Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Explore entrypoint binary redacting secrets from logs #3373

Open
Tracked by #7418
imjasonh opened this issue Oct 12, 2020 · 14 comments
Open
Tracked by #7418

Explore entrypoint binary redacting secrets from logs #3373

imjasonh opened this issue Oct 12, 2020 · 14 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature. lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness.

Comments

@imjasonh
Copy link
Member

Stemmed from #3365 though there have been other cases it's come up.

Today, if the user specifies a script: without shebang, we assume #!/bin/bash and set -euxo pipefail -- we consider this a reasonable default script preamble, but set -x especially can surprise some users that might be using secrets in their script, and don't expect those to be emitted to output logs. One solution (as described in #3365) is to set your own preamble or to otherwise disable -x so commands aren't logged.

But we might be able to do better. The entrypoint binary we inject to run the user's command (including scripts), today passes the sub-command's stdout directly to its own stdout (same with stderr). It could consider doing something smarter in this case, and take a set of byte sequences to redact from stdout/stderr, which could be passed as secret references into the Pod.

The entrypoint binary could then place this filter around stdout and stderr to replace detected secrets with some descriptive placeholder like [REDACTED], instead of passing through potentially sensitive valeus to logs.

Considerations:

  • Performance overhead passing all user logs through our filter
  • Limitations we should impose on filtering -- the target is presumably short-ish byte sequences (passwords and keys), not gigabytes of sensitive text
  • Use cases where a user might want some secret value to be emitted through stdout/stderr, or would otherwise be surprised to find it being redacted
  • User configuration to disable filtering, including rollout strategy to make it opt-in (and eventually opt-out?) -- should it be a per-run configuration, or per-installation feature flag?
  • e2e tests we could write to check that filtering works

/kind feature
@tekton-robot tekton-robot added the kind/feature Categorizes issue or PR as related to a new feature. label Oct 12, 2020
@imjasonh imjasonh mentioned this issue Oct 12, 2020
Closed
@ghost ghost mentioned this issue Oct 12, 2020
Closed
@tekton-robot
Copy link
Collaborator

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale with a justification.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/lifecycle stale

Send feedback to tektoncd/plumbing.

@tekton-robot tekton-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 10, 2021
@vdemeester
Copy link
Member

/remove-lifecycle stale

This still needs investigation

@tekton-robot tekton-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 12, 2021
@renannprado
Copy link

@imjasonh I'm not sure where this discussion would belong, but would be nice if Tekton also considers "secret parameters".

e.g. so that if I have a task whose output is a token (secret) I can pass to the next step seamlessly without having to create a k8s secret in order to have it [REDACTED] later.

@imjasonh
Copy link
Member Author

imjasonh commented Mar 3, 2021

@renannprado I think "secret params" (or results) would be a separate issue, though it might end up sharing the same redaction code. Results today are very much not secret, and shouldn't be treated as such. Anybody who can view a TaskRun's underlying Pod status can see results data, whether or not they have access to the TaskRun, etc. Redacting from logs could be useful, but we'd need to close that hole too before we recommend people put sensitive data in results.

@renannprado
Copy link

renannprado commented Mar 4, 2021
edited
Loading

@imjasonh do you have interest in developing this feature? it doesn't seem very complicated to develop (I guess it depends on how hard is it to get the metadata to the pipeline inside of this method hehe), maybe I could develop it if some guidance/mentoring is provided. Of course, after developing it, I would love to contribute to a feature like the "secret parameters" too, but that's another story :)

@prashant-juluri
Copy link

A small suggestion but it might go a long way in enterprise adoption. Rather than show a static "redacted" message, why not show the key of the secret itself. That way, the users have a way of identifying which secret it is.

Secrets can differ across environments. Typically you may have different secrets driven by DBs for specific environment such as Dev, staging prod.

Would love to hear more on this!

@tekton-robot
Copy link
Collaborator

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale with a justification.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/lifecycle stale

Send feedback to tektoncd/plumbing.

@tekton-robot tekton-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jun 21, 2021
@tekton-robot
Copy link
Collaborator

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten with a justification.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/lifecycle rotten

Send feedback to tektoncd/plumbing.

@tekton-robot tekton-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Oct 14, 2021
@tekton-robot
Copy link
Collaborator

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen with a justification.
Mark the issue as fresh with /remove-lifecycle rotten with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/close

Send feedback to tektoncd/plumbing.

@tekton-robot
Copy link
Collaborator

@tekton-robot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen with a justification.
Mark the issue as fresh with /remove-lifecycle rotten with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/close

Send feedback to tektoncd/plumbing.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@renannprado
Copy link

IMHO redacting secrets is important and has to be implemented.

/reopen

@tekton-robot
Copy link
Collaborator

@renannprado: You can't reopen an issue/PR unless you authored it or you are a collaborator.

In response to this:

IMHO redacting secrets is important and has to be implemented.

/reopen

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@Useurmind Useurmind mentioned this issue May 5, 2022
Closed
5 tasks
@afrittoli
Copy link
Member

/remove-lifecycle rotten
/lifecycle frozen
/reopen

@tekton-robot
Copy link
Collaborator

@afrittoli: Reopened this issue.

In response to this:

/remove-lifecycle rotten
/lifecycle frozen
/reopen

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@tekton-robot tekton-robot reopened this May 25, 2022
@tekton-robot tekton-robot added lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. and removed lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. labels May 25, 2022
@ericgraf ericgraf mentioned this issue Mar 2, 2023
Closed
2 tasks
@afrittoli afrittoli mentioned this issue Nov 25, 2023
Open
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/feature Categorizes issue or PR as related to a new feature. lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness.
Projects
Tekton Community Roadmap
Status: Todo
Milestone
No milestone
Development

No branches or pull requests
6 participants
@vdemeester @imjasonh @afrittoli @renannprado @tekton-robot @prashant-juluri