf-operator that referenced this pull request Nov 10, 2022
@iamniting
bundle: remove debug logging from the manager auth proxy patch
3ab01b1 
Having v=10 dumps sensitive information like tokens, resulting in
information leakage if these logs are obtained. The Kubebuilder
team also made this fix. They are also using v=0 now.

Ref: kubernetes-sigs/kubebuilder#2435

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2136852

Signed-off-by: Nitin Goyal <[email protected]>
@iamniting iamniting mentioned this pull request Nov 10, 2022
Merged
openshift-cherrypick-robot pushed a commit to openshift-cherrypick-robot/odf-operator that referenced this pull request Nov 10, 2022
@iamniting
bundle: remove debug logging from the manager auth proxy patch
0faf1d4 
Having v=10 dumps sensitive information like tokens, resulting in
information leakage if these logs are obtained. The Kubebuilder
team also made this fix. They are also using v=0 now.

Ref: kubernetes-sigs/kubebuilder#2435

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2136852

Signed-off-by: Nitin Goyal <[email protected]>
iamniting added a commit to iamniting/odf-operator that referenced this pull request Feb 15, 2023
@iamniting
bundle: remove debug logging from the manager auth proxy patch
7275f36 
Having v=10 dumps sensitive information like tokens, resulting in
information leakage if these logs are obtained. The Kubebuilder
team also made this fix. They are also using v=0 now.

Ref: kubernetes-sigs/kubebuilder#2435

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2136852

Signed-off-by: Nitin Goyal <[email protected]>
@iamniting iamniting mentioned this pull request Feb 15, 2023
Merged
iamniting added a commit to iamniting/odf-operator that referenced this pull request Feb 20, 2023
@iamniting
bundle: remove debug logging from the manager auth proxy patch
2afdd6a 
Having v=10 dumps sensitive information like tokens, resulting in
information leakage if these logs are obtained. The Kubebuilder
team also made this fix. They are also using v=0 now.

Ref: kubernetes-sigs/kubebuilder#2435

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2136852

Signed-off-by: Nitin Goyal <[email protected]>
@iamniting iamniting mentioned this pull request Feb 20, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@camilamacedo86 camilamacedo86 camilamacedo86 approved these changes

@Adirio Adirio Awaiting requested review from Adirio

Assignees

@camilamacedo86 camilamacedo86

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@geezyx @k8s-ci-robot @rashmigottipati @camilamacedo86